Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

vpn debugging

DEBUGGING INSTRUCTIONS:

From the command line (on a cluster, run this on the active member):

vpn debug on
vpn debug ikeon
vpn tu

Select the option to delete IPsec+IKE SAs for a given peer (gw). Then send the traffic that should bring up the tunnel.

vpn debug ikeoff
vpn debug off

Log files are:

$FWDIR/log/ike.elg
$FWDIR/log/vpnd.elg

COMMON MESSAGES:

According to the Policy the Packet should not have been decrypted

  • The networks are not defined properly or have a typo
  • Make sure VPN domains under gateway A are all local to gateway A
  • Make sure VPN domains under gateway B are all local to gateway B

Wrong Remote Address

Failed to match proposal

sk21636 – Cisco side not configured for compression

No response from peer

  • Check encryption domains.
  • Remote end needs a decrypt rule
  • Remote firewall not set up for encryption
  • Something is blocking communication between the VPN endpoints
  • Check UDP 500 (IKE) and IP protocol 50 (ESP)

No Valid SA

  • Both ends need the same definition for the encryption domain.
  • sk19243 – (LAST OPTION) use dbedit on objects_5_0.c, then add subnets/hosts in users.def
  • Likely Phase 2 settings
  • Cisco might say "no proxy id allowed"
  • Disable NAT inside the VPN community
  • Make sure "Support Key exchange for subnets" is properly configured
  • Make sure the firewall's external interface has a public IP in General Properties

No Proposal chosen

  • sk19243 – usually caused when a peer does not agree to VPN Domain or subnet mask
  • make sure that encryption and hash match as well in Phase 2 settings

Cannot Identify Peer (for encrypted connection)

  • sk22102 – rules refer to an object that is not part of the local firewall's encryption domain
  • may have overlapping encryption domains
  • 2 peers in the same domain
  • sk18972 – explains overlapping

Invalid ID

  • sk25893 – Gateway: VPN -> VPN Advanced, clear "Support key exchange for subnets", install policy

Authentication Failure

  • Payload Malformed
  • check pre shared secrets

RESPONDER-LIFETIME

As seen in the IKE debugs; make sure the lifetimes match on both ends

Invalid Certificate

  • sk17106 – Remote side peer object is incorrectly configured
  • sk23586 – NAT rules are needed
  • sk18805 – multiple issues, define a static nat, add a rule, check time
  • sk25262 – port 18264 has problems
  • sk32648 – port 18264 problems v2
  • sk15037 – make sure gateway can communicate with management

No Valid CRL

  • sk32721 – CRL has expired, and module can’t get a new valid CRL

Could not get SAs from packet

FW MONITOR NOTES

  • The packet passes the inspection points in the order i, I, o, O
  • The packet will be ESP between o and O

Basic Config Checks:

Accept FW-1 Control Connections

VPN domains

  • Set up in the topology of that object
  • Using the topology is recommended, but the domain must still be defined
  • Look for overlap or missing networks.
  • Check both the remote and the local objects.

Encryption Domains

  • your firewall contains your networks
  • their firewall contains their networks
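Two of the checks above (overlapping encryption domains between peers, which the "Cannot Identify Peer" section and sk18972 cover, and networks missing from a gateway's own domain) are mechanical enough to script before opening a debug session. This is an added example and not part of the original notes; the gateway names and subnets are constructed documentation ranges, and the domain definitions would have to be exported from the real objects database.

```python
# Added example (not from the original notes): sanity-check VPN/encryption
# domains. Gateway names and subnets below are constructed
# (RFC 1918 / RFC 5737 ranges), not a real deployment.
import ipaddress
from typing import Dict, List, Tuple


def _nets(cidrs: List[str]):
    # strict=False tolerates host bits being set, e.g. "10.10.5.0/16"
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def overlapping_domains(domains: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (gateway_a, subnet_a, gateway_b, subnet_b) for every pair of
    subnets that overlap across two different gateways' encryption domains.
    Overlap between peers is one cause of 'Cannot identify peer'."""
    found = []
    names = sorted(domains)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in _nets(domains[a]):
                for nb in _nets(domains[b]):
                    if na.overlaps(nb):
                        found.append((a, str(na), b, str(nb)))
    return found


def uncovered_hosts(domains: Dict[str, List[str]], gateway: str, hosts: List[str]) -> List[str]:
    """Hosts that are supposed to sit behind `gateway` but fall outside its
    encryption domain; their traffic will leave the gateway unencrypted."""
    nets = _nets(domains[gateway])
    return [h for h in hosts if not any(ipaddress.ip_address(h) in n for n in nets)]


# Constructed sample: gw-B's second subnet overlaps gw-A's 192.168.1.0/24
DOMAINS = {
    "gw-A": ["10.10.0.0/16", "192.168.1.0/24"],
    "gw-B": ["10.20.0.0/16", "192.168.1.128/25"],
}

if __name__ == "__main__":
    for a, na, b, nb in overlapping_domains(DOMAINS):
        print(f"OVERLAP: {a} {na} <-> {b} {nb}")
    print("not covered by gw-A:", uncovered_hosts(DOMAINS, "gw-A", ["10.10.5.5", "10.30.1.1"]))
```

Run it with the domain lists of every gateway in the community; any overlap printed, or any host reported as uncovered, is worth fixing before reading ike.elg.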

Rule Setup

  • you need a rule for the originator.
  • Reply rule is only required for 2 way tunnel

Preshared secret or certificate

  • Make sure times are accurate

Security rulebase

  • make sure there are rules to allow the traffic

Address Translation

  • Be aware that this will affect the Phase 2 negotiations
  • most people disable NAT in the community

Community Properties

  • Tunnel management, Phase1 Phase2 encrypt settings.

Routing

  • make sure that the destination is routed across the interface that you want it to encrypt on
  • You need IP protocols 50 and 51 for IPsec-related traffic
  • you need port 500 UDP for IKE
  • netstat -rn and look for a single valid default route
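The last routing check (one valid default route, and the destination leaving on the interface you expect to encrypt on) can be done against saved `netstat -rn` output rather than by eye. This is an added example, not part of the original notes; the routing table in SAMPLE_NETSTAT is constructed in the Linux netstat layout and is not captured from a real gateway.

```python
# Added example (not from the original notes): parse `netstat -rn` output,
# confirm there is exactly one default route, and find which interface a
# destination would leave on. SAMPLE_NETSTAT is constructed, not captured.
import ipaddress
from typing import Dict, List, Optional

SAMPLE_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
10.10.0.0       0.0.0.0         255.255.0.0     U         0 0          0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""


def parse_routes(text: str) -> List[Dict[str, str]]:
    """Turn the table into a list of route dicts; banner and header are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have 8 columns and start with a dotted-quad destination
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        routes.append({"dest": parts[0], "gateway": parts[1], "genmask": parts[2],
                       "flags": parts[3], "iface": parts[-1]})
    return routes


def default_routes(routes: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in routes if r["dest"] == "0.0.0.0" and r["genmask"] == "0.0.0.0"]


def single_default_route(routes: List[Dict[str, str]]) -> bool:
    """The check the notes ask for: exactly one default route present."""
    return len(default_routes(routes)) == 1


def egress_interface(routes: List[Dict[str, str]], dest_ip: str) -> Optional[str]:
    """Longest-prefix match, the same choice the kernel makes for a packet."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(f"{r['dest']}/{r['genmask']}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r["iface"])
    return best[1] if best else None


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_NETSTAT)
    print("single default route:", single_default_route(routes))
    for peer_host in ("10.10.5.7", "203.0.113.9"):
        print(peer_host, "leaves via", egress_interface(routes, peer_host))
```

Feed it the real output (`netstat -rn > routes.txt` on the gateway, then `parse_routes(open("routes.txt").read())`) and compare the interface reported for a host in the remote encryption domain with the interface the VPN is expected to use.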

Smartview Tracker Logs

  • purple = encrypted
  • red = dropped
  • green = no encryption

Modes

TRADITIONAL MODE

  • Cannot do VPN routing
  • encryption happens when you hit explicit rule
  • rules must be created

SIMPLIFIED MODE

  • VPN Communities
  • Encryption happens at rule 0
  • rules are implied

CHECKLIST

  • Define encryption domains for each site
  • Define firewall workstation objects for each site
  • Configure the gateway objects for the correct encryption domain
  • Configure the extranet community with the appropriate gateways and objects
  • Create the necessary encryption rules.
  • Configure the encryption properties for each encryption rule.
  • Install the security Policy

IKE PACKET MODE QUICK REFERENCE

  • -> outgoing
  • <- incoming

PHASE 1 (MAIN MODE)

  • 1 > Pre-shared secrets, encryption & hash algorithms, auth method, initiator cookie (clear text)
  • 2 < Agree on one encryption & hash, responder cookie (clear text)
  • 3 > Random numbers sent to prove identity (if it fails here, reinstall)
  • 4 < Random numbers sent to prove identity (if it fails here, reinstall)
  • 5 > Authentication between peers, peer IP address, certificate exchange, shared secrets, expired certs, time offsets
  • 6 < Peer has agreed to the proposal and has authenticated the initiator, expired certs, time offsets

PHASE 2 (QUICK MODE)

  • 1 > Use a subnet or a host ID, Encryption, hash, ID data
  • 2 < Agrees with its own subnet or host ID and encryption and hash
  • 3 > completes IKE negotiation
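Several of the messages above ("Failed to match proposal", "No Valid SA", "No Proposal chosen", RESPONDER-LIFETIME, "Invalid ID") come down to the selection step in Phase 1 packet 2 and Phase 2 packet 2. The model below is an added example, not from the original notes or from Check Point: it walks the initiator's proposals in order the way a responder does, matches only encryption, hash and DH group (real gateways compare more attributes), reports a lifetime difference separately, and treats a proxy-ID/subnet mismatch in Quick Mode as an ID failure. All proposal values are constructed.

```python
# Added example (not from the original notes): a small model of proposal
# selection in IKE Phase 1 (Main Mode) and Phase 2 (Quick Mode), to show
# why mismatched settings surface as "No proposal chosen" / "Failed to match
# proposal", why lifetimes show up as RESPONDER-LIFETIME, and why subnet
# (proxy ID) disagreements fail Phase 2. Values are constructed.
from typing import Dict, List, Optional, Tuple

Proposal = Dict[str, object]


def select_phase1(initiator: List[Proposal], responder: List[Proposal]) -> Tuple[Optional[Proposal], str]:
    """Responder takes the first initiator proposal whose encryption, hash and
    DH group it also offers. Lifetime is not part of the match, but a
    difference is reported, which is what RESPONDER-LIFETIME in ike.elg means."""
    keys = ("enc", "hash", "dh")
    for p in initiator:
        for r in responder:
            if all(p[k] == r[k] for k in keys):
                if p["lifetime"] != r["lifetime"]:
                    return p, f"accepted; RESPONDER-LIFETIME {p['lifetime']} != {r['lifetime']}"
                return p, "accepted"
    return None, "No proposal chosen"


def select_phase2(init_ids: Tuple[str, str], init_props: List[Proposal],
                  resp_expected_ids: Tuple[str, str], resp_props: List[Proposal]) -> Tuple[Optional[Proposal], str]:
    """Quick Mode: the (source subnet, destination subnet) IDs the initiator
    sends must equal what the responder expects for this peer; only then are
    encryption and hash compared. A /24 offered against an expected /16 is
    the 'largest possible subnet' situation from sk19243."""
    if init_ids != resp_expected_ids:
        return None, f"Invalid ID / No proposal chosen: {init_ids} vs {resp_expected_ids}"
    for p in init_props:
        if p in resp_props:
            return p, "accepted"
    return None, "No proposal chosen"


# Constructed sample: the initiator prefers AES-256, the responder only
# offers 3DES/MD5 with a shorter lifetime, so the second proposal wins
# with a RESPONDER-LIFETIME note.
INIT_P1 = [{"enc": "AES-256", "hash": "SHA1", "dh": "group2", "lifetime": 86400},
           {"enc": "3DES", "hash": "MD5", "dh": "group2", "lifetime": 86400}]
RESP_P1 = [{"enc": "3DES", "hash": "MD5", "dh": "group2", "lifetime": 28800}]

INIT_P2 = [{"enc": "AES-128", "hash": "SHA1"}, {"enc": "3DES", "hash": "MD5"}]
RESP_P2 = [{"enc": "3DES", "hash": "MD5"}, {"enc": "AES-128", "hash": "SHA1"}]
IDS = ("10.10.0.0/16", "10.20.0.0/16")

if __name__ == "__main__":
    print("phase 1:", select_phase1(INIT_P1, RESP_P1))
    print("phase 2:", select_phase2(IDS, INIT_P2, IDS, RESP_P2))
    print("phase 2 with /24 offered:", select_phase2(("10.10.5.0/24", "10.20.0.0/16"), INIT_P2, IDS, RESP_P2))
```

The order matters: since the responder stops at the first acceptable proposal, a peer that lists a weak transform first will get it selected even when both sides also support a stronger one, so check what was actually chosen in ike.elg rather than what was offered.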

GOOD SKs TO KNOW

  • sk31221 – The NGX Advanced Troubleshooting Reference Guide (ATRG)
  • sk26362 – Troubleshooting MTU related issues
  • sk30509 – Configuring VPN-1/FireWall-1
  • sk31567 – What is ike.elg?
  • sk20277 – “Tunnel failure, cannot find IPSec methods of the community (VPN Error code 01)” appears
  • sk31279 – Files copied over encrypted tunnel displaying error: “network path is too deep”
  • sk32648 – Site-to-site VPN using certificates issued by the ICA (Internal Certificate Authority) fails
  • sk19243 – largest possible subnet even when the largest_possible_subnet option is set to false
  • sk31619 – VPN tunnel is down troubleshooting