8/2/2019 Cpug Ike1 Tutorial
1/58
CPUG: THE CHECK POINT USER
GROUP
How to Debug
IKE and IPSECAn Abbreviated Guide
ByWarren Verbanec
8/2/2019 Cpug Ike1 Tutorial
2/58
Your Host
Warren Verbanec
UCDavis graduate
Silicon Valley Local Two years in Nokias
Product LineSupport group
Hello Everybody!
8/2/2019 Cpug Ike1 Tutorial
3/58
Goals for tonight
Eat free food
Win raffle
Discuss how Check Point implementsIKE and IPSec
Review available troubleshooting tools
Provide practical examples
8/2/2019 Cpug Ike1 Tutorial
4/58
First, a bit of review
What is IKE and IPSEC (in our context)?
Generally speaking, IKE is a method for
securely exchanging encryption ciphersthat will be used in a later encryptedsession
IPSec is an overall term used to describeencrypted data communication over IP,using the keys exchanged with IKE
8/2/2019 Cpug Ike1 Tutorial
5/58
This is Part One
IKE and IPSec is a huge topic. Theres nofeasible way to cover it in of an hour
Therefore, Part One will provide a basicintroduction to only the concepts required towork with Check Point debugging
Part Two will provide hands-on examples oftroubleshooting the application
Part Two will be presented next month
8/2/2019 Cpug Ike1 Tutorial
6/58
Whats the big deal?
These are complex protocols ratified bymultiple international bodies
Lots of configurable parameters Generally define a framework for security,
while allowing for advances in cryptography
MD5 collision demonstates need for expandability
http://eprint.iacr.org/2004/199.pdf
Thus, debugging and configuration is hard
http://eprint.iacr.org/2004/199.pdfhttp://eprint.iacr.org/2004/199.pdf8/2/2019 Cpug Ike1 Tutorial
7/58
How does encryption work?
In its basic form, cryptography entails the addition oftwo messages to make a new, unreadable message
Message1 + Key Message = Cipher
If you know the Key Message, you can decode the
cipher by subtracting the Key information from thecipher
Computers are good at this, and can do it veryquickly- say, on a packet by packet basis
But this means that you have to keep the secret keysafe
This makes the process difficult- generally speaking,if you lose the key to the bad guys, ALL informationever encrypted with that key is now readable
8/2/2019 Cpug Ike1 Tutorial
8/58
Basic crypto applications
Algorithms: DES, AES, 3DES
Used for actual reversible encryption
non-entropic, reversible operations
Requires a unique secret key for the encryptor anddecryptor
Hashes: SHA-1, MD5
Used to generate a unique mathematical summary valuefor a given dataset
Entropic, non-reversible operation Used to authenticate a data set
Can be combined with a secret key value to create acustom Hash- ensures that your hash was created bysomeone you trust.
8/2/2019 Cpug Ike1 Tutorial
9/58
How does SSL differ?
SSL is based on PKI, which uses public/private keypairs- using entirely different math
Designed to enable secure transfer of data (like atemporary crypto key) to someone you dont
necessarily trust IKE/IPSec does not use PKI, as it is inherently less
safe- and designed for e-commerce use
Actually, PKI-like key exchange is used in somelimited ways in IKE, but the core of IPSec is notbased on public/private key exchange
A discussion of PKI is beyond the scope of thispresentation
A good PKI tutorial is:
http://www.opengroup.org/messaging/G260/pki_tutorial.htm
8/2/2019 Cpug Ike1 Tutorial
10/58
That being said PKI uses public/private key pairs
Anything encrypted with the private key is readable with thepublic key
Anything encrypted with the public key is readable with theprivate key
Anything encrypted with the public key is NOT readable withthe public key
The core of IPSec uses a single key- anything encrypted with itis readable only with the same key
Diffie-Hellman key exchange, and PKI certificates are used inIKE and IPSec, but in a limited way by Check Point
The extent to which public/private key exchange is used inIPSec will be discussed later
8/2/2019 Cpug Ike1 Tutorial
11/58
So, how does a Hash fit in?
