
Check Point Bonus VPN Interoperability Material


Shadow Peak includes additional VPN interoperability & troubleshooting techniques as a 2-hour lecture-based enhancement to the standard Check Point CCSA course.  Commonly cited as "one of the best parts of the class" by prior students, this material has been exclusively developed by our instructor Tim Hall, who has over 10 years of VPN experience:

  • Comprehensive overview of IKE and IPsec from a standards-based perspective, highlighting where problems are most likely to occur, especially when attempting a VPN between different types of firewalls.
  • The presentation's level of detail is customized to exactly what a firewall administrator needs to know for effective troubleshooting - no eye-glazing discussions of advanced number theory, we promise!
  • Each student receives a handout summarizing the presentation for future use as an invaluable reference & troubleshooting tool.
  • Explanations & troubleshooting techniques for the most common Check Point VPN error messages such as "no proposal chosen" and "packet is dropped because there is no valid SA".
  • Discussion of other less-common but nonetheless perplexing VPN error messages such as "packet was decrypted, but policy said packet should not have been decrypted" and "received a cleartext packet within an encrypted connection".
  • Enhanced lecture-based coverage of the advanced Check Point VPN debugging tools vpn debug, ikeview, & vpn tu.
  • Review of Shadow Peak's 9 Banes of Proper VPN Operation that can bedevil & frustrate even the most experienced firewall administrator with flaky and inconsistent VPN behavior.  Included are the symptoms of these conditions, an explanation of their cause, and most importantly how to rectify them.  A sampling of the topics discussed:
      • Overlapping Subnets/RFC1918 Private Addressing Conflict
      • Asymmetric Routing
      • IKE Phase 2 Subnet/Proxy-ID Negotiation Issues
      • Intervening Network Address Translation (NAT) device present
      • Security Association (SA) Lifetime mismatches