Recently I went through the Check Point VPN troubleshooting process with the IKEView tool. IKEView can be downloaded from the Check Point Support Center.
The IKEView utility is a Check Point tool created to assist in the analysis of the ike.elg (IKEv1) and ikev2.xmll (IKEv2, supported in R71 and above) files. The ike.elg and ikev2.xmll files are useful for debugging Site-to-Site VPN and Check Point Remote Access Client encryption failures.
Enabling IKE debug mode on the Security Gateway results in verbose encryption-traffic information being written to the $FWDIR/log/ike.elg or $FWDIR/log/ikev2.xmll file. The Security Gateway does not require a restart or reboot after enabling IKE debug mode. The output is written in text format and can be read with a plain-text editor, but it is cumbersome to interpret. The IKEView utility's GUI clearly designates IPSec Phase 1 and Phase 2 sections on a per-packet level for both IKEv1 and IKEv2.
Here are some steps:
STEP 1
Only Phase 2 may be needed, depending on the networks being connected to.
Select option 0 (Delete all IPSec+IKE SAs for ALL peers and users)
Hit Enter
[Expert@FW-CP1:0]# vpn debug ikeoff
Example 1: Successful Phase 1 and Phase 2 with correct encryption domain sent out
Example 2: Phase 1
Example 3: Wrong Encryption Domains sent out from Check Point
Other Commands:
fw tab -t vpn_enc_domain_valid -f -u
“Invalid ID” is a Phase II error. During Phase II, networks are exchanged along with Phase II authentication parameters. To confirm, run the following command when trying to establish the tunnel:
fw tab -t vpn_enc_domain_valid -f -u
That command may not be helpful if you have many VPNs because it does not separate the encryption domains. But basically this will list the encryption domains that the Check Point is sending out. It will probably be a larger subnet than what you have configured. If this is the case, search for “supernetting” in these forums. There are several ways to address the issue.
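An added example, not from the original post or from Check Point: a small Python check that compares the networks the gateway actually advertises (as read from IKEView's Phase 2 ID payload or from the vpn_enc_domain_valid table) with the subnets the peer expects, so the supernetting mismatch behind an “Invalid ID” failure is visible before a tunnel is retried. All subnets are constructed sample values.

```python
import ipaddress

# Constructed sample: the subnets the peer administrator expects to see in
# the Phase 2 ID payload (the peer's proxy IDs / traffic selectors).
PEER_EXPECTED = ["10.1.10.0/24", "10.1.20.0/24"]

# Constructed sample: the subnets the Check Point gateway actually sent, as
# observed in IKEView's Phase 2 ID payload or in vpn_enc_domain_valid.
# 10.1.0.0/16 is a supernet of both expected /24s, which is the classic
# cause of the peer rejecting Phase 2 with "Invalid ID".
GATEWAY_SENT = ["10.1.0.0/16"]


def classify_encryption_domains(sent, expected):
    """Compare the networks a gateway sends with those the peer expects.

    Returns a dict with three lists:
      exact     - sent networks that match an expected network exactly
      supernet  - (sent, [covered expected...]) where the sent network is
                  broader than what the peer expects (Invalid ID risk)
      unmatched - sent networks that overlap nothing the peer expects
    """
    sent_nets = [ipaddress.ip_network(n, strict=False) for n in sent]
    exp_nets = [ipaddress.ip_network(n, strict=False) for n in expected]
    result = {"exact": [], "supernet": [], "unmatched": []}
    for s in sent_nets:
        if s in exp_nets:
            result["exact"].append(str(s))
            continue
        # Expected networks that sit inside the (too broad) sent network.
        covered = [str(e) for e in exp_nets if e.subnet_of(s)]
        if covered:
            result["supernet"].append((str(s), covered))
        else:
            result["unmatched"].append(str(s))
    return result


if __name__ == "__main__":
    report = classify_encryption_domains(GATEWAY_SENT, PEER_EXPECTED)
    for sent, covered in report["supernet"]:
        print(f"supernet {sent} sent instead of {', '.join(covered)}")
    for net in report["unmatched"]:
        print(f"unmatched {net}: peer expects none of these hosts")
```

Feed the script the networks copied from the ID payload in IKEView; any entry reported under supernet is the one to narrow (or to agree on with the peer) before re-running vpn debug.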
References:
Troubleshooting Checkpoint VPNs with IKEVIEW
Enabling IKE and VPN debugging