topic Re: One-liner to show VPN topology on gateways in Scripts

One-liner to show VPN topology on gateways

Danny — Thu, 12 Jan 2023 07:49:35 GMT

✔️ Works on all VPN gateway types
👉 Available as SmartConsole Extension

In expert mode run:

if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]];then echo;tput bold;tput setab 1;echo ' Not a firewall gateway! ';tput sgr0;echo;else if [[ `grep R80.40 /etc/cp-release|wc -l` != 0 ]];then echo;tput bold;tput setab 1;echo -n ' Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool! ';tput sgr0;echo;fi;fw tab -t vpn_routing -u|awk 'NR>3 {$0=substr($0,2,28);gsub(", ", "");gsub("; ", "");gsub("..", "0x& "); print}'|xargs printf "%d.%d.%d.%d %d.%d.%d.%d %d.%d.%d.%d\n"|awk '{print $3"."$1" - "$2}'|sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -k 5,5n -k 6,6n -k 7,7n -k 8,8n|sed 's/^/x/'|sed 's/\./\n\t/4'|awk '!x[$0]++'|sed '/x/s/$/\n\tEncryption domain/'|sed 's/x/\nVPN Gateway > /'|if [[ $(cat /etc/cp-release) != *"Embedded"* ]];then egrep -C 9999 --color=auto $'VPN Gateway|Encryption domain';else cat $1|sed 's/^\t//';fi;echo;fi;if [[ `grep R80.40 /etc/cp-release|wc -l` != 0 ]];then tput bold;tput setab 1;echo -n ' Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool! ';tput sgr0;echo;echo;fi

Integrated with our ccc script.

Thanks to Tim Hall's preliminary work in this thread and reference in his book 📕Max Power 2020.
Thanks to AlexeyB's preliminary work in this thread.
Thanks to Pawel's SMB support and testing in this thread.

Re: One-liner to show VPN topology on gateways

Tsvika_Gilman — Thu, 11 Jul 2019 07:47:04 GMT

Nice

Re: One-liner to show VPN topology on gateways

HeikoAnkenbrand — Thu, 11 Jul 2019 09:08:28 GMT

Nice:-)

Re: One-liner to show VPN topology on gateways

Paul_Gademsky — Mon, 29 Jul 2019 18:55:30 GMT

Very nice, only improvement would be to show the peer's name next to the IP (when there are a lot of peers, it simplifies things).

Thanks for generating this type of one liners.

Paul G.,

CCSM

Re: One-liner to show VPN topology on gateways

Danny — Thu, 08 Aug 2019 10:56:44 GMT

Hi Paul,

the only place I found on gateways to match a VPN peer's IP address to the object name as configured in SmartConsole is $FWDIR/state/local/FW1/local.objects . Unluckily I haven't found a way yet to extract the object name of an IP as the file structure isn't documented.

Re: One-liner to show VPN topology on gateways

Paul_Gademsky — Thu, 08 Aug 2019 15:17:06 GMT

Hi Danny, thanks for the reply.

What I'm looking for is basically the same info that shows up in vpn tu when you select option 1.

It shows "Peer 10.10.10.1, peerfwname SAS:

IKE SA <......>

Don't need the IKE SA, but based on the knowledge that is shown there, it seems like it's ex-tractable somehow.

Thank you,

Re: One-liner to show VPN topology on gateways

fabioromano — Wed, 30 Sep 2020 08:19:40 GMT

Very appreciated!