
How To Troubleshoot VPN Issues in Site to Site 29 December 2010

2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?id=11841
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date        Description
12/29/2010  First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=feedback on How To Troubleshoot VPN Issues in Site to Site).

Contents
Important Information
How to Troubleshoot VPN Issues in Site to Site
    Objective
    Supported Versions
    Supported OS
    Supported Appliances
    Before You Start
        Related Documentation and Assumed Knowledge
        Impact on the Environment and Warnings
    Troubleshooting VPN issues in Site to Site
        New Installation Checklist
        Failed Upgrade to R70
        Previously Working Installations
    Completing the Procedure
    Verifying

How to Troubleshoot VPN Issues in Site to Site

Objective
This document provides troubleshooting steps for site to site VPN connections between Check Point gateways. It addresses site to site VPN troubleshooting in simplified mode only.

Supported Versions
R65, R70

Supported OS
SecurePlatform, Windows

Supported Appliances
All gateway appliances

Before You Start

Related Documentation and Assumed Knowledge
Basic understanding of network and security concepts and terminology, for example IPsec, TCP/IP, routing and firewalls.
VPN administration guides:
R70: http://supportcontent.checkpoint.com/documentation_download?id=8751
R65: http://supportcontent.checkpoint.com/documentation_download?id=7261

Impact on the Environment and Warnings
Be aware that changing the VPN configuration on the management server and installing the changes on the security gateways may affect currently established VPN tunnels. Check carefully whether the change you are applying is related to live VPN tunnels. It is advised to make all changes during a maintenance window.

Troubleshooting VPN issues in Site to Site

In this section:
New Installation Checklist
Failed Upgrade to R70
Previously Working Installations

New Installation Checklist

Note: The steps in this section are relevant only for new installations, not for an existing one that has previously worked. If your configuration stopped working after being upgraded to R70, skip to Failed Upgrade to R70. If it worked before, skip to Previously Working Installations.

To verify that the settings have been set up correctly:

1. Verify that both gateways are in the same community.

2. If the gateway is externally managed, verify the following:
   a) If a shared secret is used, verify that it is properly entered on both sides.
   b) If a certificate is used, verify that the certificate authority is properly defined.
   c) Verify that the tunnel settings in the VPN community (negotiation times, encryption algorithms, data hashing algorithms) are the same on both ends.

3. Verify that the gateway encryption domain and topology are properly set.

If the issue is still not resolved, contact the Check Point Support Center.
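The checklist above compares the same handful of settings on both ends of the tunnel. The following script is an added example (not Check Point code) that performs those comparisons on two settings records: it checks community membership, the authentication method, the Phase 1/Phase 2 parameters of step 2c, and, for step 3, that the two encryption domains do not overlap (the overlap check is this example's interpretation of "properly set"). The dictionaries and their key names are constructed for the example and are not SmartDashboard field names; shared secrets are compared as SHA-256 fingerprints so the secret itself never has to be exchanged between the two administrators.

```python
"""Checklist helper for site to site settings. Added example, not Check Point
code; the settings records and key names are constructed for illustration."""
import hashlib
import ipaddress

# Phase 1 / Phase 2 tunnel settings that must be identical on both ends (step 2c).
TUNNEL_PARAMS = (
    "phase1_encryption", "phase1_hash", "phase1_renegotiation_minutes",
    "phase2_encryption", "phase2_hash", "phase2_renegotiation_seconds",
)


def secret_fingerprint(secret):
    """Each side records a SHA-256 fingerprint of its shared secret, so the two
    administrators can confirm they typed the same value without sharing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def check_pair(local, remote):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    # Step 1: both gateways must be members of the same VPN community.
    if local["community"] != remote["community"]:
        findings.append("community: %s vs %s" % (local["community"], remote["community"]))
    # Steps 2a/2b: same authentication method, and the same secret or trusted CA.
    if local["auth"] != remote["auth"]:
        findings.append("authentication method: %s vs %s" % (local["auth"], remote["auth"]))
    elif local["auth"] == "shared_secret":
        if local["secret_fingerprint"] != remote["secret_fingerprint"]:
            findings.append("shared secret differs between the two sides")
    elif local["auth"] == "certificate":
        if local["trusted_ca"] != remote["trusted_ca"]:
            findings.append("trusted CA: %s vs %s" % (local["trusted_ca"], remote["trusted_ca"]))
    # Step 2c: every tunnel parameter must match exactly.
    for param in TUNNEL_PARAMS:
        if local[param] != remote[param]:
            findings.append("%s: %s vs %s" % (param, local[param], remote[param]))
    # Step 3 (this example's reading of "properly set"): the two encryption
    # domains must not overlap, otherwise the gateways disagree about which
    # side a destination belongs to.
    for a in local["encryption_domain"]:
        for b in remote["encryption_domain"]:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                findings.append("encryption domains overlap: %s and %s" % (a, b))
    return findings


# Constructed sample settings for a correctly matched pair of gateways.
GW_A = {
    "community": "HQ-Branch",
    "auth": "shared_secret",
    "secret_fingerprint": secret_fingerprint("example-psk"),  # constructed secret
    "trusted_ca": None,
    "phase1_encryption": "AES-256", "phase1_hash": "SHA1",
    "phase1_renegotiation_minutes": 1440,
    "phase2_encryption": "AES-128", "phase2_hash": "SHA1",
    "phase2_renegotiation_seconds": 3600,
    "encryption_domain": ["10.1.0.0/16"],
}
GW_B = dict(GW_A, encryption_domain=["10.2.0.0/16"])

# The same peer with three mistakes: a trailing space in the typed secret, a
# different Phase 2 hash, and a domain that overlaps GW_A's.
GW_B_BAD = dict(
    GW_B,
    secret_fingerprint=secret_fingerprint("example-psk "),
    phase2_hash="MD5",
    encryption_domain=["10.2.0.0/16", "10.1.5.0/24"],
)

if __name__ == "__main__":
    for name, peer in (("GW_B", GW_B), ("GW_B_BAD", GW_B_BAD)):
        print(name, check_pair(GW_A, peer) or ["checklist passes"])
```

Run against the matched pair the checker reports nothing; against GW_B_BAD it reports the secret mismatch, the Phase 2 hash mismatch and the overlapping domain, which are exactly the three things steps 2a, 2c and 3 ask you to confirm.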

Failed Upgrade to R70

After upgrading a previous version of a Check Point gateway/SmartCenter to R70 and above, several manually edited configuration files are returned to their default settings, which causes some VPN configurations to malfunction. The common issues are described below.

vpn_route.conf settings are not passed correctly to the upgraded SmartCenter/gateway.
The file needs to be modified again. You can use the same syntax used in R65. If file modification issues are encountered, refer to sk31021 (http://supportcontent.checkpoint.com/solutions?id=sk31021).

You would like to exclude a specific address from the encryption domain (such as the peer gateway IP), and you are using R70 or above.
user.def is irrelevant in this case under R70. On the SmartCenter Server, add the following lines at the end of the file $FWDIR/lib/crypt.def:

    #define NON_VPN_TRAFFIC_RULES \
        (dst=x.x.x.x)

The address 'x.x.x.x' is the IP address of the remote peer which should be excluded from the VPN-1 gateway's remote encryption domain. Push the policy to the VPN-1 gateway. Check that there are proper NAT rules for hide-NATing the internal source addresses when accessing the remote peer address in clear from the VPN-1 site (e.g. a NAT rule with src=internal net, dst=x.x.x.x -> src=hide behind the firewall's external address, dst=origin).

user.def
Previous modifications done in R65 in user.def that set max_subnet_per_range are not saved. In R70 the change must be applied in user.def.ngx_flo. Policy installation must be performed afterwards.

VPND crashes or causes very high CPU consumption in R70 when using a manually modified ipassignment.conf.
Refer to sk41786 (http://supportcontent.checkpoint.com/solutions?id=sk41786).

Previously Working Installations

To troubleshoot VPN issues on a previously working installation:
1. Initiate a VPN connectivity attempt by sending traffic from one site to the other.
2. Review SmartView Tracker for potential errors.
3. Based on that, review the common issues and their troubleshooting steps listed below.

Site to site VPN connections between VPN-1 Power/UTM Security Gateways, configured as Center Gateways in a Star VPN Community, are not being encrypted.
Refer to sk33318 (http://supportcontent.checkpoint.com/solutions?id=sk33318).

Site-to-site VPN using certificates issued by the ICA (Internal Certificate Authority) fails with an error.
Refer to sk32648 (http://supportcontent.checkpoint.com/solutions?id=sk32648).

After upgrade to R70, site to site VPN fails with an "authentication error" message in SmartView Tracker.
The shared secret did not move in the upgrade process. Redefine the shared secret for the peer gateway.

Traffic is dropped inside a VPN tunnel with the error: "packet should not have been decrypted".
Consider the following scenario:

    GW1 ======VPN====== GW2
    Mgmt1               Mgmt2

On gateway 1, a traditional policy is installed which encrypts all services from the GW1 encryption domain to the GW2 encryption domain. On gateway 2, a simplified policy is installed to allow encrypted traffic between the two gateways; however, in the community settings there are several excluded services configured. The services that are encrypted by GW1 are among the excluded services on GW2, hence the error "packet should not have been decrypted": GW2 thinks that this packet should have come in clear and not encrypted. To fix this, take the relevant service out of the excluded services so that the configuration matches what is configured on GW1.
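Step 2 of the procedure above is to read SmartView Tracker for errors and match them to the documented issues. The script below is an added example (not Check Point code) that does that matching for the three messages quoted in this section: "authentication error", "packet should not have been decrypted" and the VTI message "Clear text packet should be encrypted". The log lines are constructed in a simplified key=value layout that is not SmartView Tracker's real export format, and the peer= and info= field names are assumptions of the example; anything that does not match a documented message is reported as undocumented so it is not silently ignored.

```python
"""Triage of drop messages against the issues documented in this section.
Added example, not Check Point code; log layout and field names are constructed."""
import re

# Message fragments quoted in this section, mapped to the documented remedy.
KNOWN_ISSUES = (
    ("authentication error",
     "shared secret did not survive the upgrade: redefine the shared secret for the peer gateway"),
    ("packet should not have been decrypted",
     "excluded services differ between the two sides: remove the service from the "
     "community's excluded services so both gateways agree"),
    ("clear text packet should be encrypted",
     "VTI local domain not declared: fix $FWDIR/conf/vpn_route.conf on the SmartCenter"),
)
UNKNOWN = "not a documented issue: contact the Check Point Support Center"

PEER_RE = re.compile(r"\bpeer=(\S+)")      # assumed field: remote gateway address
INFO_RE = re.compile(r'\binfo="([^"]*)"')  # assumed field: the drop message


def classify(message):
    """Map one drop message to its remedy (case-insensitive substring match)."""
    lowered = message.lower()
    for fragment, remedy in KNOWN_ISSUES:
        if fragment in lowered:
            return remedy
    return UNKNOWN


def triage(log_text):
    """Return one finding per log line that carries an info= message."""
    findings = []
    for line in log_text.splitlines():
        info = INFO_RE.search(line)
        if not info:
            continue  # accepted traffic, or a line without a message
        peer = PEER_RE.search(line)
        findings.append({
            "peer": peer.group(1) if peer else "unknown",
            "message": info.group(1),
            "remedy": classify(info.group(1)),
        })
    return findings


def by_peer(findings):
    """Group the distinct remedies per peer so each fix is applied once."""
    grouped = {}
    for finding in findings:
        grouped.setdefault(finding["peer"], set()).add(finding["remedy"])
    return grouped


# Constructed sample lines; the layout and every value are made up for this example.
SAMPLE_LOG = """\
29Dec2010 10:01:12 drop   gw1 src=10.1.2.3 dst=10.2.4.5 peer=203.0.113.2 info="authentication error"
29Dec2010 10:01:15 drop   gw2 src=10.1.2.3 dst=10.2.4.5 peer=203.0.113.1 info="packet should not have been decrypted"
29Dec2010 10:02:40 accept gw1 src=10.1.2.9 dst=10.2.4.7 peer=203.0.113.2
29Dec2010 10:03:05 drop   gw1 src=10.1.7.1 dst=10.2.9.9 peer=203.0.113.2 info="encryption failure: Clear text packet should be encrypted"
29Dec2010 10:03:30 drop   gw1 src=10.1.7.1 dst=10.2.9.9 peer=203.0.113.2 info="decryption failure: unrecognised message"
"""

if __name__ == "__main__":
    for peer, remedies in sorted(by_peer(triage(SAMPLE_LOG)).items()):
        print(peer)
        for remedy in sorted(remedies):
            print("  -", remedy)
```

The match is deliberately a substring test on the lowered message, because the VTI message arrives with the "encryption failure:" prefix in front of the quoted text; grouping by peer keeps the output at one list of fixes per remote gateway rather than one line per dropped packet.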

VTI error "encryption failure: Clear text packet should be encrypted"
Edit the $FWDIR/conf/vpn_route.conf file on the SmartCenter, and declare each gateway's local domain to itself.

Example: Suppose you have two gateways or clusters with VTI tunnels configured. One is named "satellite" and the other is named "center". Create two groups. One group will contain all of the "satellite" internal networks that participate in the tunnel, and the other group will contain all of the "center" internal networks that participate in the tunnel. Call these groups "center_nets" and "satellite_nets". Configure vpn_route.conf as follows:

    # destination    router     install_on
    center_nets      center     center
    satellite_nets   satellite  satellite

In case the suggested steps fail to resolve the issue:
Refer to sk34467 (http://supportcontent.checkpoint.com/solutions?id=sk34467). Gather the troubleshooting information described in the SK, and contact Check Point support.

Completing the Procedure
After each SmartDashboard modification, push the policy.

Verifying
Ensure you can communicate between the sites both ways.
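The VTI fix above is a structural rule about vpn_route.conf: for every gateway, the group holding its own internal networks must appear with that gateway as both router and install_on. The following parser and check is an added example (not Check Point code) that reads entries in the "destination router install_on" layout shown above and reports which gateways lack their self route; it assumes, as the fragment above suggests, that fields are whitespace-separated and that "#" starts a comment. The incomplete configuration is constructed for the example.

```python
"""Parser and self-route check for vpn_route.conf entries. Added example, not
Check Point code; assumes whitespace-separated fields and '#' comments."""


def parse_vpn_route(text):
    """Return a list of (destination, router, install_on) tuples.
    Raises ValueError on a line that does not have exactly three fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(
                "line %d: expected 'destination router install_on', got %r" % (lineno, raw))
        entries.append(tuple(fields))
    return entries


def is_well_formed(text):
    """True when every non-comment line parses."""
    try:
        parse_vpn_route(text)
        return True
    except ValueError:
        return False


def missing_self_routes(entries, local_domains):
    """local_domains maps each gateway name to the group holding its internal
    networks. Returns the gateways that have no '<group> <gw> <gw>' entry,
    i.e. whose local domain is not declared to itself."""
    present = set(entries)
    return [gw for gw, group in local_domains.items() if (group, gw, gw) not in present]


# The two-gateway example from this section.
LOCAL_DOMAINS = {"center": "center_nets", "satellite": "satellite_nets"}

GOOD_CONF = """\
# destination    router     install_on
center_nets      center     center
satellite_nets   satellite  satellite
"""

# Constructed: the satellite's own networks were never declared to itself,
# the situation that produces the "Clear text packet should be encrypted" drop.
INCOMPLETE_CONF = """\
# destination    router     install_on
center_nets      center     center
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("incomplete", INCOMPLETE_CONF)):
        missing = missing_self_routes(parse_vpn_route(conf), LOCAL_DOMAINS)
        print(name, "- gateways missing a self route:", missing or "none")
```

A malformed line (fewer or more than three fields) is rejected outright rather than guessed at, since a silently skipped entry would leave the same symptom in place after the policy is pushed.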