Cpug Ike1 Tutorial

Apr 06, 2018

Turenne Azevedo
  • 8/2/2019 Cpug Ike1 Tutorial

    CPUG: THE CHECK POINT USER GROUP

    How to Debug IKE and IPSEC: An Abbreviated Guide

    By Warren Verbanec

    Your Host

    Warren Verbanec

    UC Davis graduate

    Silicon Valley local

    Two years in Nokia's Product Line Support group

    Hello Everybody!

    Goals for tonight

    Eat free food

    Win raffle

    Discuss how Check Point implements IKE and IPSec

    Review available troubleshooting tools

    Provide practical examples

    First, a bit of review

    What is IKE and IPSEC (in our context)?

    Generally speaking, IKE is a method for securely exchanging encryption ciphers that will be used in a later encrypted session

    IPSec is an overall term used to describe encrypted data communication over IP, using the keys exchanged with IKE

    This is Part One

    IKE and IPSec is a huge topic. There's no feasible way to cover it in of an hour

    Therefore, Part One will provide a basic introduction to only the concepts required to work with Check Point debugging

    Part Two will provide hands-on examples of troubleshooting the application

    Part Two will be presented next month

    What's the big deal?

    These are complex protocols ratified by multiple international bodies

    Lots of configurable parameters

    Generally define a framework for security, while allowing for advances in cryptography

    MD5 collision demonstrates need for expandability

    http://eprint.iacr.org/2004/199.pdf

    Thus, debugging and configuration is hard

    How does encryption work?

    In its basic form, cryptography entails the addition of two messages to make a new, unreadable message

    Message1 + Key Message = Cipher

    If you know the Key Message, you can decode the cipher by subtracting the Key information from the cipher

    Computers are good at this, and can do it very quickly - say, on a packet by packet basis

    But this means that you have to keep the secret key safe

    This makes the process difficult - generally speaking, if you lose the key to the bad guys, ALL information ever encrypted with that key is now readable

    Basic crypto applications

    Algorithms: DES, AES, 3DES

    Used for actual reversible encryption

    Non-entropic, reversible operations

    Requires a unique secret key for the encryptor and decryptor

    Hashes: SHA-1, MD5

    Used to generate a unique mathematical summary value for a given dataset

    Entropic, non-reversible operation

    Used to authenticate a data set

    Can be combined with a secret key value to create a custom Hash - ensures that your hash was created by someone you trust.

    How does SSL differ?

    SSL is based on PKI, which uses public/private key pairs - using entirely different math

    Designed to enable secure transfer of data (like a temporary crypto key) to someone you don't necessarily trust

    IKE/IPSec does not use PKI, as it is inherently less safe - and designed for e-commerce use

    Actually, PKI-like key exchange is used in some limited ways in IKE, but the core of IPSec is not based on public/private key exchange

    A discussion of PKI is beyond the scope of this presentation

    A good PKI tutorial is:

    http://www.opengroup.org/messaging/G260/pki_tutorial.htm

    That being said

    PKI uses public/private key pairs

    Anything encrypted with the private key is readable with the public key

    Anything encrypted with the public key is readable with the private key

    Anything encrypted with the public key is NOT readable with the public key

    The core of IPSec uses a single key - anything encrypted with it is readable only with the same key

    Diffie-Hellman key exchange and PKI certificates are used in IKE and IPSec, but in a limited way by Check Point

    The extent to which public/private key exchange is used in IPSec will be discussed later

    So, how does a Hash fit in?

    A cryptographic hash is used to derive a mathematical summary value for a set of data

    Data hashed with a particular algorithm generates a unique output value

    This value has a one-to-one correlation with its data set - this ensures that if a data set is altered, its hash value will change

    This is good for ensuring data integrity

    Diffie-Hellman is key!

    Remember, the problem is not just encrypting the messages - it's keeping your keys safe in the long term

    This is accomplished by renegotiating keys often in IPSec - this compartmentalizes the encryption and data exchange

    This means that secret keys must be exchanged often

    Diffie-Hellman key exchange defines how to use public/private key pairs to transport your secret keys

    D-H group numbers define the strength of the public/private key encryption used - Check Point just added new Group support in HFA 55_10

    And now, IPSec!

    There are three parts to IPSec:

    AH - authentication header - provides session security at a sophisticated level by checking data integrity and protecting against replay attacks

    ESP - encapsulating security payload - provides the bulk data encryption method

    IKE - handles the exchange of secret keys used in the prior two categories

    AH

    In the operational mode used in VPNs, AH wraps an IP packet (header and all) in an encryption envelope, then adds a new IP header

    This process is performed at a VPN gateway, and is undone at the terminating gateway at the other end of the secure tunnel

    AH uses IP Protocol 51 - so it's not UDP or TCP

    AH is not too relevant to the Check Point world

    More AH

    AH has several fields in its header:

    Security Parameter Index is a numeric identifier that specifies a particular logical connection

    This SPI is tracked on the gateways along with the encryption parameters associated with it (hash algorithm, bulk encryption algorithm, other parameters)

    Sequence number field is used to track individual packets

    Optionally used to protect against replay attacks
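    To show what the receiver actually does with that sequence number, here is the sliding-window replay check from RFC 2401 Appendix C as an added example (not code from the slides or from Check Point); the window size and the sample sequence-number stream are constructed for illustration.

```python
class AntiReplayWindow:
    """Sliding-window replay check for AH/ESP sequence numbers.

    Bitmap scheme from RFC 2401 Appendix C: the window covers the highest
    sequence number accepted so far and the (window - 1) numbers below it;
    bit k of the bitmap is set when (last - k) has already been accepted.
    Constructed teaching example, not Check Point's implementation.
    """

    def __init__(self, window=64):
        if window < 32:
            raise ValueError("RFC 2401 requires a window of at least 32")
        self.window = window
        self.last = 0        # highest sequence number accepted (0 = nothing yet)
        self.bitmap = 0      # bit 0 == self.last, bit k == self.last - k

    def check(self, seq):
        """Return True and record seq if it is fresh; False means drop the packet."""
        if seq == 0:
            return False     # sequence numbers start at 1; zero is never valid
        if seq > self.last:
            # Newer than anything seen: slide the window up to seq.
            shift = seq - self.last
            if shift >= self.window:
                self.bitmap = 1                       # everything old falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.last = seq
            return True
        offset = self.last - seq
        if offset >= self.window:
            return False     # to the left of the window: too old, drop
        if self.bitmap & (1 << offset):
            return False     # bit already set: replayed packet, drop
        self.bitmap |= 1 << offset                    # out of order but fresh
        return True


def replay_filter(seqs, window=64):
    """Run one SA's sequence numbers through a window; return (accepted, dropped)."""
    win = AntiReplayWindow(window)
    accepted, dropped = [], []
    for seq in seqs:
        (accepted if win.check(seq) else dropped).append(seq)
    return accepted, dropped


# Constructed capture of one inbound SA: in-order traffic, a reorder, a replay of
# packet 3, a jump past the whole window, one packet that arrives too late,
# one that is still inside the window, and a zero that is always invalid.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 3, 70, 6, 7, 0]
```

    Running replay_filter(SAMPLE_SEQS) accepts 1, 2, 3, 5, 4, 70, 7 and drops the replayed 3, the too-old 6 and the zero; with a 32-bit window, 7 is also too old.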

    ESP

    ESP is used for the bulk encryption

    It's basically an algorithm-encrypted packet inside a PKI signature wrapper for authenticity

    ESP uses IP protocol 50 for the transport - this is what you commonly see in packet traces of tunnel traffic

    Has a SPI field, like AH, as well as the optionally utilized sequence number in its header

    ESP is the core method for bulk VPN data transmission with Check Point

    ESP again

    A new term: Each logical session that utilizes a unique SPI is referred to as a security association or SA

    And to clarify: AH is used by the encryption stack to verify data integrity, while ESP is used to perform the actual transport of the encrypted data

    You will generally see a single ESP packet for each encrypted packet inside the tunnel

    IKE

    IKE is the glue that binds ESP and AH

    It is the protocol that handles the initial key exchanges between gateways on either side of a VPN tunnel

    It defines the parameters utilized for an SA

    The number of parameters that can be defined by the IKE process is staggering - but Check Point only uses a small subset

    SAs

    SAs are the heart of debugging a VPN tunnel

    If you can understand the IKE initialization process, you will be able to track where individual SAs are breaking

    SAs are unidirectional (why is this never mentioned anywhere?)

    Remember: the SPI is the actual number we are referring to when we look at SAs

    Understanding IKE Better

    IKE is a collective term for ISAKMP and Oakley

    IKE establishes its own logical SA for its key exchanges, but this one is BIDIRECTIONAL

    IKE uses UDP port 500, although you can force the use of TCP

    NOTE: IKE generally cannot be NATted, as the IP addresses used by each participating gateway are tracked, and NAT looks like a replay attack

    But this only applies to NAT of the IPSec traffic itself (post-encryption). Traffic can be NATted by the firewall prior to being encrypted

    However, many problems can occur while defining NATted encryption domains

    The guts of key exchange

    Sending Gateway determines a packet needs to be encrypted

    Sending Gateway opens an IKE session with the Receiving gateway - this step defines the IKE SA

    Diffie-Hellman key exchange uses hashing of a certificate or shared secret to authenticate each gateway, and sets up a public/private data exchange channel

    Sending and Receiving Gateways exchange protocol settings, algorithm settings, and secret keys using PKI

    A new IPSec SA is defined for the ESP tunnel, and data begins to be transferred

    New term: Selector - a logical construct similar to a route, that allows the gateway to determine if an inbound packet is to be encrypted and passed over a particular SA

    IKE Phases

    Phase One is used to actually do the work of exchanging and negotiating the parameters that will be used

    Can be done in the full Main Mode way, or an abbreviated Aggressive Mode, where some encryption security steps are skipped.

    Aggressive Mode is not recommended, as it doesn't really save you much time (IKE is done irregularly)

    Phase Two (aka Quick Mode) is used to negotiate the SAs that will be used for later communication

    Quick Mode does not mean the same thing as Aggressive Mode

    IKE Parameters

    Check Point gateways require the following information to be set for each tunnel:

    Bulk encryption algorithm for the ESP session

    Hash algorithms used in the IKE authentication

    Diffie-Hellman group to be used

    What the authentication source will be: Certificate or Shared Secret

    Other miscellaneous stuff (SA definitions on a per-network basis, etc.)

    IKE packets

    When you sniff IKE, you'll usually see:

    Six packets for Phase One Main Mode

    Three for the forbidden Aggressive Mode

    Three or four packets for Phase Two

    These steps are computation-intensive, and so they take a while

    An aside: what is Perfect Forward Secrecy? Nothing you need.

    Tunnel Test?

    At the end of IKE establishment, vpnd attempts to send some ICMP traffic across the tunnel. If the packet does not arrive, or if the IP addresses are mangled (not encrypted when sent, etc.), the gateway will report "tunnel test failed"

    This often fails due to NAT or encryption domain issues

    What is an encryption domain? The set of network addresses that are defined to be available on one side of a particular tunnel

    A final word on SAs

    SAs have a lifetime. The protocol specification itself recommends several ways of doing this. Some vendors (Cisco) have calculated lifetimes on an amount-of-traffic-across-the-tunnel basis. Check Point and most everyone else does it on a time-since-session-establishment basis

    The point of having a lifetime is to force renegotiation of the secret keys on a regular basis - thus increasing security

    Any gateway that participates in an IPSec session can manually end its own SAs

    A bit more explanation..

    Certificates are part of PKI, but you can use them to authenticate a gateway in IKE

    This is a limited utilization of PKI - and the certificates are typically not public CA generated

    Certificates are generally a better method of security, as they have a set expiration date, and can be tracked centrally at a CA

    Also, certificates are a larger data set from which the authentication hash is generated - thus increasing security

    It's 2AM

    So, your VPN's down... what do you do?

    I personally have a bit of a flowchart I follow, with increasing levels of interference in network operations

    That's the real trade-off... what do you reboot, and what will it affect?

    Often, config is the culprit, but CP is notorious for VPN bugs (although better in R55)

    Bugs? What Bugs?

    R55_10-14 FireWall-1

    When a large database was employed, vpnd utilized 100% of the CPU and then exited during:

    initialization

    policy install,

    simultaneous IKE with many DAIP objects.

    So.. What to do?

    Check Point provides several tools for debugging VPNs

    CLI commands:

    vpn debug ikeon is the most valuable. This generates IKE.elg

    vpn debug on generates vpnd.elg

    IKE.elg is the most important - and Check Point provides a tool for translating its gibberish: Ikeview

    This is part of the infoview package available on their support site to CSPs

    Ikeview

    Breaks down Phase One and Two on a per-packet basis

    Useful for seeing mismatches in configuration

    Be sure to use the latest version of Infoview (3.5.3x) available from Check Point

    You will need to be a CSP to get access - talk to your Sales rep if you are an enterprise customer

    Out of time? Uh-Oh

    Perform vmstat and ps aux to see if vpnd is hogging resources

    If so, HUP vpnd, or reboot both gateways on either side of the tunnel

    The vpn tunnelutil command allows you to view and clear SAs manually from Check Point's tables

    IKE_SA_table for IKE

    Inbound_SPI and Outbound_SPI for IPSEC

    Tunnelutil is downloadable for early FW-1 versions

    Next Time

    IKE.elg example

    Tunnelutil example

    Packet trace example

    Logging example

    What about ClusterXL?

    SecureRemote/Client debug

    Reporting an issue to Check Point

    This is the next time

    Where do we begin?

    Start with some graphical examples of IKE and IPSEC

    Look at some ike.elg and vpnd.elg files

    See two firewalls set up a tunnel

    Look at some packet traces

    Review some relevant sk articles

    Look at an actual troubleshooting process

    IPSEC in Depth

    IPSEC: RFC 2401-2409, 2451, etc.

    What does it do?

    Encapsulation (optional)

    Encryption (optional)

    Authentication

    Integrity Protection

    Replay Protection

    Key Management

    IP Confidential

    Data is signed by the sender in an unforgeable way

    More accurately, forging wouldn't work, as signatures are verifiable against the creator

    The Key management portion of IKE provides session negotiation and establishment, and sessions can be re-keyed automatically

    Authentication can be performed in many ways

    The key is the selector

    A selector is a combination of parameters that allows a gateway to define how it wishes to deal with inbound traffic

    Selectors include:

    IP address or address range

    A particular IP protocol number (UDP, OSPF)

    A particular IP port number (500, 5000, etc)

    Based on how a packet matches a selector, the gateway will protect (encrypt), drop, or bypass the packet

    Aka the pass, punt, or play decision

    Let's get to the authentication

    ESP is used by Check Point almost exclusively

    Here's how it looks in Tunnel Mode:

    [Figure: ESP tunnel mode]
    Original packet: IP Header | IP DATA
    Tunnelled packet: New IP Header | ESP Header | Old IP Header | IP DATA | ESP Trailer | ESP Auth
    (Old IP Header through ESP Trailer: Authenticated and Encrypted)

    What does the header look like? Here's a picture:

    [Figure: ESP packet fields]
    NEW IP HEADER
    ESP Header: Security Parameter Index, Sequence Number, Initialization Vector
    Encapsulated (encrypted) packet: IP Header, UDP header (or whatever), Data
    ESP Trailer: padding, pad length
    ESP Authentication

    Why padding? Some algorithms (DES) require specific block sizes for Cipher Block Chaining, which speeds encryption.
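    To make the two ESP pictures above concrete, here is an added example (not code from the slides or from Check Point) that builds and parses an ESP tunnel-mode packet: outer IP header with protocol 50, SPI, sequence number, the encapsulated IP header and data, the padding and pad-length trailer, and an HMAC-SHA1-96 ESP Auth value. It uses NULL encryption (RFC 2410) so the trailer stays readable; the key, addresses and inner packet are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50      # protocol number in the outer IP header (what a packet trace shows)
ICV_LEN = 12        # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits
NEXT_IPV4 = 4       # tunnel mode: the encapsulated header is a whole IPv4 header


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; this never touches a wire)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_esp_tunnel(spi, seq, inner, auth_key, gw_src, gw_dst, block=8):
    """Wrap an inner IP packet in ESP tunnel mode with NULL encryption (RFC 2410),
    so the trailer stays readable: SPI | Seq | inner | pad | pad len | next hdr | ICV."""
    pad_len = (block - (len(inner) + 2) % block) % block   # pad to the cipher block size
    padding = bytes(range(1, pad_len + 1))                 # RFC 2406 default pad 1,2,3,...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, NEXT_IPV4])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    esp = body + icv
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def parse_esp_tunnel(packet, auth_key):
    """Check the outer header, verify the ICV, then peel the ESP header and trailer."""
    if len(packet) < 20 + 8 + 2 + ICV_LEN:
        raise ValueError("packet too short to be ESP")
    if packet[9] != ESP_PROTO:
        raise ValueError(f"outer protocol {packet[9]} is not ESP (50)")
    esp = packet[20:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    # ESP Auth covers everything from the SPI to the end of the trailer.
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP authentication failed (bad ICV)")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_hdr = body[-2], body[-1]
    payload = body[8:-2]
    if pad_len > len(payload):
        raise ValueError("pad length larger than payload")
    inner = payload[:len(payload) - pad_len]
    return {"outer_src": socket.inet_ntoa(packet[12:16]),
            "outer_dst": socket.inet_ntoa(packet[16:20]),
            "spi": spi, "seq": seq, "pad_len": pad_len, "next_header": next_hdr,
            "inner_proto": inner[9] if len(inner) >= 20 else None, "inner": inner}


def authenticates(packet, auth_key):
    """True when the packet parses and its ICV verifies, False otherwise."""
    try:
        parse_esp_tunnel(packet, auth_key)
        return True
    except ValueError:
        return False


# Constructed sample: a 4-byte payload behind an inner IPv4 header (protocol 17, UDP),
# tunnelled between two gateway addresses from the documentation ranges.
AUTH_KEY = b"\x11" * 20
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 17, 4) + b"DATA"
SAMPLE = build_esp_tunnel(0xC0DE, 7, INNER, AUTH_KEY, "192.0.2.1", "198.51.100.1")


def tampered_sample():
    """Flip one bit of the encapsulated data; the ICV check must reject the packet."""
    flipped = bytearray(SAMPLE)
    flipped[20 + 8 + 20] ^= 0x01    # outer hdr + ESP hdr + inner hdr = first byte of DATA
    return bytes(flipped)
```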

    Initialization Vector?

    In order to prevent similarities in your cipher, it's a good idea to mix some data from the last packet into the current packet. This prevents the same input from giving you the same output all the time (easy to break)

    The Initialization Vector is a chunk of the prior packet's data that is fed into the next packet's data to jumble the output

    OK - now for the meat..

    IKE: RFC 2401

    Uses SAs to track conversations

    Three things are tracked by IKE:

    Authentication algorithm and keys

    Encryption algorithm and keys

    Lifetimes for the encrypted conversations

    A selector is also defined in order to specify what traffic the SA applies to

    More details:

    You dont really have to use IKE:

    Enter many large ugly numbers

    Keep track of them and keep them secret

    Pass them from site to site

    Change them secretly

    Have fun!

    Down to the packet level:

    As we mentioned before, there are two modes of operation: Main Mode and Quick Mode

    Main Mode authenticates and decides on the encryption algorithms

    Quick Mode actually defines the tunnels, exchanges the keys, and establishes the SAs

    Remember: IKE SAs are bidirectional, AH/ESP SAs are unidirectional

    Main Mode

    Key exchange uses the Diffie-Hellman method: public/private key pairs generated on the spot are used to initiate secure communication

    The initial packets of Main Mode describe HOW D-H will be used (encryption strength, etc).

    Not worth going into the math now, but assume that DH is secure enough to pass the keys used for later communication

    Once the secure keys are passed over the D-H link, then symmetric (non public/private) algorithms like 3DES or AES are used to pass the secure traffic

    Nuts and Bolts

    Once the DH parameters are exchanged, then the key generation begins

    Long computations to generate pseudo-random numbers, which are used as temporary keys

    At this point, a secure channel has been created, keys have been defined, and the gateways can now enjoy a secure link... but..

    NO AUTHENTICATION HAS TAKEN PLACE

    Authentication

    After the DH establishment, after secure key generation and exchange, we tell each other who we are

    Can be done with hashed passwords, certificates, or raw public keys

    Check Point only supports certs or passwords

    The hashing method used for the passwords is set and negotiated between the gateways

    Now that we've gone through secure channel generation and authentication, we can set up some SAs

    QUICK MODE!

    Four packets

    First packet: a bunch of crypto stuff from initiator

    Second packet: a reply with more crypto stuff from the recipient

    Third packet: Essentially an ACK from the initiator

    Fourth packet: a second ACK to let the initiator know it's ok to start transmitting

    QM part 2

    [Figure: Quick Mode exchange, in packet order]
    Initiator to responder: Hash type, SA type (ESP), IP information (encryption domains/selectors)
    Responder to initiator: Hash type, SA type (ESP), IP information (encryption domains/selectors)
    Initiator to responder: ACK HASH
    Responder to initiator: Optional return HASH

    A bit more on selectors

    Defines netmask granularity (0 to 32 bit)

    Can define port granularity

    The selector will show Protect for all traffic in the tunnel... otherwise it wouldn't be there!
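    The selector slides above ("The key is the selector" and this one) describe a lookup: match a packet on address range, protocol and port, then protect, drop or bypass it. Here is that lookup as an added example, not code from the slides or from Check Point; the selector table, its networks and the packets are constructed, and the first-match-wins order and the drop-by-default fallback are assumptions modelled on RFC 2401.

```python
from ipaddress import ip_address, ip_network

# Constructed selector table for one gateway (a teaching example, not Check Point's
# object model).  Each entry is (destination network, IP protocol, port, action);
# None means "any".  First match wins, like a rulebase.  The actions are the
# "pass, punt, or play" outcomes from the slide: PROTECT = encrypt into the tunnel,
# BYPASS = forward in the clear, DISCARD = drop.
SELECTORS = [
    ("10.20.5.7/32", 1, None, "DISCARD"),     # 32-bit mask: no ICMP to this one host
    ("10.20.0.0/16", 17, 500, "BYPASS"),      # port granularity: IKE is never tunnelled
    ("10.20.0.0/16", 1, None, "PROTECT"),     # ICMP to the remote encryption domain
    ("10.20.0.0/16", 6, None, "PROTECT"),     # TCP to the remote encryption domain
    ("10.20.0.0/16", 17, None, "PROTECT"),    # UDP to the remote encryption domain
    ("10.20.0.0/16", None, None, "DISCARD"),  # anything else for the domain: drop, never leak
    ("0.0.0.0/0", None, None, "BYPASS"),      # 0-bit mask: outside every encryption domain
]


def lookup(dst, proto, port=None, selectors=SELECTORS):
    """Return the action of the first selector that matches (dst, proto, port)."""
    addr = ip_address(dst)
    for net, sel_proto, sel_port, action in selectors:
        if addr not in ip_network(net):
            continue
        if sel_proto is not None and sel_proto != proto:
            continue
        if sel_port is not None and sel_port != port:
            continue
        return action
    return "DISCARD"   # RFC 2401 default: traffic matching no selector is dropped


def classify(packets, selectors=SELECTORS):
    """Label a list of (dst, proto, port) tuples with their pass/punt/play outcome."""
    return [(dst, proto, port, lookup(dst, proto, port, selectors))
            for dst, proto, port in packets]
```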

    Ending the tunnel..

    IKE can use a Delete message to kill an SA, or vendors can use extensions of the Notify message to describe error states

    Check Point uses Notify often

    SAs can be killed after a time or volume-based parameter elapses

    Can cause vendor issues

    IkeView (again!)

    RFCs: 2408/2409

    2408: provides ISAKMP framework

    2409: IKE RFC

    Both provide ASCII header framework

    Case Study - Bogus.com

    User is having problems getting point to point VPN to establish between gateways running traditional mode and simplified mode VPN configs.

    First thought: run vpn tu (both ways) to force manual tunnel establishment, while debugging. This should force a tunnel entry in the debugs - ensure that certificates are really being used

    Determined that pre-shared secret was enabled on one of the gateways

    Test1-fw can establish a VPN using Simplified to Traditional with Bgs-Cluster. Duplicating the rulebase for two active VPN's, bgs-Argentina-fw and bgs-Sydney-fw, gives the same error as I had received in the past. "Main Mode Validation timed out. Certificate, 0=fwman.smz23x". The initial phase from the remote firewall reports IKE: Mode completion. One thing noticed when comparing bgs-Test1-fw and bgs-Sydney-fw is that after the initial exchange of keys is made, Sydney attempts to connect to the management station using service FW1_ica_services several times and then the Validation time out is recorded, and there is no attempt from the bgs-cluster to connect to the management station at all.. When test1-fw initiates the exchange of keys, the Test1-fw and the bgs-Cluster connect to the management station using the FW1_ica_service.

    More troubleshooting..

    1. Translation between new firewall (Sydney R55) and Lowell was not taking place - correct NAT rule, but no IP Addresses! (Changed global properties - NAT Manual UNCHECK) Fixed. *Specified UNCHECK translate client side / Manual NAT

    2. FP3 cannot use pre-shared secrets with R55.

    Current issues

    Current issue: vpnd maxes out and restarts

    Fixed in HFA 11 for R55 and HFA03 for R55P

    Reason: Cyclic group reference

    ps -auxw:

    USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
    root 541 81.9 12.5 21596 31636 ?? R 2:02PM 0:41.24 vpnd 0 (vpn)

    Cyclic what?

    Suppose you have remote user groups, and that you have nested groups within groups (never a good idea)

    Group A:
      Subgroup 1
      Subgroup 2
      Subgroup 3

    Subgroup 2:
      Subgroup P
      Subgroup Q
      Group A
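    The nesting above is a graph with a cycle (Group A contains Subgroup 2, which contains Group A), which is why expanding it never terminates. As an added example (not code from the slides or from Check Point's object database), here is a check that finds the cycle by depth-first walk and refuses to expand a cyclic group instead of spinning; the group and user names are constructed to mirror the slide.

```python
# Constructed group definitions mirroring the slide: Subgroup 2 lists Group A
# as a member, so a naive expansion of Group A never terminates.  Teaching
# example; the user names are made up.
GROUPS = {
    "Group A": ["Subgroup 1", "Subgroup 2", "Subgroup 3"],
    "Subgroup 2": ["Subgroup P", "Subgroup Q", "Group A"],
    "Subgroup 1": ["alice", "bob"],
    "Subgroup 3": ["carol"],
    "Subgroup P": ["dave"],
    "Subgroup Q": ["erin"],
}


def find_cycle(groups, start):
    """Return the membership path that loops back on itself, or None.

    Depth-first walk carrying the current path: meeting a group that is already
    on the path means the nesting is cyclic, and the returned list shows where."""
    def walk(name, path):
        if name in path:
            return path[path.index(name):] + [name]
        if name not in groups:          # a user, not a group: leaf, nothing to expand
            return None
        for member in groups[name]:
            found = walk(member, path + [name])
            if found:
                return found
        return None
    return walk(start, [])


def expand_members(groups, start):
    """Flatten a group to its users, refusing cyclic definitions instead of looping."""
    cycle = find_cycle(groups, start)
    if cycle:
        raise ValueError("cyclic group reference: " + " -> ".join(cycle))
    users, stack = set(), [start]
    while stack:
        name = stack.pop()
        if name in groups:
            stack.extend(groups[name])
        else:
            users.add(name)
    return sorted(users)


def break_cycle(groups, cycle):
    """Return a copy of the definitions with the closing edge of `cycle` removed."""
    fixed = {g: list(members) for g, members in groups.items()}
    parent, child = cycle[-2], cycle[-1]
    fixed[parent] = [m for m in fixed[parent] if m != child]
    return fixed
```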

    Thank You!