A cryptographic hash is used to derive amathematical summary value for a set ofdata
Data hashed with a particular algorithmgenerates a unique output value
This value has a one-to-one correlation with
its data set- this ensures that if a data set isaltered, its hash value will change
This is good for ensuring data integrity
8/2/2019 Cpug Ike1 Tutorial
12/58
Diffie-Hellman is key! Remember, the problem is not just encrypting the
messages- its keeping your keys safe in the longterm This is accomplished by renegotiating keys often in IPSec-
this compartmentalizes the encryption and data exchange This means that secret keys must be exchanged often
Diffie-Hellman key exchange defines how to usepublic/private key pairs to transport your secret keys
D-H group numbers define the strength of thepublic/private key encryption used- Check Point justadded new Group support in HFA 55_10
8/2/2019 Cpug Ike1 Tutorial
13/58
And now, IPSec!
There are three parts to IPSec:AH- authentication header- provides
session security at a sophisticated levelby checking data integrity and protectingagainst replay attacks
ESP- encapsulating security payload-
provides the bulk data encryption method IKE- handles the exchange of secret keys
used in the prior two categories
8/2/2019 Cpug Ike1 Tutorial
14/58
AH
In the operational mode used in VPNs, AHwraps an IP packet (header and all) in anencryption envelope, then adds a new IP
header This process is performed at a VPN gateway,and is undone at the terminating gateway atthe other end of the secure tunnel
AH uses IP Protocol 51- so its not UDP orTCP
AH is not too relevant to the Check Pointworld
8/2/2019 Cpug Ike1 Tutorial
15/58
More AH
AH has several fields in its header: Security Parameter Index is a numeric
identifier that specifies a particular logical
connection This SPI is tracked on the gateways along with
the encryption parameters associated with it(hash algorithm, bulk encryption algorithm,other parameters)
Sequence number field is used to trackindividual packets Optionally used to protect against replay attacks
8/2/2019 Cpug Ike1 Tutorial
16/58
ESP
ESP is used for the bulk encryption
Its basically an algorithm-encrypted packet inside
a PKI signature wrapper for authenticity ESP uses IP protocol 50 for the transport- this is
what you commonly see in packet traces of tunneltraffic
Has a SPI field, like AH, as well as the optionallyutilized sequence number in its header
ESP is the core method for bulk VPN datatransmission with Check Point
8/2/2019 Cpug Ike1 Tutorial
17/58
ESP again
A new term: Each logical session that utilizesa unique SPI is referred to as a security
association or SA And to clarify: AH is used by the encryption
stack to verify data integrity, while ESP isused to perform the actual transport of the
encrypted data You will generally see a single ESP packet for
each encrypted packet inside the tunnel
8/2/2019 Cpug Ike1 Tutorial
18/58
IKE IKE is the glue that binds ESP and HA
It is the protocol that handles the initial keyexchanges between gateways on either side
of a VPN tunnel
It defines the parameters utilized for an SA
The number of parameters that can be
defined by the IKE process is staggering- butCheck Point only uses a small subset
8/2/2019 Cpug Ike1 Tutorial
19/58
SAs
SAs are the heart of debugging a VPN tunnel
If you can understand the IKE initialization
process, you will be able to track whereindividual SAs are breaking
SAs are unidirectional (why is this nevermentioned anywhere?)
Remember: the SPI is the actual numberwe are referring to when we look at SAs
8/2/2019 Cpug Ike1 Tutorial
20/58
Understanding IKE Better IKE is a collective term for ISAKMP and Oakley
IKE establishes its own logical SA for its keyexchanges but this one is BIDIRECTIONAL
IKE uses UDP port 500, although you can force theuse of TCP
NOTE: IKE generally cannot be NATted, as the IPaddresses used by each participating gateway aretracked, and NAT looks like a replay attack
But this only applies to NAT of the IPSec traffic itself(post-encryption). Traffic can be NATted by thefirewall prior to being encrypted
However, many problems can occur while definingNATted encryption domains
8/2/2019 Cpug Ike1 Tutorial
21/58
The guts of key exchange
Sending Gateway determines a packet needs to be encrypted
Sending Gateway opens an IKE session with the Receivinggateway- this step defines the IKE SA
Diffie-Hellman key exchange uses hashing of a certificate orshared secret to authenticate each gateway, and sets up apublic/private data exchange channel
Sending and Receiving Gateways exchange protocol settings,algorithm settings, and secret keys using PKI
A new IPSec SA is defined for the ESP tunnel, and data begins
to be transferred New term: Selector- a logical construct similar to a route, that
allows the gateway to determine if an inbound packet is to beencrypted and passed over a particular SA
8/2/2019 Cpug Ike1 Tutorial
22/58
IKE Phases
Phase One is used to actually to the work ofexchanging and negotiating the parameters that willbe used Can be done in the full Main Mode way, or an abbreviated
Aggressive Mode, where some encryption security steps
are skipped. Aggressive mode is not recommended, as it doesnt really
save you much time (IKE is done irregularly)
Phase Two (aka Quick Mode) is used to negotiate theSAs that will be used for later communication Quick Mode does not mean the same thing as aggressive
mode
8/2/2019 Cpug Ike1 Tutorial
23/58
IKE Parameters
Check Point gateways require the followinginformation to be set for each tunnel:
Bulk encryption algorithm for the ESP session Hash algorithms used in the IKE authentication
Diffie-Hellman group to be used
What the authentication source will be: Certificate
or Shared Secret Other miscellaneous stuff (SA definitions on a per-
network basis, etc..)
