What information is required to troubleshoot the VPN related issues

I know most of us are seeing a lot of issues with VPN tunnels. Here I am posting some useful information.

Gather the following information to troubleshoot VPN-related issues:


  1. CPINFO from the Security Management server. Refer to sk30567.


  2. Encryption algorithm, integrity algorithm, Diffie-Hellman group and SA lifetime for Phase 1 and Phase 2, plus the networks (encryption domains) proposed on each end. All of these must agree on both peers; a mismatch in any one of them prevents Phase 1 or Phase 2 from completing, so comparing the two filled-in tables side by side is the first check to make. DES, MD5 and DH group 1 appear in the lists below only because older peers may still propose them; they are weak and should not be chosen for a new tunnel.

    Fill out the following table for each endpoint of the tunnel:

    1. Check Point Site Info:

    Phase 1

    - Encryption Strength (3Des, Des, AES256) =
    - Encryption Integrity (MD5, SHA1) =
    - Diffie-Hellman Group for IKE (phase 1) (group 1, 2, 5) =
    - Renegotiate IKE (phase 1) (default 1440 minutes) =
    - Support Aggressive mode (yes, no) =

    Phase 2

    - Encryption Strength (3Des, Des, AES256) =
    - Encryption Integrity (MD5, SHA1) =
    - Use Perfect Forward Secrecy (if yes what group) =
    - Renegotiate IPsec (default 3600 seconds) =


    2. Are you using pre-shared secrets or certificates?

    3. Can the tunnel be established in one direction only? If so, which side is able to initiate it?

    4. What addresses are you testing from and to, inside the two encryption domains?

    5. What is the IP address and name of the security gateway in question?

    6. What are the IP address and name of the remote VPN site, and what type of VPN appliance is it?

    2. Remote Site Info:

    Phase 1

    - Encryption Strength (3Des, Des, AES256) =
    - Encryption Integrity (MD5, SHA1) =
    - Diffie-Hellman Group for IKE (phase 1) (group 1, 2, 5) =
    - Renegotiate IKE (phase 1) (default 1440 minutes) =
    - Support Aggressive mode (yes, no) =

    Phase 2

    - Encryption Strength (3Des, Des, AES256) =
    - Encryption Integrity (MD5, SHA1) =
    - Use Perfect Forward Secrecy (if yes what group) =
    - Renegotiate IPsec (default 3600 seconds) =



    2. Are you using pre-shared secrets or certificates?

    3. Can the tunnel be established in one direction only? If so, which side is able to initiate it?

    4. What addresses are you testing from and to, inside the two encryption domains?


  3. The IKE.elg and vpnd.elg debug files, covering an easily identified period during which the connection was tested.
    Follow the procedure below to create the IKE.elg and vpnd.elg debug files:

    1. Delete the $FWDIR/log/IKE.elg and $FWDIR/log/vpnd.elg files from the security gateway, so that the new files contain only the test that follows.


    2. On the security gateway run "vpn tu" or "vpn tunnelutil".
      This brings up the following menu:

      (on NGX there is an additional option to delete a user's IPsec SAs)


      ********** Select Option **********

      (1) List all IKE SAs

      (2) List all IPsec SAs

      (3) List all IKE SAs for a given peer

      (4) List all IPsec SAs for a given peer

      (5) Delete all IPsec SAs for a given peer

      (6) Delete all IPsec+IKE SAs for a given peer

      (7) Delete all IPsec SAs for ALL peers

      (8) Delete all IPsec+IKE SAs for ALL peers

      (A) Abort

      *******************************************


      Select option 6 and enter the remote peer's IP address, or select option 8 to delete the IPsec and IKE SAs for all peers. Besides removing the local SAs, this sends an IKE delete notification to the remote side, telling it to take down the existing tunnel, so the debug captures a complete renegotiation from scratch rather than traffic on an SA that was already up.


    3. Run "vpn debug ikeon" to enable IKE debugging (written to IKE.elg). "vpn debug on" additionally enables vpnd debugging (written to vpnd.elg); "vpn debug trunc" truncates both files and enables both debugs in one step, which is a convenient replacement for steps 1 and 3.


    4. From either side of the tunnel, generate traffic that should pass through it, for example by pinging a host in the remote encryption domain from a host in the local one, and note the time.


    5. Once the tunnel fails, run "vpn debug ikeoff" (and "vpn debug off" if vpnd debugging was enabled). Leaving the debug on fills the log directory and slows the gateway.


    6. The IKE.elg (and vpnd.elg) files are written to the $FWDIR/log directory on the security gateway. Collect them together with the CPINFO and the completed tables, and state the time of the test so the relevant negotiation is easy to find in the files.
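As an added example (not part of the original post and not Check Point tooling), the following Python script cross-checks the two filled-in tables from item 2 against each other: it reports every Phase 1 and Phase 2 parameter that differs between the ends, checks that each side's local networks are exactly what the peer proposes as its remote networks, and flags settings that will negotiate but are weak (DES, MD5, DH group 1, and aggressive mode combined with a pre-shared key). The two dictionaries are constructed sample data, and the key names are this script's own convention.

```python
"""Cross-check the VPN parameter tables gathered for both ends of a tunnel.

Added example for this post, not Check Point code. SAMPLE_LOCAL and
SAMPLE_REMOTE are constructed data in the shape of the tables above; the key
names (enc, integrity, dh_group, lifetime_min, aggressive, pfs_group,
lifetime_sec, auth, local_nets, remote_nets) are this script's own choice.
"""
import ipaddress

# Settings that still negotiate but should be flagged to the customer.
WEAK_ENC = {"DES"}
WEAK_INTEGRITY = {"MD5"}
WEAK_DH = {1}

PHASE1_KEYS = ("enc", "integrity", "dh_group", "lifetime_min", "aggressive")
PHASE2_KEYS = ("enc", "integrity", "pfs_group", "lifetime_sec")

# Constructed sample: Check Point side of the tunnel.
SAMPLE_LOCAL = {
    "auth": "PSK",
    "phase1": {"enc": "AES256", "integrity": "SHA1", "dh_group": 2,
               "lifetime_min": 1440, "aggressive": False},
    "phase2": {"enc": "AES256", "integrity": "SHA1", "pfs_group": 2,
               "lifetime_sec": 3600},
    "local_nets": ["10.1.0.0/24"],
    "remote_nets": ["10.2.0.0/24"],
}

# Constructed sample: remote site, with a few deliberate disagreements.
SAMPLE_REMOTE = {
    "auth": "PSK",
    "phase1": {"enc": "aes256", "integrity": "SHA1", "dh_group": 5,
               "lifetime_min": 1440, "aggressive": False},
    "phase2": {"enc": "3DES", "integrity": "MD5", "pfs_group": 2,
               "lifetime_sec": 3600},
    "local_nets": ["10.2.0.0/24"],
    "remote_nets": ["10.1.0.0/25"],
}


def norm(value):
    """Normalise a table entry so that '3des' and '3DES' compare equal."""
    return value.strip().upper() if isinstance(value, str) else value


def compare_phase(label, local, remote, keys):
    """Return one finding per parameter that differs between the two ends."""
    return [
        f"{label} {key} mismatch: local={local.get(key)!r} remote={remote.get(key)!r}"
        for key in keys
        if norm(local.get(key)) != norm(remote.get(key))
    ]


def weak_settings(site, cfg):
    """Return findings for weak algorithms or risky modes configured on one end."""
    out = []
    for label, p in (("Phase 1", cfg["phase1"]), ("Phase 2", cfg["phase2"])):
        if norm(p.get("enc")) in WEAK_ENC:
            out.append(f"{site} {label}: weak encryption {p['enc']}")
        if norm(p.get("integrity")) in WEAK_INTEGRITY:
            out.append(f"{site} {label}: weak integrity {p['integrity']}")
    if cfg["phase1"].get("dh_group") in WEAK_DH:
        out.append(f"{site} Phase 1: weak DH group {cfg['phase1']['dh_group']}")
    if cfg["phase1"].get("aggressive") and norm(cfg.get("auth")) == "PSK":
        # Aggressive mode sends the PSK-derived hash unencrypted; it can be
        # captured and cracked offline.
        out.append(f"{site}: aggressive mode with a pre-shared key exposes the PSK hash")
    return out


def check_domains(local, remote):
    """Each end's local networks must be exactly what the peer proposes as remote."""
    out = []
    for mine, theirs in (("local_nets", "remote_nets"), ("remote_nets", "local_nets")):
        a = {ipaddress.ip_network(n) for n in local[mine]}
        b = {ipaddress.ip_network(n) for n in remote[theirs]}
        if a != b:
            out.append(f"encryption domain mismatch: local {mine}={sorted(map(str, a))} "
                       f"vs remote {theirs}={sorted(map(str, b))}")
    return out


def audit(local, remote):
    """Return every finding for the pair; an empty list means the tables agree."""
    findings = compare_phase("Phase 1", local["phase1"], remote["phase1"], PHASE1_KEYS)
    findings += compare_phase("Phase 2", local["phase2"], remote["phase2"], PHASE2_KEYS)
    if norm(local["auth"]) != norm(remote["auth"]):
        findings.append(f"authentication mismatch: local={local['auth']} remote={remote['auth']}")
    findings += check_domains(local, remote)
    for site, cfg in (("local", local), ("remote", remote)):
        findings += weak_settings(site, cfg)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_LOCAL, SAMPLE_REMOTE):
        print(line)
```

Run against the sample data, the script reports the DH group mismatch in Phase 1, the encryption and integrity mismatches in Phase 2, the 10.1.0.0/24 versus 10.1.0.0/25 encryption domain disagreement, and the MD5 on the remote side. Those are exactly the disagreements that show up as failed proposals in IKE.elg, so running this before collecting debugs often saves the debug round trip.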
