This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Brianpiraty_Ale
Contributor
‎2018-06-07 08:13 AM

site to site VPN

For IPsec tunnel troubleshooting, after disabling the secureXL, when I run fwmonitor  with src and dest IP address,what should I expect to see?

will I see both (i, I) and Both (o,O) for the  traffic?

3 Replies
Houssameddine_1
Collaborator
‎2018-06-07 08:37 AM

I always like to get packet captures without any filtering and I will filter later on in wireshark. 

For R77.30 and lower versions, if you are filtering for the interesting traffic src and destination you suppose to see the clear packet in the following positions i I o and O you suppose to see the ESP packet which will have the public IPs of the endpoint of the vpn.

For R80.10 since Corexl Is enabled for VPN in fw monitor checkpoint introduced 2 other positions e and E. because the traffic will be sent to a core that handles the connecion after that it will be forwarded to another core to do the encryption

you suppose to see the clear packet in position i I o O e and you will see the esp packet at E position.

Thanks

Brianpiraty_Ale
Contributor
‎2018-06-14 03:01 PM
In response to Houssameddine_1

will I see "e" also ?

0 Kudos
Petr_Hantak
Advisor
Advisor
‎2018-06-14 11:56 PM
In response to Brianpiraty_Ale

If you take a look on whole chain in your actual system, then you can se it is possible to run fw monitor on much more places then just default state.

Here is chain example (note - Acceleration enabled):

[Expert@FWHOST:0]# fw ctl chain
in chain (15):
0: -7f800000 (f5b395b0) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: - 2000000 (f544bb00) (00000003) vpn decrypt (vpn)
2: - 1fffffa (f5466460) (00000001) l2tp inbound (l2tp)
3: - 1fffff8 (f5b3aca0) (00000001) Stateless verifications (in) (asm)
4: - 1fffff2 (f54888f0) (00000003) vpn tagging inbound (tagging)
5: - 1fffff0 (f544a4a0) (00000003) vpn decrypt verify (vpn_ver)
6: - 1000000 (f5c0d820) (00000003) SecureXL conn sync (secxl_sync)
7: 0 (f5ad9390) (00000001) fw VM inbound (fw)
8: 2000000 (f5449a60) (00000003) vpn policy inbound (vpn_pol)
9: 10000000 (f5c18070) (00000003) SecureXL inbound (secxl)
10: 7f600000 (f5b2d990) (00000001) fw SCV inbound (scv)
11: 7f730000 (f5d40760) (00000001) passive streaming (in) (pass_str)
12: 7f750000 (f5f53920) (00000001) TCP streaming (in) (cpas)
13: 7f800000 (f5b392c0) (ffffffff) IP Options Restore (in) (ipopt_res)
14: 7fb00000 (f633d240) (00000001) HA Forwarding (ha_for)
out chain (13):
0: -7f800000 (f5b395b0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1ffffff (f5449260) (00000003) vpn nat outbound (vpn_nat)
2: - 1fffff0 (f5f53bb0) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (f5d40760) (00000001) passive streaming (out) (pass_str)
4: - 1ff0000 (f54888f0) (00000003) vpn tagging outbound (tagging)
5: - 1f00000 (f5b3aca0) (00000001) Stateless verifications (out) (asm)
6: 0 (f5ad9390) (00000001) fw VM outbound (fw)
7: 2000000 (f5449270) (00000003) vpn policy outbound (vpn_pol)
8: 10000000 (f5c18070) (00000003) SecureXL outbound (secxl)
9: 1ffffff0 (f54670d0) (00000001) l2tp outbound (l2tp)
10: 20000000 (f544c600) (00000003) vpn encrypt (vpn)
11: 7f700000 (f5f53df0) (00000001) TCP streaming post VM (cpas)
12: 7f800000 (f5b392c0) (ffffffff) IP Options Restore (out) (ipopt_res)

SK for FW monitor is much more fine than in the past. So try to look there for examples and syntax - sk30583

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events