How to Debug
Your Host
Warren Verbanec: UC Davis graduate, Silicon Valley local, two years in Nokia's Product Line Support group
Hello Everybody!
Diffie-Hellman is key!
Remember, the problem is not just encrypting the messages; it's keeping your keys safe in the long term.
This is accomplished in IPSec by renegotiating keys often, which compartmentalizes the encryption and the data exchange: a key that is compromised only exposes the traffic it protected. This means that fresh secret keys must be agreed on often.
Diffie-Hellman key exchange defines how two gateways use public/private key pairs, generated on the spot, to agree on a shared secret over an untrusted network; the symmetric keys for the tunnel are derived from that secret rather than sent across the wire. D-H group numbers define the size, and therefore the strength, of the modular group used for the exchange. Check Point just added new Group support in HFA 55_10.
AH
In the operational mode used in VPNs (tunnel mode), AH takes the whole original IP packet (header and all), prepends an AH header carrying an integrity check value computed over the packet, and then adds a new outer IP header. Note that AH authenticates but does not encrypt anything; the inner packet is still readable on the wire. This process is performed at a VPN gateway, and is undone at the terminating gateway at the other end of the secure tunnel. AH uses IP protocol 51, so it is neither UDP nor TCP. AH is not too relevant in the Check Point world.
More AH
AH has several fields in its header:
Security Parameter Index (SPI) is a numeric identifier that specifies a particular logical connection.
This SPI is tracked on the gateways along with the parameters associated with it (hash algorithm, bulk encryption algorithm for ESP, and other parameters). The receiver uses the SPI in the packet to look up which keys and algorithms to apply.
ESP
ESP is used for the bulk encryption.
It is basically an encrypted payload inside an integrity wrapper: an authentication value (a keyed hash such as HMAC-MD5 or HMAC-SHA1, not a PKI signature) follows the ESP trailer and proves the packet was not altered in transit. ESP uses IP protocol 50 for transport; this is what you commonly see in packet traces of tunnel traffic. Its header has an SPI field, like AH, and a sequence number. The sequence number is always present, but checking it for replays is optional on the receiving side. ESP is the core method for bulk VPN data transmission with Check Point.
ESP again
A new term: each logical session that utilizes a unique SPI is referred to as a security association, or SA. And to clarify: AH verifies the integrity of the whole packet, outer IP header included, while ESP carries the encrypted data and, when an authentication algorithm is negotiated (as it normally is), also verifies the integrity of its own header and payload. You will generally see a single ESP packet for each encrypted packet inside the tunnel.
IKE
IKE is the glue that binds ESP and AH. It is the protocol that handles the initial key exchanges between gateways on either side of a VPN tunnel, and it defines the parameters utilized for an SA. The number of parameters that can be defined by the IKE process is staggering, but Check Point only uses a small subset.
SAs
SAs are the heart of debugging a VPN tunnel. If you understand the IKE initialization process, you will be able to track where individual SAs are breaking. SAs are unidirectional (why is this never mentioned anywhere?): a working tunnel has at least two Phase Two SAs, one inbound and one outbound, each with its own SPI. Remember: the SPI is the actual number we are referring to when we look at SAs.
IKE Phases
Phase One does the work of exchanging and negotiating the parameters that will be used, and sets up the protected channel inside which Phase Two runs.
It can be done the full Main Mode way, or in an abbreviated Aggressive Mode, where some protective steps are skipped: the identities and the authentication hash are sent before the channel is encrypted, which with pre-shared keys exposes that hash to offline password guessing. Aggressive Mode is not recommended, as it doesn't really save you much time (IKE is done irregularly).
Phase Two (aka Quick Mode) is used to negotiate the SAs that will be used for later communication.
Quick Mode does not mean the same thing as Aggressive Mode.
IKE Parameters
Check Point gateways require the following information to be set for each tunnel:
Bulk encryption algorithm for the ESP session
Hash algorithm used in the IKE authentication
Diffie-Hellman group to be used
What the authentication source will be: certificate or shared secret
Other miscellaneous stuff (SA definitions on a per-network basis, etc.)
IKE packets
When you sniff IKE, youll usually see:
Six packets for Phase One Main Mode
Three for the forbidden Aggressive Mode
Three or four packets for Phase Two
These steps are computation-intensive (the Diffie-Hellman exponentiations), and so they take a while. An aside: what is Perfect Forward Secrecy? It is a fresh Diffie-Hellman exchange inside Quick Mode, so that a later compromise of the Phase One keys does not expose the Phase Two session keys. It is nothing you need for this walk-through, but it is one more setting that must match on both ends, or Phase Two will fail.
Tunnel Test?
At the end of IKE establishment, vpnd attempts to send some ICMP traffic across the tunnel. If the packet does not arrive, or if the IP addresses are mangled (not encrypted when sent, etc.), the gateway reports "tunnel test failed". This often fails due to NAT or encryption-domain issues. What is an encryption domain? The set of network addresses that are defined to be available on one side of a particular tunnel.
Its 2AM
So, your VPN's down: what do you do? I personally have a bit of a flowchart I follow, with increasing levels of interference in network operations. That's the real trade-off: what do you reboot, and what will it affect? Often, config is the culprit, but CP is notorious for VPN bugs (although better in R55).
So..What to do?
Check Point provides several tools for debugging VPNs. CLI commands:
vpn debug ikeon is the most valuable. This generates IKE.elg
vpn debug on generates vpnd.elg
Turn them off again (vpn debug ikeoff, vpn debug off) once you have reproduced the failure, since the files keep growing.
IKE.elg is the most important, and Check Point provides a tool for translating its gibberish: IkeView. This is part of the InfoView package available on their support site to CSPs.
Ikeview
Breaks down Phase One and Two on a per-packet basis. Useful for seeing mismatches in configuration (proposal, group, hash, or authentication settings that differ between the two ends). Be sure to use the latest version of InfoView (3.5.3x) available from Check Point. You will need to be a CSP to get access; talk to your Sales rep if you are an enterprise customer.
Next Time
IKE.elg example
Tunnelutil example
Packet trace example
Logging example
What about ClusterXL?
SecureRemote/Client debug
Reporting an issue to Check Point
IPSEC in Depth
IPSEC: RFC 2401-2409, 2451, etc. What does it do?
Encapsulation (optional)
Encryption (optional)
Authentication
Integrity protection
Replay protection
Key management
IP Confidential
Data is signed by the sender in an unforgeable way. More accurately, forging wouldn't work, as the authentication data is verifiable against the sender's key. The key management portion of IKE provides session negotiation and establishment, and sessions can be re-keyed automatically. Authentication can be performed in many ways.
Based on how a packet matches a selector, the gateway will protect (encrypt), drop, or bypass the packet, aka the pass, punt, or play decision.
[Figure: ESP encapsulation. Original packet: IP header | DATA. After ESP: new IP header | ESP Header | original IP header | DATA | ESP Trailer | ESP Auth]
Why padding? Block ciphers such as DES and 3DES in Cipher Block Chaining mode only work on whole blocks (8 bytes), so ESP pads the payload up to a block boundary. The trailer's Pad Length and Next Header fields then tell the receiver how much to strip and what the inner packet is.
Initialization Vector?
In order to prevent repeated patterns in your ciphertext, the first block is mixed with some random data before encryption; without this, the same input always gives the same output, which is easy to spot and attack. In ESP that random data is the Initialization Vector: a fresh per-packet value sent in the clear at the front of the encrypted payload, which CBC then chains into every following block. Do not derive it from the previous packet. The IV must be unpredictable; reusing the last ciphertext block of the prior packet as the next IV lets an attacker who can inject chosen plaintext test guesses about earlier blocks (the chained-IV weakness later exploited against TLS 1.0).
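As an added example (not code from the talk or from Check Point), the following script puts the ESP pieces discussed above together: the SPI and sequence number sent in the clear, a per-packet IV, CBC chaining, the RFC 2406 padding trailer, an HMAC-SHA1-96 integrity check value, and a receive-side anti-replay window. The 8-byte "block cipher" is a deliberately trivial XOR stand-in for 3DES so that the script runs with only the standard library; it is not secure and exists only to make the padding, IV and integrity behaviour visible. The inner IP packet and all keys are constructed values.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 8      # DES/3DES block size; ESP pads the payload to a multiple of this
ICV_LEN = 12   # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits (RFC 2404)
NEXT_HEADER_IPIP = 4   # tunnel mode: the plaintext is a whole IP packet


def toy_block(key, block):
    """Stand-in for the 3DES block operation (XOR with an 8-byte key). NOT a
    cipher; it only lets the CBC/IV/padding mechanics run with the stdlib."""
    return bytes(a ^ b for a, b in zip(block, key))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block(key, xor(plaintext[i:i + BLOCK], prev))  # C_i = E(P_i ^ C_i-1)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(xor(toy_block(key, blk), prev))                # P_i = D(C_i) ^ C_i-1
        prev = blk
    return b"".join(out)


def esp_pad(payload, next_header):
    """ESP trailer (RFC 2406 section 2.4): padding bytes 1,2,3,..., then
    Pad Length and Next Header, sized so the result is block aligned."""
    pad_len = (-(len(payload) + 2)) % BLOCK
    return payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def esp_unpad(plaintext):
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if plaintext[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return plaintext[:-2 - pad_len], next_header


def esp_encap(spi, seq, enc_key, auth_key, inner_packet, iv=None):
    """Build SPI | Seq | IV | ciphertext | ICV. SPI and sequence number travel
    in the clear, which is why a packet trace lets you pick out the SA."""
    if iv is None:
        iv = os.urandom(BLOCK)          # fresh, unpredictable IV for every packet
    ciphertext = cbc_encrypt(enc_key, iv, esp_pad(inner_packet, NEXT_HEADER_IPIP))
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]


def esp_ciphertext(packet):
    """The encrypted portion only (after SPI, Seq and IV; before the ICV)."""
    return packet[8 + BLOCK:-ICV_LEN]


class InboundSA:
    """One direction of one tunnel: its SPI, keys and anti-replay state."""

    def __init__(self, spi, enc_key, auth_key, window=64):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.window, self.highest, self.seen = window, 0, set()

    def decap(self, packet):
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):   # verify before decrypting
            raise ValueError("ICV mismatch")
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI 0x%08x" % spi)
        # anti-replay: sliding window over the sequence number (RFC 2401 appendix C)
        if seq <= self.highest - self.window or seq in self.seen:
            raise ValueError("replayed or stale sequence number %d" % seq)
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        iv, ciphertext = body[8:8 + BLOCK], body[8 + BLOCK:]
        return esp_unpad(cbc_decrypt(self.enc_key, iv, ciphertext))


def try_decap(sa, packet):
    """Returns ('ok', (inner, next_header)) or ('drop', reason), like a gateway log line."""
    try:
        return "ok", sa.decap(packet)
    except ValueError as exc:
        return "drop", str(exc)


if __name__ == "__main__":
    enc_key, auth_key = os.urandom(BLOCK), os.urandom(20)
    # constructed inner packet: a minimal IPv4 header followed by 20 bytes of payload
    inner = bytes.fromhex("4500002800010000400100000a0101010a020202") + b"A" * 20
    sa = InboundSA(0x12345678, enc_key, auth_key)
    pkt = esp_encap(0x12345678, 1, enc_key, auth_key, inner)
    print(try_decap(sa, pkt)[0])                                   # ok
    print(try_decap(sa, pkt))                                      # drop: replayed seq 1
    print(try_decap(sa, pkt[:-1] + bytes([pkt[-1] ^ 1])))         # drop: ICV mismatch
```

The receiver checks the ICV before it touches the ciphertext, then the SPI, then the replay window, and only then decrypts and strips the trailer; that ordering is what keeps a forged or replayed packet from reaching the decryption and padding code at all. Encrypting the same inner packet twice with the same IV yields identical ciphertext, which is the pattern leak the IV exists to prevent.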
More details:
You don't really have to use IKE (manual keying):
Enter many large ugly numbers
Keep track of them and keep them secret
Pass them from site to site
Change them secretly
Have fun!
Main Mode
Key exchange uses the Diffie-Hellman method: public/private key pairs generated on the spot are used to agree on a shared secret and so initiate secure communication. The initial packets of Main Mode describe HOW D-H will be used (group, encryption strength, etc.). Not worth going into the math now, but assume that D-H is secure enough to produce the keys used for later communication. Once the keys have been derived from the D-H result, symmetric (non public/private) algorithms like 3DES or AES are used to protect the traffic.
Authentication
After the D-H establishment and the secure key derivation, we tell each other who we are. This can be done with hashed passwords (pre-shared secrets), certificates, or raw public keys; Check Point only supports certificates or pre-shared secrets. The hashing method used with the password is set and negotiated between the gateways, so a mismatched hash algorithm or a mismatched secret shows up as a Phase One failure. Now that we've gone through secure-channel generation and authentication, we can set up some SAs.
QUICK MODE!
Four packets
First packet: a bunch of crypto stuff from the initiator
Second packet: a reply with more crypto stuff from the recipient
Third packet: essentially an ACK from the initiator
Fourth packet: a second ACK to let the initiator know it's OK to start transmitting
QM part 2
The first two packets carry the hash type, the SA type (ESP), and the IP information (encryption domains/selectors). The ACK is itself a hash (HASH(3) in RFC 2409), keyed with the Phase One authentication key over the Quick Mode nonces, so a peer that did not complete Phase One cannot produce it.
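As an added example (not code from the talk or from Check Point), here is the IKEv1 key schedule from RFC 2409 behind the Main Mode, Authentication and Quick Mode slides above, with pre-shared-key authentication: the D-H agreement, SKEYID and SKEYID_d/a/e, the HASH_I/HASH_R check that fails when one side has a different secret, and the per-SA KEYMAT for the inbound and outbound SAs, with and without PFS. The cookies, nonces, identities, SA payload body and secrets are constructed values; the 1024-bit MODP prime is Diffie-Hellman group 2 from RFC 2409 section 6.2, which is far too small for new deployments and appears here only because the talk refers to D-H groups.

```python
import hashlib
import hmac
import secrets

# Diffie-Hellman group 2 (RFC 2409 section 6.2): 1024-bit MODP prime, generator 2.
# Too small by current standards; used here only because the talk speaks of D-H groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PROTO_ESP = b"\x03"   # IPSEC protocol identifier for ESP, used in KEYMAT (section 5.5)


def prf(key, data):
    """With SHA-1 as the negotiated hash, prf is HMAC-SHA1 (RFC 2409 section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1        # fresh private exponent for this exchange
    return x, pow(G, x, P)


def dh_shared(their_public, my_private):
    return pow(their_public, my_private, P).to_bytes(128, "big")   # g^xy as octets


def derive_skeyids(skeyid, gxy, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID_d seeds Phase Two keys, SKEYID_a authenticates
    IKE messages, SKEYID_e encrypts them."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def main_mode(psk_initiator, psk_responder,
              sai_b=b"SA-proposal", idii_b=b"IDii", idir_b=b"IDir"):
    """Run the Phase One key schedule for both gateways with pre-shared-key
    authentication and check HASH_I / HASH_R. Returns (authenticated, SKEYID_d)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies (msgs 1-2)
    ni, nr = secrets.token_bytes(20), secrets.token_bytes(20)       # nonces (msgs 3-4)
    xi, gxi = dh_keypair()                                          # KE payload, msg 3
    xr, gxr = dh_keypair()                                          # KE payload, msg 4
    gxi_b, gxr_b = gxi.to_bytes(128, "big"), gxr.to_bytes(128, "big")
    gxy = dh_shared(gxr, xi)
    assert gxy == dh_shared(gxi, xr)   # the D-H agreement itself always succeeds

    # each side derives SKEYID from the secret IT has configured (section 5.4)
    sk_i = prf(psk_initiator, ni + nr)
    sk_r = prf(psk_responder, ni + nr)
    d_i, _, _ = derive_skeyids(sk_i, gxy, cky_i, cky_r)

    # msgs 5-6: HASH_I and HASH_R prove knowledge of SKEYID, i.e. of the shared secret.
    # A wrong secret or a different hash algorithm on one side fails right here.
    hash_i_sent = prf(sk_i, gxi_b + gxr_b + cky_i + cky_r + sai_b + idii_b)
    hash_i_expected = prf(sk_r, gxi_b + gxr_b + cky_i + cky_r + sai_b + idii_b)
    hash_r_sent = prf(sk_r, gxr_b + gxi_b + cky_r + cky_i + sai_b + idir_b)
    hash_r_expected = prf(sk_i, gxr_b + gxi_b + cky_r + cky_i + sai_b + idir_b)
    ok = (hmac.compare_digest(hash_i_sent, hash_i_expected)
          and hmac.compare_digest(hash_r_sent, hash_r_expected))
    return ok, d_i


def keymat(skeyid_d, spi, ni, nr, gqm_xy=b""):
    """RFC 2409 section 5.5: one KEYMAT per SA. Without PFS gqm_xy is empty and
    the key depends only on SKEYID_d plus values that travel in the clear."""
    return prf(skeyid_d, gqm_xy + PROTO_ESP + spi + ni + nr)


def quick_mode(skeyid_d, spi_in, spi_out, pfs=False):
    """Phase Two. SAs are unidirectional, so each direction gets its own SPI and
    therefore its own key. With PFS a second D-H exchange is folded in."""
    ni, nr = secrets.token_bytes(20), secrets.token_bytes(20)
    gqm_xy = b""
    if pfs:
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        gqm_xy = dh_shared(gxr, xi)
    return {"ni": ni, "nr": nr,
            "in": keymat(skeyid_d, spi_in, ni, nr, gqm_xy),
            "out": keymat(skeyid_d, spi_out, ni, nr, gqm_xy)}


if __name__ == "__main__":
    ok, skeyid_d = main_mode(b"correct horse", b"correct horse")
    print("Phase One with matching secrets:", ok)                                  # True
    print("Phase One with a typo on one side:", main_mode(b"correct horse", b"correct hors")[0])  # False
    qm = quick_mode(skeyid_d, b"\x00\x00\x12\x34", b"\x00\x00\x56\x78")
    print("inbound and outbound SA keys differ:", qm["in"] != qm["out"])           # True
```

Two things to take from it when reading an IKE.elg: the D-H step never "fails" on its own (both sides always get the same g^xy), so a Phase One failure at messages 5 and 6 points at the secret, the hash algorithm, or the identity; and without PFS every Phase Two key is a function of SKEYID_d and values visible on the wire, which is exactly what a fresh Quick Mode D-H exchange removes.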
IkeView (again!)
RFCs: 2408/2409
2408 provides the ISAKMP framework
2409 is the IKE RFC
Both lay out the packet and payload headers in ASCII art, which is what IkeView's per-packet breakdown corresponds to.
Test1-fw can establish a VPN using Simplified to Traditional with Bgs-Cluster. Duplicating the rule base for two active VPNs, bgs-Argentina-fw and bgsSydney-fw, gives the same error as I had received in the past: "Main Mode Validation timed out. Certificate, 0=fwman.smz23x". The initial phase from the remote firewall reports IKE: Mode completion. One thing noticed when comparing bgs-Test1-fw and bgs-Sydney-fw is that after the initial exchange of keys is made, Sydney attempts to connect to the management station using service FW1_ica_services several times, and then the Validation timeout is recorded, with no attempt from the bgs-cluster to connect to the management station at all. When Test1-fw initiates the exchange of keys, Test1-fw and the bgsCluster connect to the management station using the FW1_ica_service.
More troubleshooting..
1. Translation between the new firewall (Sydney R55) and Lowell was not taking place: correct NAT rule, but no IP addresses! (Changed global properties: NAT Manual UNCHECK.) Fixed. *Specified UNCHECK translate client side / Manual NAT
2. FP3 cannot use pre-shared keys with R55.
Current issues
Current issue: Vpnd maxes out and restarts
Fixed in HFA 11 for R55 and HFA03 for R55P. Reason: cyclic group reference. ps -auxw:
USER  PID  %CPU  %MEM  VSZ    RSS    TT  STAT  STARTED  TIME     COMMAND
root  541  81.9  12.5  21596  31636  ??  R     2:02PM   0:41.24  vpnd 0 (vpn)
Cyclic what?
Suppose you have remote user groups, and that you have nested groups within groups (never a good idea):
Group A:
Subgroup 1, Subgroup 2, Subgroup 3
Subgroup 2:
Subgroup P, Subgroup Q, Group A
Group A contains Subgroup 2, which contains Group A again. Expanding the membership therefore never terminates, which is what pins vpnd at the top of ps until it restarts.
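As an added example (not Check Point code, and not its object database format), the following script audits a nested-group definition for exactly the loop above before a gateway has to expand it. The GROUPS dictionary is a constructed stand-in for the objects database using the group names from the slide; names that do not appear as keys are treated as leaf members (users or empty groups).

```python
# Constructed stand-in for the objects database, using the group names from the
# slide. Names not listed as keys are leaves (users or empty groups).
GROUPS = {
    "Group A": ["Subgroup 1", "Subgroup 2", "Subgroup 3"],
    "Subgroup 2": ["Subgroup P", "Subgroup Q", "Group A"],   # refers back to its own parent
}


def find_cycle(groups, start):
    """Depth-first walk of the membership graph. Returns the first cycle found
    as a path (e.g. ['Group A', 'Subgroup 2', 'Group A']) or None."""
    path, on_path = [], set()

    def visit(name):
        if name in on_path:                       # back edge: we are inside ourselves
            return path[path.index(name):] + [name]
        if name not in groups:                    # leaf member, nothing to expand
            return None
        path.append(name)
        on_path.add(name)
        for member in groups[name]:
            cycle = visit(member)
            if cycle:
                return cycle
        path.pop()
        on_path.discard(name)
        return None

    return visit(start)


def flatten(groups, start):
    """The expansion vpnd needs: every leaf member of a group. Refuses to run on
    a cyclic definition instead of recursing until it exhausts the stack."""
    cycle = find_cycle(groups, start)
    if cycle:
        raise ValueError("cyclic group reference: " + " -> ".join(cycle))
    members, todo = set(), [start]
    while todo:
        name = todo.pop()
        for member in groups.get(name, []):
            if member in groups:
                todo.append(member)
            else:
                members.add(member)
    return members


def check_all(groups):
    """One-shot audit: every group that sits on a cycle, with the cycle shown."""
    return {name: find_cycle(groups, name) for name in groups if find_cycle(groups, name)}


if __name__ == "__main__":
    for name, cycle in check_all(GROUPS).items():
        print("%s: %s" % (name, " -> ".join(cycle)))
    # Group A: Group A -> Subgroup 2 -> Group A
    # Subgroup 2: Subgroup 2 -> Group A -> Subgroup 2
```

Run the audit against the group definitions before pushing a policy: a loop that is harmless in the GUI becomes an infinite expansion at the gateway, and the fix is simply to remove the back-reference (here, Group A from Subgroup 2).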
Thank You!