Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
donnie
Explorer

tcpdump for site to site vpn traffic

Jump to solution

Hi all,

 

I am using checkpoint 5600 with R80.1. 

I have configured site to site vpn over internet on this checkpoint firewall with my branch office which is working fine.

To check the traffic, i tried using "tcpdump -ni eth1 host 19.168.1.1" where eth1 is my external interface to the internet but i don't see any attempts "to and fro". My site to site vpn is working. I suppose i am not seeing any traffic using that command because the traffic is encrypted. How do i check using tcpdump or any tcpdump equivalent method so that i can verify the "to and fro" traffic in the event of troubleshooting other than verifying the tunnel (using "vpn tu" command) is up. TIA!

1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion
Champion

Hi @donnie 

use the following CLI command to check the VPN network packets:

# fwaccel off
# fw monirot -e "accept(host=192.168.1.1);"
# fwaccel on

You can find more about fw monitor in my article:
R80.x - cheat sheet - fw monitor

"fw ctl zdebug" is a powertool that is not exhausted from being used with "fw ctl zdebug drop". There is not much to be found in Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, the insert should be used with care. It starts a debugging in the background until it is aborted with CTRL+C. On productive systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.

You can also view this with the following command:

# fw ctl zdebug + monitorall  | grep -A 5 -B 5 "192.168.1.1"

More read here:
"fw ctl zdebug" Helpful Command Combinations

 

 

View solution in original post

4 Replies
HenrikJ
Participant

I am not understanding the exact issue here.

You say the site-to-site tunnel is working?

Easiest way is just to check your normal logs, and see if the traffic you are looking for is being encrypted in the VPN community.

If you see the traffic, but it is not being encrypted in the community, then you'll have to verify that the VPN Domains in the community is correct, so the firewall knows to encrypt it into the tunnel.

I also recommend using fw monitor instead of tcp dump unless needed.
Remember disabling SecureXL before scanning though, as packet acceleration will hide most of the packets.
Please see this awesome post on the syntax (should be " in places where he has used ', just be wary of that).
https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/R80-20-cheat-sheet-fw-monitor/td-...

There's "FW Monitor SuperTool" which makes things easier, and also disables SecureXL if necessary.
https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/FW-Monitor-SuperTool/td-p/60098

Baasanjargal_Ts
Advisor

You can show your encrypted traffic through the site to site VPN. 

First. You can just search "VPN" on a "LOGS and Monitoring" section.

0 Kudos
Reply
HeikoAnkenbrand
Champion
Champion

Hi @donnie 

use the following CLI command to check the VPN network packets:

# fwaccel off
# fw monirot -e "accept(host=192.168.1.1);"
# fwaccel on

You can find more about fw monitor in my article:
R80.x - cheat sheet - fw monitor

"fw ctl zdebug" is a powertool that is not exhausted from being used with "fw ctl zdebug drop". There is not much to be found in Check Point KB or in the documentation. "fw ctl zdebug" is an R&D tool for testing software in development. Therefore, the insert should be used with care. It starts a debugging in the background until it is aborted with CTRL+C. On productive systems it can have a high performance impact. Furthermore, the debug buffer is not the largest.

You can also view this with the following command:

# fw ctl zdebug + monitorall  | grep -A 5 -B 5 "192.168.1.1"

More read here:
"fw ctl zdebug" Helpful Command Combinations

 

 

View solution in original post

Christopher__C2
Employee
Employee

Run tcpdump filtering for the IP address of the VPN peer.  (assuming 19.168.1.1 you attempted filtering for is an internal host).

On the outside interface if the firewall you should see ESP packets to/from the IP addresses of the two VPN gateways, these are the encrypted and encapsulated packets. Possibly a few packets on UDP/500 for periodic key exchanges / updates, and a few when first establishing the tunnel.

But if you see 4-5 packets on UDP/500 every so often (maybe 30 seconds or so), and no ESP packets, it's usually down, there's a problem. (and if you don't see anything, most likely you have a mistake in your tcpdump command).

0 Kudos
Reply