CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: TCPdump on VTI not working (R77.30)

  1. #1
    ChkM4te (Join Date: 2019-04-02, Posts: 2, Rep Power: 0)

    TCPdump on VTI not working (R77.30)

    Hello CPUG!

    I created a route-based VPN on an R77.30 cluster with a Juniper SRX on the remote side. For this I needed to make a VTI (vpnt1), the Community and static routes following the admin guide and SK. Everything works fine, ping goes back and forth, policies are okay.

    The only problem I face is that I cannot use tcpdump (tcpdump -n -i vpnt1) on the vpnt1 interface, and I haven't found any clues in the manuals or SKs regarding this.

    I can see the traffic nicely with 'fw monitor'.
    I've tried the 'fwaccel off' command, but then tcpdump doesn't respond (it doesn't start like it normally would).

    Should tcpdump on a VTI work at all on Check Point or not? It is working on Linux.

    Thanks,
    ChkM4te

  2. #2
    ChkM4te (Join Date: 2019-04-02, Posts: 2, Rep Power: 0)

    Re: TCPdump on VTI not working (R77.30)

    Hi all,

    I thought I'd share my experience, because I managed to find some kind of solution in the last few days.

    I have found this https://supportcenter.checkpoint.com...ionid=sk141412

    The key is the cppcap command - with this utility you can dump even virtual interfaces, for example:

    cppcap -v vpnt1 -f "host XXX.XXX.XXX.XXX" -DNT -o /var/log/capture.pcap

    With this command all the traffic is nicely visible, even on virtual interfaces. The format is a standard pcap, so you can use it for analyzing the packets after recording.


    One more thing is worth sharing, as we are talking about VTI and route-based VPN:
    It is written in 99% of the manuals/tutorials that in the case of route-based VPN you have to change the subnets in the community to 0.0.0.0, even your own side's VPN Domain (of which you can define only one in Check Point). In some cases it is written that this is only so the route-based decision TAKES PRECEDENCE over any domain-based VPN traffic decision. I haven't found anywhere that you don't have to do this - it might help to use fewer computer resources, but route-based VPN WILL WORK even if you already have some networks/groups in your VPN domain. I just thought it's good to write this down, as not everybody can have a test lab to check these settings, and nobody wants to ruin a production firewall environment with a global setting change.

  3. #3
    Zimmie (Join Date: 2007-03-30, Location: DFW, TX, Posts: 299, Rep Power: 13)

    Re: TCPdump on VTI not working (R77.30)

    Quote Originally Posted by ChkM4te:
        One more thing is worth sharing, as we are talking about VTI and route-based VPN:
        It is written in 99% of the manuals/tutorials that in the case of route-based VPN you have to change the subnets in the community to 0.0.0.0, even your own side's VPN Domain (of which you can define only one in Check Point). In some cases it is written that this is only so the route-based decision TAKES PRECEDENCE over any domain-based VPN traffic decision. I haven't found anywhere that you don't have to do this - it might help to use fewer computer resources, but route-based VPN WILL WORK even if you already have some networks/groups in your VPN domain. I just thought it's good to write this down, as not everybody can have a test lab to check these settings, and nobody wants to ruin a production firewall environment with a global setting change.
    It's more that the domain-based VPN decision happens very early in packet processing, and you need to ensure that won't flag the packet for encryption. You can mix domain-based and route-based VPNs. Just use the empty encryption domain for the remote peers you want to be route-based, and you'll be fine.

    Note: I don't think you can have some domain-based VPN exchanges and some route-based with the same peer. Sending the traffic would work, but when the firewall received an encrypted packet, it wouldn't know whether to apply domain-based rules, or to decrypt it and put it on the VTI.
    Zimmie