8/2/2019 Cpug Ike1 Tutorial
24/58
IKE packets
When you sniff IKE, youll usually see: Six packets for Phase One Main Mode
Three for the forbidden Aggressive Mode Three or Four packets for Phase Two
These steps are computation-intensive,and so they take a while
An aside: what is Perfect ForwardSecrecy? Nothing you need.
8/2/2019 Cpug Ike1 Tutorial
25/58
Tunnel Test? At the end of IKE establishment, vpnd
attempts to send some ICMP traffic acrossthe tunnel. If the packet does not arrive, or ifthe IP addresses are mangled (not encryptedwhen sent, etc..), the gateway will report
tunnel test failed
This often fails due to NAT or encryptiondomain issues
What is an encryption domain? The set ofnetwork addresses that are defined to beavailable on one side of a particular tunnel
8/2/2019 Cpug Ike1 Tutorial
26/58
A final word on SAs SAs have a lifetime. The protocol
specification itself recommends several waysof doing this. Some vendors (Cisco) have
calculated lifetimes on a amount of trafficacross the tunnel basis. Check Point andmost everyone else does it on a time sincesession establishment basis
The point of having a lifetime is to forcerenegotiation of the secret keys on a regularbasis- thus increasing security
Any gateway that participates in an IPSec
session can manually end its own SAs
8/2/2019 Cpug Ike1 Tutorial
27/58
A bit more explanation..
Certificates are part of PKI, but you can usethem to authenticate a gateway in IKE
This is a limited utilization of PKI- and thecertificates are typically not public CAgenerated
Certificates are generally a better method of
security, as they have a set expiration date,and can be tracked centrally at a CA
Also, certificates are a larger data set fromwhich the authentication hash is generated-
thus increasing security
8/2/2019 Cpug Ike1 Tutorial
28/58
Its 2AM
So, your VPNs downwhat do you do?
I personally have a bit of a flowchart I follow,
with increasing levels of interference innetwork operations
Thats the real trade-offwhat do you reboot,and what will it effect?
Often, config is the culprit, but CP isnotorious for VPN bugs (although better inR55)
8/2/2019 Cpug Ike1 Tutorial
29/58
Bugs? What Bugs?
R55_10-14 FireWall-1
When a large database
was employed, vpnd
utlilized 100% of the
cpu and then exited
during:
initializaton
policy install,
simulaneous IKE with
many DAIP objects.
8/2/2019 Cpug Ike1 Tutorial
30/58
So..What to do?
Check Point provides several tools for debuggingVPNs
CLI commands:
vpn debug ikeon is the most valuable This generates IKE.elg
vpn debug on generates vpnd.elg
IKE.elg is the most important- and Check Point
provides a tool for translating its gibberish: Ikeview This is part of the infoview package available on their
support site to CSPs
8/2/2019 Cpug Ike1 Tutorial
31/58
Ikeview
Breaks down Phase One and Two on a per-packet basis
Useful for seeing mismatches in configuration Be sure to use the latest version of Infoview
(3.5.3x) available from Check Point
You will need to be a CSP to get access- talkto your Sales rep if you are an enterprisecustomer
8/2/2019 Cpug Ike1 Tutorial
32/58
Out of time? Uh-Oh
Perform vmstat and psaux to see if vpnd is hoggingresources
If so, HUP vpnd, or reboot both gateways on either
side of the tunnel The vpn tunnelutil command allows you to view
and clear SAs manually from Check Points tables
IKE_SA_table for IKE
Inbound_SPI and Outbound_SPI for IPSEC Tunnelutil is downloadable for early FW-1 versions
8/2/2019 Cpug Ike1 Tutorial
33/58
Next Time
IKE.elg example
Tunnelutil example
Packet trace example
Logging example
What about ClusterXL?
