topic Re: site to site VPN in General Topics

site to site VPN

Brianpiraty_Ale — Thu, 07 Jun 2018 15:13:53 GMT

For IPsec tunnel troubleshooting, after disabling the secureXL, when I run fwmonitor with src and dest IP address,what should I expect to see?

will I see both (i, I) and Both (o,O) for the traffic?

Re: site to site VPN

Houssameddine_1 — Thu, 07 Jun 2018 15:37:00 GMT

I always like to get packet captures without any filtering and I will filter later on in wireshark.

For R77.30 and lower versions, if you are filtering for the interesting traffic src and destination you suppose to see the clear packet in the following positions i I o and O you suppose to see the ESP packet which will have the public IPs of the endpoint of the vpn.

For R80.10 since Corexl Is enabled for VPN in fw monitor checkpoint introduced 2 other positions e and E. because the traffic will be sent to a core that handles the connecion after that it will be forwarded to another core to do the encryption

you suppose to see the clear packet in position i I o O e and you will see the esp packet at E position.

Thanks

Re: site to site VPN

Brianpiraty_Ale — Thu, 14 Jun 2018 22:01:08 GMT

will I see "e" also ?

Re: site to site VPN

Petr_Hantak — Fri, 15 Jun 2018 06:56:22 GMT

If you take a look on whole chain in your actual system, then you can se it is possible to run fw monitor on much more places then just default state.

Here is chain example (note - Acceleration enabled):

[Expert@FWHOST:0]# fw ctl chain
in chain (15):
0: -7f800000 (f5b395b0) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: - 2000000 (f544bb00) (00000003) vpn decrypt (vpn)
2: - 1fffffa (f5466460) (00000001) l2tp inbound (l2tp)
3: - 1fffff8 (f5b3aca0) (00000001) Stateless verifications (in) (asm)
4: - 1fffff2 (f54888f0) (00000003) vpn tagging inbound (tagging)
5: - 1fffff0 (f544a4a0) (00000003) vpn decrypt verify (vpn_ver)
6: - 1000000 (f5c0d820) (00000003) SecureXL conn sync (secxl_sync)
7: 0 (f5ad9390) (00000001) fw VM inbound (fw)
8: 2000000 (f5449a60) (00000003) vpn policy inbound (vpn_pol)
9: 10000000 (f5c18070) (00000003) SecureXL inbound (secxl)
10: 7f600000 (f5b2d990) (00000001) fw SCV inbound (scv)
11: 7f730000 (f5d40760) (00000001) passive streaming (in) (pass_str)
12: 7f750000 (f5f53920) (00000001) TCP streaming (in) (cpas)
13: 7f800000 (f5b392c0) (ffffffff) IP Options Restore (in) (ipopt_res)
14: 7fb00000 (f633d240) (00000001) HA Forwarding (ha_for)
out chain (13):
0: -7f800000 (f5b395b0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1ffffff (f5449260) (00000003) vpn nat outbound (vpn_nat)
2: - 1fffff0 (f5f53bb0) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (f5d40760) (00000001) passive streaming (out) (pass_str)
4: - 1ff0000 (f54888f0) (00000003) vpn tagging outbound (tagging)
5: - 1f00000 (f5b3aca0) (00000001) Stateless verifications (out) (asm)
6: 0 (f5ad9390) (00000001) fw VM outbound (fw)
7: 2000000 (f5449270) (00000003) vpn policy outbound (vpn_pol)
8: 10000000 (f5c18070) (00000003) SecureXL outbound (secxl)
9: 1ffffff0 (f54670d0) (00000001) l2tp outbound (l2tp)
10: 20000000 (f544c600) (00000003) vpn encrypt (vpn)
11: 7f700000 (f5f53df0) (00000001) TCP streaming post VM (cpas)
12: 7f800000 (f5b392c0) (ffffffff) IP Options Restore (out) (ipopt_res)

SK for FW monitor is much more fine than in the past. So try to look there for examples and syntax - sk30583