ike debug

Background

Starting in R81.10, separate daemons handle different VPN connections.

Starting in R81.20, these are the responsibilities of the different daemons - vpnd, iked, and cccd:

Handles these VPN connections:

The VPN daemon on a Security Gateway listens on these ports:

  • Tunnel Test: 18234 (UDP)

  • L2TP: 1701 (UDP)

  • Check Point RDP: 259 (UDP)

  • Session infrastructure manager: 9996 (TCP)

The "vpnd" daemon is a child of the FWD daemon (see the $FWDIR/conf/fwauthd.conf file on a Security Gateway).

Introduced in the R81.10 version.

Handles these VPN connections:

  • All connections from IKE Remote Access clients (for example, Endpoint clients)

  • All IKE Site-to-Site connections from peer Security Gateways

  • Large Scale VPN (LSV) connections

  • Connections from SmartLSM ROBO gateways

Listens on these ports on a Security Gateway:

  • IKE: 30500 - 30563 (UDP)

  • IKE NAT-T: 34500 - 34563 (UDP)

  • Tunnel Test: 48234 - 48297 (UDP)

  • Check Point RDP: 30259 - 30322 (UDP)

  • L2TP: 31701 - 31764 (UDP)

CLI Syntax to control the IKE daemon "iked":

vpn iked {status | enable | disable | calc <Peer IP address>}

Starting in R81.20, there can be a maximum of 64 instances of the "iked" daemon that are calculated based on this formula:

Number of IKED instances = (Number of CoreXL Firewall Instances) / (Value of Kernel Parameter 'ike_num_instances_per_daemon')

Note - You can configure different values for the kernel parameter 'ike_num_instances_per_daemon'.

Introduced in the R81.10 version.

Responsible for the Client Communication Channel (CCC) protocol, while:

  • IKE for the same clients runs in the IKE daemon "iked"

  • The TLS layer of the CCC protocol for the same clients runs in the VPN daemon "vpnd"

CLI Syntax to control the CCC daemon "cccd":

vpn cccd {status | enable | disable}

The "cccd" daemon is a child of the FWD daemon (see the $FWDIR/conf/fwauthd.conf file on a Security Gateway).

Enabling and Disabling the IKE daemon "iked"

By default, the IKE daemon "iked" is enabled on the Security Gateway.

If you disable the IKE daemon "iked", then in such a legacy mode the VPN daemon "vpnd" handles all VPN connections.

Step

Instructions

1

Connect to the command line on the Security Gateway / each Cluster MemberClosed Security Gateway that is part of a cluster..

2

Log in to the Expert mode.

3

Examine the current status:

vpn iked status

Possible outputs:

  • vpn: 'iked' is enabled

    Means the IKE daemon iked is enabled (new mode available in R81.10 and higher).

    This is the default.

    There is nothing else to do. Stop this procedure.

  • vpn: 'iked' is disabled

    Means the IKE daemon iked is disabled (legacy mode as works in R81 and lower).

    Proceed to the next step.

4

Enable the IKE daemon:

vpn iked enable

Important:

  • This command makes the required changes in the $FWDIR/boot/modules/fwkern.conf file.

  • This command fetches the local policy (this may disconnect your SSH session).

  • This change survives reboot.

Step

Instructions

1

Connect to the command line on the Security Gateway / each ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member.

2

Log in to the Expert mode.

3

Examine the current status:

vpn iked status

Possible outputs:

  • vpn: 'iked' is enabled

    Means the IKE daemon iked is enabled (new mode in R81.10 and higher).

    This is the default.

    Proceed to the next step.

  • vpn: 'iked' is disabled

    Means the IKE daemon iked is disabled (legacy mode as works in R81 and lower).

    There is nothing else to do. Stop this procedure.

4

Disable the IKE daemon:

vpn iked disable

Important

  • This command makes the required changes in the $FWDIR/boot/modules/fwkern.conf file.

  • This command fetches the local policy (this may disconnect your SSH session)

  • This change survives reboot.

Enabling and Disabling the CCC Daemon "cccd"

By default, the CCC daemon "cccd" is disabled on the Security Gateway.

In such a legacy mode, the VPN daemon vpnd handles all VPN connections.

If you enable the CCC daemon "cccd", then this dedicated daemon handles the Client Communication Channel protocol.

Step

Instructions

1

Connect to the command line on the Security Gateway / each Cluster Member.

2

Log in to the Expert mode.

3

Examine the current status:

vpn cccd status

Possible outputs:

  • vpn: 'cccd' is enabled

    Means the CCC daemon cccd is enabled (new mode available in R81.10 and higher).

    There is nothing else to do. Stop this procedure.

  • vpn: 'cccd' is disabled

    Means the CCC daemon cccd is disabled (legacy mode as works in R81 and lower).

    This is the default.

    Proceed to the next step.

4

Enable the CCC daemon:

vpn cccd enable

Important:

  • This command makes the required changes in the $FWDIR/boot/modules/fwkern.conf file.

  • This command fetches the local policy (this may disconnect your SSH session)

  • This change survives reboot.

Step

Instructions

1

Connect to the command line on the Security Gateway / each Cluster Member.

2

Log in to the Expert mode.

3

Examine the current status:

vpn cccd status

Possible outputs:

  • vpn: 'cccd' is enabled

    Means the CCC daemon cccd is enabled (new mode available in R81.10 and higher).

    Proceed to the next step.

  • vpn: 'cccd' is disabled

    Means the CCC daemon cccd is disabled (legacy mode as works in R81 and lower).

    This is the default.

    There is nothing else to do. Stop this procedure.