SecureRemote/Client debug
Reporting an issue to Check Point
8/2/2019 Cpug Ike1 Tutorial
34/58
This is the next time
Where do we begin?
Start with some graphical examples of IKE
and IPSEC Look at some ike.elg and vpnd.elg files
See two firewalls set up a tunnel
Look at some packet traces Review some relevant sk articles
Look at an actual troubleshooting process
8/2/2019 Cpug Ike1 Tutorial
35/58
IPSEC in Depth
IPSEC: RFC2401-2409, 2451, etc
What does it do?
Encapsulation (optional)
Encryption (optional)
Authentication
Integrity Protection
Replay Protection Key Management
8/2/2019 Cpug Ike1 Tutorial
36/58
IP Confidential
Data is signed by the sender in anunforgeable way
More accurately, forging wouldnt work, assignatures are verifiable against the creator
The Key management portion of IKE providessession negotiation and establishment, and
sessions can be re-keyed automatically Authentication can be performed in manyways
8/2/2019 Cpug Ike1 Tutorial
37/58
The key is the selector
A selector is a combination of parameters thatallows a gateway to define how it wishes to deal withinbound traffic
Selectors include: IP address or address range
A particular IP protocol number (UDP, OSPF)
A particular IP port number (500, 5000, etc)
Based on how a packet matches a selector, thegateway will protect (encrypt), drop, or bypass thepacket
Aka the pass, punt, or play decision
8/2/2019 Cpug Ike1 Tutorial
38/58
Lets get to the authentication
ESP is used by Check Point almostexclusively
Heres how it looks in Tunnel Mode:
New IP Header ESP Head
IP DATAIP Header
IP DATAOld IP Head ESP trailer ESP Auth
Authenticated and Encrypted
8/2/2019 Cpug Ike1 Tutorial
39/58
What does the header look like? Heres a picture:
Security Parameter Index
Sequence NumberInitialization Vector
Encrypted IP Header
UDP header (or whatever)
DATAData
Trailer: padding, pad ln
ESP Authentication
NEW IP HEADER
Padding
ESP Header
Encap. Header
ESP HeaderESP Header
ESP Trailer
Why padding? Some Algorithms (DES) require specific block sizes for Cipher Block Chaining,
which speeds encryption.
8/2/2019 Cpug Ike1 Tutorial
40/58
Initialization Vector?
In order to prevent similarities in your cipher,its a good idea to mix some data from the
last packet into the current packet. This prevents the same input from giving you
the same output all the time (easy to break)
The Initialization Vector is a chunk of the
prior packets data that is fed into the nextpackets data to jumble the output
8/2/2019 Cpug Ike1 Tutorial
41/58
OK- now for the meat..
IKE: RFC 2401
Uses SAs to track conversations
Three things are tracked by ike:Authentication algorithm and keys
Encryption algorithm and keys
Lifetimes for the encrypted conversations A selector is also defined in order to
specify what traffic the SA applies to
8/2/2019 Cpug Ike1 Tutorial
42/58
More details:
You dont really have to use IKE:
Enter many large ugly numbers
Keep track of them and keep them secret
Pass them from site to site
Change them secretly
Have fun!
8/2/2019 Cpug Ike1 Tutorial
43/58
Down to the packet level:
As we mentioned before, there are twomodes of operation: Main mode and QuickMode
Main mode authenticates and decides on theencryption algorithms
Quick Mode actually defines the tunnels,exchanges the keys, and establishes the SAs
Remember: IKE SAs are bidirectional,AH/ESP SAs are unidirectional
8/2/2019 Cpug Ike1 Tutorial
44/58
Main Mode
Key exchange uses Diffie Hellman method:public/private key pairs generated on the spot areused to initiate secure communication
The initial packets of Main Mode describe HOW D-Hwill be used (encryption strength, etc).
Not worth going into the math now, but assume thatDH is secure enough to pass the keys used for latercommunication
Once the secure keys are passed over the D-H link,then symmetric (non public/private) algorithms like3DES or AES are used to pass the secure traffic
8/2/2019 Cpug Ike1 Tutorial
45/58
Nuts and Bolts
Once the DH parameters are exchanged, thenthe key generation begins
Long computations to generate pseudo-random numbers, which are used astemporary keys
At this point, a secure channel has beencreated, keys have been defined, and thegateways can now enjoy a secure link but..
