Thursday, 28 April 2016

How do I debug VPND on Check Point?

  1. Check whether connectivity exists between the 2 gateway peers.
  2. VPN debugging: looking at the IKE negotiations.
  3. Can both sides see the IKE packets arriving during the key exchange?
  • IKE process (2 phases)
  • Phase 1 - Main Mode (6 packets)
  • Phase 2 - Quick Mode (3 packets)
  • Turn VPN debug on: enter the command "vpn debug on; vpn debug ikeon" or "vpn debug trunc".
  • The $FWDIR/log/ike.elg file contains information once debugging is enabled. Check Point provides a tool, IKEView.exe, that parses the information in ike.elg.
  • If you run # vpn debug mon, the output file is ikemonitor.snoop. In this output file all the IKE payloads are in clear, whereas in monitor.out all the IKE payloads are encrypted.
Phase I
  • Negotiates encryption methods (DES/3DES/AES etc.)
  • The key length
  • The hash algorithm (MD5/SHA1)
  • Creates a key to protect the messages of the exchange.
It does this in 5 stages:
  1. Peers authenticate using certificates or a pre-shared secret.
  2. Each peer generates a private Diffie-Hellman key from random bits and from that derives a DH public key. These are then exchanged.
  3. Each peer generates a shared secret from its private key and its peer's public key; this is the DH key.
  4. The peers exchange DH key material (random bits and mathematical data) and agree the methods for Phase II encryption and integrity.
  5. Each side generates a symmetric key (based upon the DH key and the key material exchanged).

In IKEView, under the IP address of the peer, open Main Mode Packet 1 and expand:
> "P1 Main Mode ==>" for outgoing or "P1 Main Mode <==" for incoming > MM Packet 1 > Security Association > prop1 PROTO_ISAKMP > tran1 KEY_IKE

UNDERSTAND THE 5 PACKETS
  1. If your encryption fails in Main Mode Packet 1, then you need to check your VPN communities.
  2. Packet 2 (MM Packet 2 in the trace) is from the responder to agree on one encryption and hash algorithm.
  3. Packets 3 and 4 aren't usually used when troubleshooting. They perform key exchanges and include a large number called a NONCE. The NONCE is a set of never-before-used random numbers sent to the other party, signed and returned to prove the party's identity.
  4. Packets 5 and 6 perform the authentication between the peers. The peer's IP address shows in the ID field under MM Packet 5. Packet 6 shows that the peer has agreed to the proposal and has authorised the host initiating the key exchange.
NOTE:
1. If your encryption fails in Main Mode Packet 1, then you need to check your VPN communities.
2. If your encryption fails in Main Mode Packet 5, then you need to check the authentication (certificates or pre-shared secrets).

PHASE II
The IPSec Security Associations (SAs) are negotiated.

- The shared secret key material used for the SA is determined and there is an additional DH exchange.
- Phase II failures are generally due to a misconfigured VPN domain.
- Phase II occurs in 3 stages:
1. Peers exchange key material and agree encryption and integrity methods for IPSec.
2. The DH key is combined with the key material to produce the symmetrical IPSec key.
3. Symmetric IPSec keys are generated.

To debug VPND run the following command:
vpn debug trunc
To disable the debug run the commands:
vpn debug off; vpn debug ikeoff
To view the logs run the command:
cd $FWDIR/log ; tail -f ike.elg vpnd.elg
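As an added illustration (not from the original post and not Check Point code) of the Phase I / Phase II packet counts above, the Python below parses the fixed ISAKMP header of captured IKEv1 datagrams (the UDP/500 payload) and maps how far a negotiation got to the post's troubleshooting hints. The sample trace, the build_header helper and the phase_hint rule set are constructed for this example.

```python
import struct
from dataclasses import dataclass

# ISAKMP header, RFC 2408 section 3.1: two 8-byte cookies, next payload,
# version, exchange type, flags, message ID, total length (28 bytes, big-endian).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
MAIN_MODE, QUICK_MODE = 2, 32          # exchange type values for IKEv1
FLAG_ENCRYPTED = 0x01                  # payloads after the header are encrypted

@dataclass
class IkeHeader:
    initiator_cookie: bytes
    exchange_type: int
    encrypted: bool
    message_id: int                    # zero for Phase 1, non-zero for Quick Mode

def parse_isakmp_header(datagram: bytes) -> IkeHeader:
    """Parse the fixed header of one IKEv1 datagram (UDP/500 payload)."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    icookie, _rc, _np, version, xchg, flags, msg_id, _len = ISAKMP_HDR.unpack_from(datagram)
    if version >> 4 != 1:
        raise ValueError(f"not IKEv1: major version {version >> 4}")
    return IkeHeader(icookie, xchg, bool(flags & FLAG_ENCRYPTED), msg_id)

def phase_hint(headers: list) -> str:
    """Apply the post's rule of thumb to the packets seen for one negotiation."""
    mm = sum(1 for h in headers if h.exchange_type == MAIN_MODE)
    qm = sum(1 for h in headers if h.exchange_type == QUICK_MODE)
    if mm == 0:
        return "no Main Mode packets: check connectivity between the peers"
    if mm == 1:
        return "stalled at MM Packet 1: check the VPN communities"
    if mm < 5:
        return f"stalled at MM Packet {mm}: key exchange (nonce/DH) did not complete"
    if mm == 5:
        return "stalled at MM Packet 5: check authentication (certificates or pre-shared secret)"
    if qm < 3:
        return f"Phase 1 complete, Quick Mode stopped after {qm} of 3 packets: check the VPN domains"
    return "Phase 1 and Phase 2 completed"

def build_header(icookie: bytes, rcookie: bytes, xchg: int, encrypted: bool, msg_id: int) -> bytes:
    """Constructed sample datagram (header only) for offline testing."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, xchg, flags, msg_id, ISAKMP_HDR.size)

# Constructed trace: Main Mode completes (packets 5 and 6 encrypted), Quick Mode stops after packet 2.
IC, RC = b"\x01" * 8, b"\x02" * 8
SAMPLE = [build_header(IC, RC, MAIN_MODE, i >= 5, 0) for i in range(1, 7)] + \
         [build_header(IC, RC, QUICK_MODE, True, 0xABCD) for _ in range(2)]
```

Run the same classification over datagrams read from a capture taken on both gateways to answer the post's question of whether each side actually sees the key-exchange packets arrive.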
