Manage VPN tunnels smartly: forget vpn tu,enter the vpn shell

Deleting IKE/IPsec security associations of established VPNs is inevitable part of any VPN related debug. The standard tool promoted by Checkpoint (take CCSA,CCSE etc.,) is vpn tuthat neveretheless has always had a very annoying bug (feature?) – you can delete ALL VPN tunnels at a time and none individually !! It indeed presents option to delete
” Delete all IPsec SAs for a given peer (GW)” – but it just plain doesn’t work. And once confronted with this problem that could make debug more devastating than the problem itself I started looking for alternatives. To much of my surprise CP has a perfect alternative for this
- vpn shell, that provides acceptable means of managing tunnels. Here are details:
vpn shell can : delete IKE/IPsec SAs selectively, add/delete VTI interfaces,show information about all that.
To enter this shell :
[Expert@gw1]# vpn shell
? – This help
.. – Go up one level
quit – Quit
[interface ] – Manipulate tunnel interfaces
[show ] – Show internal data
[tunnels ] – Manipulate tunnel data

After hitting enter you are put into subshell that has hierarchy way of moving around, so to continue to show subtree you type show and hit Enter:
VPN shell:[/] > show
? – This help
.. – Go up one level
[interface ] – Show interface(s) and their status
[tunnels ] – Show SA(s)
VPN shell:[/show] >

Your prompt changes to the path inside vpn shell, to go 1 level up (return) type .. and Enter:
VPN shell:[/show] > ..
? – This help
.. – Go up one level
quit – Quit
[interface ] – Manipulate tunnel interfaces
[show ] – Show internal data
[tunnels ] – Manipulate tunnel data
VPN shell:[/] >

In addition if you know the full path inside vpn shell to the command you wish to run you can type it too:

e.g. To see all IKE tunnels:
[Expert@gw1]# vpn shell
? – This help
.. – Go up one level
quit – Quit
[interface ] – Manipulate tunnel interfaces
[show ] – Show internal data
[tunnels ] – Manipulate tunnel data
VPN shell:[/] > tunnels show IKE all

Peer 193.x.x.x:

1. IKE SA <8755c7fb24a52e9b,5d46b29d0f0bb5b7>:
VPN shell:[/] >
e.g. 2 To delete IKE SAs for specific peer:
VPN shell:[/] > tunnels delete IKE peer 193.3.3.3

NOTE: interface subtree is for dealing with VTI interfaces.

And finally to leave the vpn shell to SSH shell:
Get to the root by typing .. as many times as needed and then quit:

VPN shell:[/show/tunnels/IKE] > ../../..
? – This help
.. – Go up one level
quit – Quit
[interface ] – Manipulate tunnel interfaces
[show ] – Show internal data
[tunnels ] – Manipulate tunnel data
VPN shell:[/] > quit
[Expert@gw1]#

Comments

0 Responses to "Manage VPN tunnels smartly: forget vpn tu,enter the vpn shell"

Post a Comment

Search This Blog

Blog Archive

Total Pageviews