NO AUTHENTICATION HAS TAKEN PLACE
8/2/2019 Cpug Ike1 Tutorial
46/58
Authentication
After the DH establishment, after secure keygeneration and exchange, we tell eachother who weare
Can be done with hashed passwords, certificates, orraw public keys
Check Point only supports certs or passwords
The hashing method used for the passwords is setand negotiated between the gateways
Now that weve gone through secure channelgeneration and authentication, we can set up someSAs
8/2/2019 Cpug Ike1 Tutorial
47/58
QUICK MODE!
Four packets First packet: a bunch of crypto stuff from
initiator Second packet: a reply with more cryptostuff from the recipient
Third packet: Essentially an ACK from the
initiator Fourth packet: a second ACK to let the
initiator know its ok to start transmitting
8/2/2019 Cpug Ike1 Tutorial
48/58
QM part 2
Hash type, SA type (ESP), IP information (encryption domains/selectors)
ACK HASH
Optional return HASH
Hash type, SA type (ESP), IP information (encryption domains/selectors)
8/2/2019 Cpug Ike1 Tutorial
49/58
A bit more on selectors
Defines netmask granularity (0 to 32bit)
Can define port granularity The selector will show Protect for all
traffic in the tunnelotherwise it
wouldnt be there!
8/2/2019 Cpug Ike1 Tutorial
50/58
Ending the tunnel..
IKE can use a Delete message to killan SA, or vendors can use extensions of
the Notify message to describe errorstates
Check Point uses Notify often
SAs can be killed after a time orvolume-based parameter elapses
Can cause vendor issues
Ik Vi ( i !)
8/2/2019 Cpug Ike1 Tutorial
51/58
IkeView (again!)
8/2/2019 Cpug Ike1 Tutorial
52/58
RFCs: 2408/2409
2408: provides ISAKMP framework
2409 IKE Rfc
Both provide ascii header framework
C St d B
8/2/2019 Cpug Ike1 Tutorial
53/58
Case Study- Bogus.com User is having problems getting point to point vpn to
establish between gateways running traditional mode andsimplified mode vpn configs.
First thought: run vpn tu (both ways) to force manualtunnel establishment, while debugging. This should force atunnel entry in the debugs- ensure that certificates are
really being used
Determined that pre-shared secret was enabled on one ofthe gateways
8/2/2019 Cpug Ike1 Tutorial
54/58
Test1-fw can establish a VPN using Simplified toTraditional with Bgs-Cluster. Duplicating the rulebase for two active VPN's, bgs-Argentina-fw and bgs-Sydney-fw gives the same error as I had received inthe past. "Main Mode Validation timedout. Certificate, 0=fwman.smz23x". The initialphase from the remote firewall reports IKE: Mode
completion. One thing noticed is that comparingbgs-Test1-fw and bgs-Sdyney-fw is that after theinital exchange of keys are made, Sydney attemptsto connect to the management station usingservice FW1_ica_services serveral times andthen the Validation time out is recorded and noattempt from the bgs-cluster to connect to themanagement station at all.. When test1-fw initiatesthe exchange of keys, the Text1-fw and the bgs-Cluster connect to the management station using theFW1_ica_service.
8/2/2019 Cpug Ike1 Tutorial
55/58
More troubleshooting..
1. Translation between new firewall(Sydney r55) and Lowell. Was nottaking place - correct NAT rule, but no
IP Addresses!(Changed global properties - NATManual UNCHECK)Fixed.*Specified UNCHECK translate client
side / Manual NAT2. FP3 cannot use preshared's with R55.
8/2/2019 Cpug Ike1 Tutorial
56/58
Current issues
Current issue: Vpnd maxes out and restarts
Fixed in HFA 11 for R55 and HFA03 for R55P
Reason: Cyclic group reference
ps -auxw:USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 541 81.9 12.5 21596 31636 ?? R 2:02PM 0:41.24 vpnd 0 (vpn)
8/2/2019 Cpug Ike1 Tutorial
57/58
Cyclic what?
Suppose you have remote user groups, and that youhave nested groups within groups (never a good idea)
Group A:
Subgroup 1
Subgroup 2
Subgroup 3
Subgroup 2:
Subgroup P
Subgroup Q
Group A
8/2/2019 Cpug Ike1 Tutorial
58/58
Thank You!