This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
T_L
Contributor
‎2022-06-29 03:56 PM

IPSec VPN Tunnel Initiation

Good Afternoon/ Evening!

I have a two-part-er I hope is a 'simple one' for everyone!

We have a couple dozen 3rd Party/ Interop IPSec tunnels from customers that all terminate on my CP gateway cluster_R81.10 MGT / R80.40 GWs. Outside of the normal interop weirdness that pops up when building them or troubleshooting them from time to time, everything is solid.

We recently set up a new tunnel that was stuck in phase 1 and we were convinced that we were sending the ISAKMP /key install traffic and receiving no response (captures/ debugs, etc)  --  and the techs on the 3rd party side (Fortinet)  believed they were the ones sending the traffic and getting no response. It turned out to be an ISP network issue.

- But it got us wondering how to determine which side is actually the tunnel 'initiator' - or does this concept not really apply?

- And that ties into the second part -- if you are using Smart View to troubleshoot a tunnel that does not appear at all (because it is 'down) - OR, using the CLI and the < vpn tu > commands to troubleshoot, but there are no IKE/ IPSec SAs for the specific tunnel - Is there any manual intervention that can be taken?   You can't reset a tunnel that is not there -- and you can't delete any IKE/IPsec SAs that are not there. 

Thanks!!

0 Kudos
3 Replies
the_rock
Legend
Legend
‎2022-06-29 05:53 PM

Well, if tunnel is not initiating, doing a reset wont do anything. You can rung below debug and review ike.elg file

from gw expert mode ->

vpn debug trunc

vpn debug ikeon

generate traffic

vpn debug ikeoff

Check $FWDIR/log dir for ike.elg and vpnd* files

Andy

0 Kudos
T_L
Contributor
‎2022-06-29 08:01 PM
In response to the_rock

We run those with all standard IPSec tunnel troubleshooting.  When we view the files we can see that our side is sending the phase 1 traffic - and that data corresponds to the packet captures that we run concurrently.

 

 

0 Kudos
Vladimir
Champion
Champion
‎2022-06-29 08:31 PM

Imho, the concept of initiator should not really apply when we are talking about ability to establish tunnel.

The de facto initiator is another matter, as it should be the client side.

In terms of what you can see in the logs before the tunnel is established, I'd look for any traffic between public IPs of your gateway and that of interoperable device. It may help to increase the granularity of logs to milliseconds (there is an sk for that).

If the first connection is an inbound one, it is them that initiate the traffic, if it is outbound, it's you.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events