cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

site to site VPN

For IPsec tunnel troubleshooting, after disabling the secureXL, when I run fwmonitor  with src and dest IP address,what should I expect to see?

will I see both (i, I) and Both (o,O) for the  traffic?

3 Replies
Highlighted

Re: site to site VPN

I always like to get packet captures without any filtering and I will filter later on in wireshark. 

For R77.30 and lower versions, if you are filtering for the interesting traffic src and destination you suppose to see the clear packet in the following positions i I o and O you suppose to see the ESP packet which will have the public IPs of the endpoint of the vpn.

For R80.10 since Corexl Is enabled for VPN in fw monitor checkpoint introduced 2 other positions e and E. because the traffic will be sent to a core that handles the connecion after that it will be forwarded to another core to do the encryption

you suppose to see the clear packet in position i I o O e and you will see the esp packet at E position.

Thanks

Re: site to site VPN

will I see "e" also ?

0 Kudos
Petr_Hantak
Silver

Re: site to site VPN

If you take a look on whole chain in your actual system, then you can se it is possible to run fw monitor on much more places then just default state.

Here is chain example (note - Acceleration enabled):

[Expert@FWHOST:0]# fw ctl chain
in chain (15):
0: -7f800000 (f5b395b0) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: - 2000000 (f544bb00) (00000003) vpn decrypt (vpn)
2: - 1fffffa (f5466460) (00000001) l2tp inbound (l2tp)
3: - 1fffff8 (f5b3aca0) (00000001) Stateless verifications (in) (asm)
4: - 1fffff2 (f54888f0) (00000003) vpn tagging inbound (tagging)
5: - 1fffff0 (f544a4a0) (00000003) vpn decrypt verify (vpn_ver)
6: - 1000000 (f5c0d820) (00000003) SecureXL conn sync (secxl_sync)
7: 0 (f5ad9390) (00000001) fw VM inbound (fw)
8: 2000000 (f5449a60) (00000003) vpn policy inbound (vpn_pol)
9: 10000000 (f5c18070) (00000003) SecureXL inbound (secxl)
10: 7f600000 (f5b2d990) (00000001) fw SCV inbound (scv)
11: 7f730000 (f5d40760) (00000001) passive streaming (in) (pass_str)
12: 7f750000 (f5f53920) (00000001) TCP streaming (in) (cpas)
13: 7f800000 (f5b392c0) (ffffffff) IP Options Restore (in) (ipopt_res)
14: 7fb00000 (f633d240) (00000001) HA Forwarding (ha_for)
out chain (13):
0: -7f800000 (f5b395b0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1ffffff (f5449260) (00000003) vpn nat outbound (vpn_nat)
2: - 1fffff0 (f5f53bb0) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (f5d40760) (00000001) passive streaming (out) (pass_str)
4: - 1ff0000 (f54888f0) (00000003) vpn tagging outbound (tagging)
5: - 1f00000 (f5b3aca0) (00000001) Stateless verifications (out) (asm)
6: 0 (f5ad9390) (00000001) fw VM outbound (fw)
7: 2000000 (f5449270) (00000003) vpn policy outbound (vpn_pol)
8: 10000000 (f5c18070) (00000003) SecureXL outbound (secxl)
9: 1ffffff0 (f54670d0) (00000001) l2tp outbound (l2tp)
10: 20000000 (f544c600) (00000003) vpn encrypt (vpn)
11: 7f700000 (f5f53df0) (00000001) TCP streaming post VM (cpas)
12: 7f800000 (f5b392c0) (ffffffff) IP Options Restore (out) (ipopt_res)

SK for FW monitor is much more fine than in the past. So try to look there for examples and syntax - sk30583