Firewall Fehlerdiagnose/en: Unterschied zwischen den Versionen

Aus TERRA CLOUD WIKI

(Die Seite wurde neu angelegt: „If the firewall becomes inaccessible, you can troubleshoot the firewall using the console connection (https://manage.terracloud.de/):<br> <br> Here the access data can be used like on the web interface.<br> border|Firewall login mask <br> <br> The network configuration is displayed using the command <b><i>interface address get</i></b> <br> border|interface address get<br> <br> The network objects (nodes) a…“)
 
(Die Seite wurde neu angelegt: „=== If the tunnel is open but no traffic is going through, check the following on both sides: ===“)
 
Zeile 59: Zeile 59:
This may not be allowed in the port filter or a DESTNAT directs the traffic past the server.
This may not be allowed in the port filter or a DESTNAT directs the traffic past the server.
<br>
<br>
<div lang="de" dir="ltr" class="mw-content-ltr">
<span id="Wenn_der_Tunnel_steht,_aber_kein_Traffic_durchgeht,_ist_folgendes_auf_beiden_Seiten_zu_prüfen:"></span>
=== Wenn der Tunnel steht, aber kein Traffic durchgeht, ist folgendes auf beiden Seiten zu prüfen: ===
=== If the tunnel is open but no traffic is going through, check the following on both sides: ===
</div>


<div lang="de" dir="ltr" class="mw-content-ltr">
* Routes
* Routen
* Port filters / implicit rules
* Portfilter / Implizite Regeln
* Packet filter log
* Paketfilter-Log
* Verify via TCPDUMP that there really is no traffic going over the tunnel. <font color="red">(Must be requested via Support@terracloud.de)</font>
* Über TCPDUMP nachvollziehen, dass auch wirklich kein Traffic über den Tunnel geht. <font color="red">(Muss über Support@terracloud.de angefragt werden)</font>
Often end devices simply do not respond despite traffic.
Oft antworten auch Endgeräte trotz Traffic einfach nicht.
<span id="Wenn_Traffic_über_den_Tunnel_läuft,_aber_es_allgemeine_Verbindungsprobleme_gibt,_ist_folgendes_zu_prüfen:"></span>
</div>
=== If traffic is running over the tunnel but there are general connection problems, check the following: ===
<div lang="de" dir="ltr" class="mw-content-ltr">
=== Wenn Traffic über den Tunnel läuft, aber es allgemeine Verbindungsprobleme gibt, ist folgendes zu prüfen: ===
</div>


<div lang="de" dir="ltr" class="mw-content-ltr">
* Internet connection between both endpoints
* Internetverbindung zwischen beiden Endpunkten
* There are also a few adjustment screws to achieve good VPN quality despite poor internet connection.
* Zusätzlich gibt es ein paar Stellschrauben, um trotz schlechter Internetanbindung noch eine gute VPN-Qualität zu erzielen.
Here you have to test something and see what achieves the desired effect.<br>
Hier muss man sich etwas durchtesten und schauen, was den gewünschten Effekt erzielt.<br>
These include:
Dazu zählen:
# MTU → Reduce value to 1400 or lower as a test
# MTU → Wert testweise auf 1400 oder niedriger reduzieren
# Increase replay values ideally double them straight away
# Replay-Werte erhöhen am besten direkt verdoppeln
# Switch protocol from UDP to TCP
# Protokoll von UDP auf TCP umstellen
<br>
<br>
</div>
<span id="IPSec_S2S_Probleme"></span>
<div lang="de" dir="ltr" class="mw-content-ltr">
== IPSec S2S problems ==
== IPSec S2S Probleme ==
</div>


<div lang="de" dir="ltr" class="mw-content-ltr">
<span id="Baut_sich_der_Tunnel_nicht_auf,_ist_folgendes_auf_beiden_Seiten_zu_prüfen:"></span>
=== Baut sich der Tunnel nicht auf, ist folgendes auf beiden Seiten zu prüfen: ===
=== If the tunnel does not build, check the following on both sides: ===
</div>


