Debugging a VPN on CheckPoint SecurePlatform

September 17, 2009  |   Blog

Today I had to debug a VPN link between a Check Point firewall and a Netasq firewall.
The logs only reported a negotiation failure during phase 2.

There are a few tools for debugging on SecurePlatform.
First, enable the debug logs:

[gw02]# expert
Enter expert password:
You are in expert mode now.
[gw02]# vpn debug trunc

The trace files, ike.elg and vpnd.elg, are written to /opt/CPsuite-R65/fw1/log.
Do not forget to turn the traces off afterwards (they contain the session keys, the DH secrets, etc.):

[Expert@gw02]# vpn debug off
[Expert@gw02]# vpn debug ikeoff

Finally, there is a command-line tool for monitoring the tunnels, vpn tu:

[Expert@gw02]# vpn tu
********** Select Option **********
 (1) List all IKE SAs
 (2) List all IPsec SAs
 (3) List all IKE SAs for a given peer (GW) or user (Client)
 (4) List all IPsec SAs for a given peer (GW) or user (Client)
 (5) Delete all IPsec SAs for a given peer (GW)
 (6) Delete all IPsec SAs for a given User (Client)
 (7) Delete all IPsec+IKE SAs for a given peer (GW)
 (8) Delete all IPsec+IKE SAs for a given User (Client)
 (9) Delete all IPsec SAs for ALL peers and users
 (0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
*******************************************
1
Peer 192.168.1.20, user md5 5abbf151d8431f7d;
1. IKE SA <772a0b9281e8fef7,c375b55916e96435>:
Peer 81.XXX.YYY.100:
1. IKE SA <2371c3561e2e4981,c5e66dc0594a3333>:

The phase 2 (IPsec) SAs can be listed the same way:

 (1) List all IKE SAs
 (2) List all IPsec SAs
 (3) List all IKE SAs for a given peer (GW) or user (Client)
 (4) List all IPsec SAs for a given peer (GW) or user (Client)
 (5) Delete all IPsec SAs for a given peer (GW)
 (6) Delete all IPsec SAs for a given User (Client)
 (7) Delete all IPsec+IKE SAs for a given peer (GW)
 (8) Delete all IPsec+IKE SAs for a given User (Client)
 (9) Delete all IPsec SAs for ALL peers and users
 (0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
*******************************************
2
Peer 192.168.1.20, user md5 5abbf151d8431f7d:

Peer 81.XXX.YYY.100:
INBOUND:
1. 0x59084089
OUTBOUND:
1. 0xe0bae2b

You will have noticed the option that clears both phase 1 and phase 2 for a single peer (option 7), which is handy for forcing a clean renegotiation with one partner without touching the other tunnels.
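To compare these listings with what the far end reports, here is a small parser for the vpn tu output above. It is an example added to this post, not part of Check Point's tooling; the sample input is the option 1 and option 2 output shown on this page, and the regular expressions assume that format. A peer that shows an IKE SA but no inbound or outbound SPI is exactly the "phase 1 up, phase 2 failed" situation the logs were complaining about.

```python
import re

# Constructed sample: "vpn tu" option 1 (IKE SAs) and option 2 (IPsec SAs) output from this page.
IKE_SA_OUTPUT = """Peer 192.168.1.20, user md5 5abbf151d8431f7d;
1. IKE SA <772a0b9281e8fef7,c375b55916e96435>:
Peer 81.XXX.YYY.100:
1. IKE SA <2371c3561e2e4981,c5e66dc0594a3333>:"""
IPSEC_SA_OUTPUT = """Peer 192.168.1.20, user md5 5abbf151d8431f7d:

Peer 81.XXX.YYY.100:
INBOUND:
1. 0x59084089
OUTBOUND:
1. 0xe0bae2b"""

PEER_RE = re.compile(r"^Peer\s+(\S+?)[,:]")               # "Peer <addr>," or "Peer <addr>:"
IKE_RE = re.compile(r"IKE SA <([0-9a-f]+),([0-9a-f]+)>")  # initiator and responder cookies
SPI_RE = re.compile(r"^\d+\.\s+(0x[0-9a-f]+)$")           # "1. 0x59084089"

def parse_vpn_tu(text):
    """Per-peer view of vpn tu output: IKE SA cookie pairs plus INBOUND/OUTBOUND IPsec SPIs."""
    peers, peer, direction = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = PEER_RE.match(line)
        if m:  # new peer block; direction resets until an INBOUND:/OUTBOUND: header is seen
            peer, direction = m.group(1), None
            peers.setdefault(peer, {"ike": [], "INBOUND": [], "OUTBOUND": []})
            continue
        if line in ("INBOUND:", "OUTBOUND:"):
            direction = line.rstrip(":")
            continue
        m = IKE_RE.search(line)
        if m and peer:
            peers[peer]["ike"].append((m.group(1), m.group(2)))
            continue
        m = SPI_RE.match(line)
        if m and peer and direction:
            peers[peer][direction].append(m.group(1))
    return peers

def peers_without_phase2(peers):
    """Peers that hold an IKE SA but no IPsec SA: phase 1 completed, phase 2 did not."""
    return sorted(p for p, v in peers.items()
                  if v["ike"] and not (v["INBOUND"] or v["OUTBOUND"]))
```

Feeding the option 1 and option 2 outputs concatenated into parse_vpn_tu merges both views per peer, so peers_without_phase2 then points straight at the partner whose phase 2 is failing.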
