Today I had to debug a VPN link between a CheckPoint firewall and a Netasq firewall.
The logs only mentioned a negotiation failure during phase 2.
There are a few debugging tools available on SecurePlatform:
First, enable the traces:
[gw02]# expert
Enter expert password:
You are in expert mode now.
[gw02]# vpn debug trunc
The trace files are written to /opt/CPsuite-R65/fw1/log: ike.elg (the IKE negotiation) and vpnd.elg (the vpnd daemon).
Afterwards, don't forget to stop the traces (they contain session keys, DH secrets, etc.), and treat the .elg files themselves as sensitive: delete them or restrict access to them once the analysis is done:
[Expert@gw02]# vpn debug off
[Expert@gw02]# vpn debug ikeoff
Finally, there is an interactive command-line tool for monitoring tunnels, vpn tu:
[Expert@gw02]# vpn tu
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
*******************************************
1
Peer 192.168.1.20, user md5 5abbf151d8431f7d:
1. IKE SA <772a0b9281e8fef7,c375b55916e96435>:
Peer 81.XXX.YYY.100:
1. IKE SA <2371c3561e2e4981,c5e66dc0594a3333>:
The phase 2 SAs can be listed as well:
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
*******************************************
2
Peer 192.168.1.20, user md5 5abbf151d8431f7d:
Peer 81.XXX.YYY.100:
INBOUND:
1. 0x59084089
OUTBOUND:
1. 0xe0bae2b
You will have noticed the option that clears both the phase 1 and phase 2 SAs of a single peer (option 7): it forces a full renegotiation with that peer without touching the other tunnels.
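When several tunnels are involved, comparing the option 1 and option 2 listings by eye gets tedious. Here is an added Python parser (not part of the original post, nor Check Point tooling) that reads both vpn tu listings, as shown above, and flags peers that hold an IKE SA but no IPsec SPI in either direction, which is exactly the symptom of a phase 2 negotiation failure. The sample input is the output shown above with the menus stripped; the regular expressions assume that exact line layout.

```python
import re

# Sample input: the option 1 (IKE SAs) and option 2 (IPsec SAs) listings
# shown above, menus stripped. Peer 192.168.1.20 has an IKE SA but no
# IPsec SPIs: phase 1 completed, phase 2 did not.
VPN_TU_OUTPUT = """\
Peer 192.168.1.20, user md5 5abbf151d8431f7d:
1. IKE SA <772a0b9281e8fef7,c375b55916e96435>:
Peer 81.XXX.YYY.100:
1. IKE SA <2371c3561e2e4981,c5e66dc0594a3333>:
Peer 192.168.1.20, user md5 5abbf151d8431f7d:
Peer 81.XXX.YYY.100:
INBOUND:
1. 0x59084089
OUTBOUND:
1. 0xe0bae2b
"""

PEER_RE = re.compile(r"^Peer (\S+?)(?:, user .*)?:$")
IKE_RE = re.compile(r"^\d+\. IKE SA <([0-9a-f]+),([0-9a-f]+)>:$")
SPI_RE = re.compile(r"^\d+\. (0x[0-9a-f]+)$")


def parse_vpn_tu(text):
    """Parse option 1 and/or option 2 output into
    {peer: {"ike": [(cookie_i, cookie_r)], "INBOUND": [spi], "OUTBOUND": [spi]}}."""
    sas, peer, direction = {}, None, None
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            peer, direction = m.group(1), None
            sas.setdefault(peer, {"ike": [], "INBOUND": [], "OUTBOUND": []})
        elif line in ("INBOUND:", "OUTBOUND:"):
            direction = line[:-1]
        elif (m := IKE_RE.match(line)) and peer:
            sas[peer]["ike"].append((m.group(1), m.group(2)))
        elif (m := SPI_RE.match(line)) and peer and direction:
            sas[peer][direction].append(m.group(1))
    return sas


def phase2_missing(sas):
    """Peers with an IKE SA (phase 1) but no IPsec SPI in either direction."""
    return sorted(p for p, s in sas.items()
                  if s["ike"] and not (s["INBOUND"] or s["OUTBOUND"]))


if __name__ == "__main__":
    for p in phase2_missing(parse_vpn_tu(VPN_TU_OUTPUT)):
        print(f"{p}: phase 1 SA present, no phase 2 SA")
```

On the box itself, the two listings can be pasted or redirected into the script; a peer reported here is the one whose ike.elg trace is worth reading first.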