<div lang="de" dir="ltr" class="mw-content-ltr">
* Certificates
* Zertifikate
* Cipher + Hash – generally compare the IKE values, PSK etc. from phases 1 and 2
* Cipher + Hash – generell die IKE-Werte, PSK usw. aus Phase 1 und 2 vergleichen
The firmware version is also crucial here.<br>
Hier ist auch die Firmwareversion entscheidend.<br>
New versions may no longer support old ciphers.<br>
Neue Versionen unterstützen unter Umständen keine alten Cipher mehr.<br>
Therefore, in the best case scenario, client and server should be on the same firmware version.<br>
Daher sollte Client und Server im besten Fall auf demselben Firmwarestand sein.<br>
* IP + Ids + start behavior in phase 1 of the tunnel
* IP + Ids + Startverhalten in Phase 1 des Tunnels
<br>
<br>
</div>
<span id="Wenn_der_Tunnel_steht,_aber_kein_Traffic_durchgeht,_ist_folgendes_auf_beiden_Seiten_zu_prüfen"></span>
<div lang="de" dir="ltr" class="mw-content-ltr">
=== If the tunnel is open but no traffic is going through, check the following on both sides ===
=== Wenn der Tunnel steht, aber kein Traffic durchgeht, ist folgendes auf beiden Seiten zu prüfen ===
</div>


<div lang="de" dir="ltr" class="mw-content-ltr">
* Port filters / implicit rules
* Portfilter / Implizite Regeln
NAT in particular causes problems with IPSEC.<br>
Besonders NAT macht bei IPSEC Probleme.<br>
For this purpose, it is best to always have “No NAT for IPSec connections” active in the “implicit rules”.
Dafür sollte in den „impliziten Regeln“ am besten immer „Kein NAT für IPSec Verbindungen“ aktiv sein.
* Packet filter log
* Paketfilter-Log
* Here too, it may be that the packet goes into the tunnel but the end device does not respond.
* Auch hier kann es sein, dass das Paket in den Tunnel geht aber das Endgerät nicht antwortet.  
** However, IPSec does not have a dedicated interface on which one could execute a TCPDUMP.
** IPSec hat allerdings kein dediziertes Interface, auf dem man einen TCPDUMP ausführen könnte.  
The best way to check whether a packet is going into the tunnel is as follows:
Ob ein Paket in den Tunnel geht, prüft man daher am besten so:
# Send a ping to the remote network with a packet size on a device that is in the local UTM network.
# Auf einem Gerät, dass sich im lokalen Netz der UTM befindet, einen Ping zum Remote Netzwerk mit einer Paketgröße absetzen.  
## On Windows: ping $target-IP$ -l 1000
## Bei Windows : ping $Ziel-IP$ -l 1000  
## For Linux: ping $target-IP$ -s 1000<br>
## Bei Linux: ping $Ziel-IP$ -s 1000<br>
# Now you send a TCPDUMP on the UTM interface over which the tunnel is set up. Packages of the appropriate size should then be visible here.
# Nun setzt man einen TCPDUMP auf dem UTM Interface, über das der Tunnel aufgebaut ist ab. Hier müssten dann Pakete mit der entsprechenden Größe zu sehen sein.
# Example for TCPDUMP: tcpdump -i $Interface$ -nnp port 500 or port 4500 or esp and host $IP_der_Gegenstelle$
# Beispiel für TCPDUMP: tcpdump -i $Interface$ -nnp port 500 or port 4500 or esp and host $IP_der_Gegenstelle$
<br>
<br>
</div>
<span id="Wenn_Traffic_über_den_Tunnel_läuft_aber_es_allgemeine_Verbindungsprobleme_gibt,_ist_folgendes_zu_prüfen:"></span>
<div lang="de" dir="ltr" class="mw-content-ltr">
=== If traffic is running over the tunnel but there are general connection problems, check the following: ===
=== Wenn Traffic über den Tunnel läuft aber es allgemeine Verbindungsprobleme gibt, ist folgendes zu prüfen: ===
</div>


