VPN Troubleshooting

VPN Problems

Links & Infos

IKEv2

Internet Key Exchange Protocol Version 2 (IKEv2)
https://tools.ietf.org/html/rfc5996

Check Point Probleme mit IKEv2

Site to Site using IKEv2 fails with "None of the traffic selectors match the conection"
https://support.checkpoint.com/results/sk/sk157473

How do I change the local id for an IKEv2 IPsec VPN?
https://community.checkpoint.com/t5/Remote-Access-VPN/How-do-I-change-the-local-id-for-an-IKEv2-IPsec-VPN/m-p/14786

Unauthorized VPN access to internal networks via IKEv2 tunnel (CVE-2019-8456)
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk149892

IKEv2 negotiation for Site-to-Site VPN tunnel with 3rd party peer fails if IKEv2 SA payload contains more than 8 proposals
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk112139

When Check Point peer is initiator of IKEv2 negotiation, FQDN not being sent
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108817

Debugging IKEv2 on Check Point

Link

What is the IKEView Utility ?
https://support.checkpoint.com/results/sk/sk30994

How to collect a debug for VPN issues
https://support.checkpoint.com/results/sk/sk180488

Debugging Description

Use Ike debug to validate and understand how both devices are negotiating the parameters

disable acceleration if you can:

fwaccel off
vpn debug trunc ALL=5
ike debug trunc
ike debug on TDERROR_ALL_ALL=5

Get the file $FWDIR/log/legacy_ikev2.xmll and check the proposal for both side.
Read the file $FWDIR/log/vpnd.elg and try to find any inconsistencies.

IKE is the same for all players, the problem is configuration. Many times, the devices try to send parameters differently of what you expect they do.
Check Point firewalls try to summarize the networks inside the encryption domain, this is called supernetting.
It will try to summarize at maximum possible and will send that summarization in place of original one.
If you have two subnets /24 it will try to send a /23.
Route based VPN is more flexible than domain based and you can have both configured. Use it if you can.
There's a new version for ikeview.exe capable to read $FWDIR/log/ikev2.xmll. (https://support.checkpoint.com/results/sk/sk30994)
Check on support center and if possible use its the best tool to troubleshoot VPN problems on Check Point side.
Disable debug after all

fwaccel on
vpn debug off

Network Ports used for communication

Log Files location Check Point

Useful CLI Commands Check Point

Export/Import Policy Package

Useful Smartlog Queries

Useful SNMP OIDs (VSX)

Threat Prevention API

GAIA - Easy execute CLI commands on all gateways simultaneously

Threat Prevention Cyber Attacks Dashboard Template

DOS & DDOS Prevention, Mitigation

Export Syslog Messages

Missing feature - Global search across multiple CMA

Show logging using the web interface

Managing partition sizes via LVM manager on Gaia OS

SmartConsole cli parameters

Jump to Rule Number or UID

SmartConsole: Clear disconnected sessions

Initiating manual cluster failover

How to migrate Custom Queries from one SmartView Tracker to another

Check Point Log Export

After policy install: UDP packet that belongs to an old session drops

How to copy a file from a Check Point firewall

CPView Utility and High Load Traffic

IPS Troubleshooting

Limitation of 251 Inline Layers

Packetpushers with SQLNet

Show interface speed and duplex as a list

VPN Troubleshooting

Threat Extraction Troubleshooting

Check Point Links & Tools

VPN Troubleshooting

VPN Problems

Links & Infos

IKEv2

Check Point Probleme mit IKEv2

Debugging IKEv2 on Check Point

Link

Debugging Description

No Comments