4

Disable the CCC daemon:

vpn cccd disable

Important

  • This command makes the required changes in the $FWDIR/boot/modules/fwkern.conf file.

  • This command installs the local policy(this may disconnect your SSH session).

  • This change survives reboot.

Description

The "ike debug" command instructs the IKE daemon "iked" to write debug messages to these log files:

File Description

Log File for each IKED instance

Main debug output file

$FWDIR/log/iked0.elg

$FWDIR/log/iked1.elg

... ...

$FWDIR/log/iked64.elg

IKEv1 output

$FWDIR/log/iked0.ikev1trace

$FWDIR/log/iked1.ikev1trace

... ...

$FWDIR/log/iked64.ikev1trace

IKEv2 output

$FWDIR/log/iked0.ikev2trace

$FWDIR/log/iked1.ikev2trace

... ...

$FWDIR/log/iked64.ikev2trace

Debugging of the IKE daemon "iked" is based on Debug Topics and Debug Levels:

  • A Debug Topic is a specific area, on which to perform debugging.

    Check Point Support provides the specific Debug Topics when needed.

  • Debug Levels range from 1 (least informative) to 5 (most informative - write all debug messages).

In addition, see vpn debug.

How to see the index number of an IKE daemon "iked" that handles a VPN connection

  1. Connect to the command line on the Security Gateway / each Cluster Member / Security Group.

  2. Log in to the Expert mode.

  3. Get the list of all VPN tunnels (see vpn tu tlist):

    vpn tu tlist -z

  4. Examine these items in the output:

    1. In the top section, examine the row "MSPI:".

      The number that appears after "d:" is the number of the IKE daemon "iked" instance.

    2. In the bottom section, the "Tunnel Mapping" summary shows the IKE daemon "iked" instance that handles this VPN tunnel.

Syntax

Best Practice - Use the command "vpn debug trunc ALL=5" that also enables the debug of the IKE daemon "iked" and of the CCC daemon "cccd". See sk180488.

ike debug

      on [<Debug_Topic>=<Debug_Level>]

      off

      ikeon [-s <Size_in_MB>]

      ikeoff

      [-i <IKED Index>] trunc [<Debug_Topic>=<Debug_Level>]

      truncon [<Debug_Topic>=<Debug_Level>]

      truncoff

      timeon [<Seconds>]

      timeoff

      ikefail [-s <Size_in_MB>]

      mon

      moff

      say ["String"]

      tunnel [<Level>]

Parameters

Parameter

Description

No Parameters

Shows the built-in usage.

on

Turns on high level IKE debug.

The debug writes the information in these files:

  • $FWDIR/log/iked<Index>.elg*

  • $FWDIR/log/iked<Index>.ikev1trace*

  • $FWDIR/log/iked<Index>.ikev2trace*

<Debug_Topic>=<Debug_Level>

Specifies the Debug Topic and the Debug Level.

Check Point Support provides these.

Best Practice - Run this command to start the debug:

ike debug trunc ALL=5

off

Turns off all IKE debug.

Best Practice - Run one of these commands to stop the IKE debug:

ike debug off

ike debug truncoff

ikeon [-s <Size_in_MB>]

Turns on the IKE trace.

The debug writes the information in these files:

$FWDIR/log/iked<Index>.elg*

You can specify the size of the output file, when to perform the log rotation (close the current activeClosed State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. file, rename it, open a new active file).

ikeoff

Turns off the IKE trace.

Run this command to stop the IKE trace:

ike debug ikeoff

trunc

or

truncon

This command:

  1. Rotates the $FWDIR/log/iked<Index>.elg file

  2. Rotates the $FWDIR/log/iked<Index>.ikev1trace* file

  3. Rotates the $FWDIR/log/iked<Index>.ikev2trace* file

  4. Starts the IKE daemon debug

Best Practice - Run this command to start the IKE debug:

ike debug trunc ALL=5

Note - Use the "-i <IKED Index>" option to start the IKE debug of a specific IKE daemon instance.

truncoff

Stops the IKE daemon debug.

Run one of these commands to stop the IKE debug:

ike debug truncoff

ike debug off

timeon [<Seconds>]

Enables the timestamp in the log files.

Prints one timestamp after the specified number of seconds.

By default, prints the timestamp every 10 seconds.

timeoff

Disables the timestamp in the log files every number of seconds.

ikefail [-s <Size_in_MB>]

Logs failed IKE negotiations.

You can specify the size of the output file, when to perform the log rotation (close the current active file, rename it, open a new active file).

mon

Enables the IKE Monitor.

Writes the IKE packets in this file:

$FWDIR/log/ikemonitor.snoop

Warning - The output file may contain user X-Auth passwords. Make sure the file is protected.

moff

Disables the IKE Monitor.

say "String"

Writes the specified text string in this file:

$FWDIR/log/iked<Index>.elg

For example, run:

ike debug say "BEGIN TEST"

Notes:

  • Run this command after you start the VPN debug (with one of these commands: "ike debug on", "ike debug trunc", or "ike debug truncon").

  • The length of the string is limited to 255 characters.

tunnel [<Debug_Level>]

This command:

  1. Rotates the $FWDIR/log/iked<Index>.elg file

  2. Starts the IKE daemon debug with these two Debug Topics:

    tunnel

    ikev2

    If the <Debug_Level> is 2,3,4 or 5, then also enables this Debug Topic:

    CRLCache

The debug writes the information in these files:

  • $FWDIR/log/iked<Index>.elg

  • $FWDIR/log/iked<Index>.ikev1trace*

  • $FWDIR/log/iked<Index>.ikev2trace*

Return Values