<div lang="de" dir="ltr" class="mw-content-ltr">
Basically, the current setting recommendations should be set.<br>
Grundsätzlich sollten die aktuellen Einstellungsempfehlungen gesetzt werden.<br>
The key data for this are:
Die Eckdaten dafür sind:
* IKEv2
* IKEv2
* Startoption Route + flag GENERATE_TRAFFIC
* Start option route + flag GENERATE_TRAFFIC
* „ike_lifetime“ auf „0“ und „ike_rekeytime“ auf „2“ setzen
* Set “ike_lifetime” to “0” and “ike_rekeytime” to “2”.
Wenn möglich eine DH Gruppe aus „ecp“
If possible a DH group from “ecp”
<br>
<br>
</div>
<span id="Beispiel_für_CLI_Änderungen"></span>
<div lang="de" dir="ltr" class="mw-content-ltr">
== Example of CLI changes ==
== Beispiel für CLI Änderungen ==
</div>


<div lang="de" dir="ltr" class="mw-content-ltr">
For Route + Generate Traffic:
Für Route + Generate Traffic:
# Use “ipsec get” to find out the id of the tunnel you want to change
# Mit „ipsec get“ die id des Tunnels herausfinden, den man ändern möchte
# Issue command
# Befehl absetzen
## ipsec set id $tunnel_id$ flags [ ROUTE DPD GENERATE_TRAFFIC MULTI_TRAFFIC_SELECTOR ]
## ipsec set id $tunnel_id$ flags [ ROUTE DPD GENERATE_TRAFFIC MULTI_TRAFFIC_SELECTOR ]
# Mit „system config save“ die config speichern
# Save the config with “system config save”.
# Am besten zur Sicherheit noch einmal den IPsec Dienst neu starten.
# It's best to restart the IPsec service again to be on the safe side.
<br>
<br>
Für Lifetimes:
For Lifetimes:
# Mit „ipsec get“ die id des Tunnels herausfinden, den man ändern möchte
# Use “ipsec get” to find out the id of the tunnel you want to change
# Befehle absetzen, hierbei ist zu beachten, dass „ike_lifetime“ größer sein muss als „ike_rekeytime“ sofern „ike_lifetime“ nicht „0“ ist.
# Issue commands, please note that “ike_lifetime” must be greater than “ike_rekeytime” unless “ike_lifetime” is “0”.
## ipsec set id $tunnel_id$ „ike_lifetime“ 3
## ipsec set id $tunnel_id$ “ike_lifetime” 3
## ipsec set id $tunnel_id$ „ike_rekeytime“ 2
## ipsec set id $tunnel_id$ “ike_rekeytime” 2
## ipsec set id $tunnel_id$ „ike_lifetime“ 0
## ipsec set id $tunnel_id$ “ike_lifetime” 0
# Mit „system config save“ die config speichern
# Save the config with “system config save”.
# Am besten zur Sicherheit noch einmal den IPSec Dienst neu starten.
# It's best to restart the IPSec service again to be on the safe side.
</div>

Aktuelle Version vom 23. Januar 2024, 13:18 Uhr

Sprachen:

General

In all scenarios it can be helpful to look at the syslog (application and kernel messages).
There is usually also a specific note about the relevant problem.
For IPSec, the log must be set to “Verbatic”.
In addition, the log on the UTMs must be enlarged. The following CLI command can be used for this:

syslog backlog set type messages limit 500000

Firewall cannot be reached

If the firewall becomes inaccessible, you can troubleshoot the firewall using the console connection (https://manage.terracloud.de/):

Here the access data can be used like on the web interface.
Firewall login mask

The network configuration is displayed using the command interface address get
interface address get

The network objects (nodes) are output using the command node get
... node get

The first comparison can take place here. Among the nodes, the address of the internal interface must match eth1 under the network configuration.
Alternatively, the value “eth1” can be entered as the address.

If there is a difference here, as in the following example, it can be adjusted with a command:
192.168.144.254/24
firewall-internal

The following command makes the new address available and sets the old one to “dynamic” so that further work can be carried out if necessary.
Interface address set id “5” address “192.168.140.254/24”
id:flags

Then two more commands must be made:
system update interface

With this command the new IP goes online.

Last but not least, run system config save to save the configuration
system config save

OpenVPN S2S problems

If the tunnel does not build, check the following on both sides:

  • Certificates
  • Cipher + Hash

The firmware version is also crucial here.
New versions may no longer support old ciphers.
Therefore, both sides should ideally be on the same firmware version.
Otherwise, you can explicitly reactivate old ciphers for a connection using the “Allowed ciphers for automatic negotiation (NCP)” option.

  • IP + port of the remote station
  • Can the client reach the OpenVPN server?

This may not be allowed in the port filter or a DESTNAT directs the traffic past the server.

If the tunnel is open but no traffic is going through, check the following on both sides:

  • Routes
  • Port filters / implicit rules
  • Packet filter log
  • Verify via TCPDUMP that there really is no traffic going over the tunnel. (Must be requested via Support@terracloud.de)

Often end devices simply do not respond despite traffic.

If traffic is running over the tunnel but there are general connection problems, check the following:

  • Internet connection between both endpoints
  • There are also a few adjustment screws to achieve good VPN quality despite poor internet connection.

Here you have to test something and see what achieves the desired effect.
These include:

  1. MTU → Reduce value to 1400 or lower as a test
  2. Increase replay values – ideally double them straight away
  3. Switch protocol from UDP to TCP


IPSec S2S problems

If the tunnel does not build, check the following on both sides:

  • Certificates
  • Cipher + Hash – generally compare the IKE values, PSK etc. from phases 1 and 2

The firmware version is also crucial here.
New versions may no longer support old ciphers.
Therefore, in the best case scenario, client and server should be on the same firmware version.

  • IP + Ids + start behavior in phase 1 of the tunnel


If the tunnel is open but no traffic is going through, check the following on both sides

  • Port filters / implicit rules

NAT in particular causes problems with IPSEC.
For this purpose, it is best to always have “No NAT for IPSec connections” active in the “implicit rules”.

  • Packet filter log
  • Here too, it may be that the packet goes into the tunnel but the end device does not respond.
    • However, IPSec does not have a dedicated interface on which one could execute a TCPDUMP.

The best way to check whether a packet is going into the tunnel is as follows:

  1. Send a ping to the remote network with a packet size on a device that is in the local UTM network.
    1. On Windows: ping $target-IP$ -l 1000
    2. For Linux: ping $target-IP$ -s 1000
  2. Now you send a TCPDUMP on the UTM interface over which the tunnel is set up. Packages of the appropriate size should then be visible here.
  3. Example for TCPDUMP: tcpdump -i $Interface$ -nnp port 500 or port 4500 or esp and host $IP_der_Gegenstelle$


If traffic is running over the tunnel but there are general connection problems, check the following:

Basically, the current setting recommendations should be set.
The key data for this are:

  • IKEv2
  • Start option route + flag GENERATE_TRAFFIC
  • Set “ike_lifetime” to “0” and “ike_rekeytime” to “2”.

If possible a DH group from “ecp”

Example of CLI changes

For Route + Generate Traffic:

  1. Use “ipsec get” to find out the id of the tunnel you want to change
  2. Issue command
    1. ipsec set id $tunnel_id$ flags [ ROUTE DPD GENERATE_TRAFFIC MULTI_TRAFFIC_SELECTOR ]
  3. Save the config with “system config save”.
  4. It's best to restart the IPsec service again to be on the safe side.


For Lifetimes:

  1. Use “ipsec get” to find out the id of the tunnel you want to change
  2. Issue commands, please note that “ike_lifetime” must be greater than “ike_rekeytime” unless “ike_lifetime” is “0”.
    1. ipsec set id $tunnel_id$ “ike_lifetime” 3
    2. ipsec set id $tunnel_id$ “ike_rekeytime” 2
    3. ipsec set id $tunnel_id$ “ike_lifetime” 0
  3. Save the config with “system config save”.
  4. It's best to restart the IPSec service again to be on the safe side.