topic Re: R81.20 - iked running while IPSec VPN blade not enabled in Firewall and Security Management

R81.20 - iked running while IPSec VPN blade not enabled

Matt_Taber — Wed, 18 Oct 2023 17:02:34 GMT

Good afternoon 'mates.

We upgraded in place from R80.40 -> R81.20 JHF 26 last night, went very smoothly, cheers to MVC.

While reviewing this morning, I discovered there are new daemons for VPN (https://community.checkpoint.com/t5/General-Topics/New-VPN-daemons-in-R81-10-R81-20/td-p/168785)

What I can't seem to track down anywhere is why are these daemons running if we're don't have the IPSEC VPN blade enabled on the cluster that was upgraded? We don't use CP for VPN access, so a bit concerned processes that aren't supposed to be enabled are running.

1) Don't worry about it?
2) How to really get them disabled?
3) R80.40 version didn't have the blade enabled either, but we would get alerted when internal pen test ran and connected to the gateways on udp/500. So they've been listening on a service we don't have enabled for quite some time.

Thanks for your insight.

Re: R81.20 - iked running while IPSec VPN blade not enabled

the_rock — Wed, 18 Oct 2023 17:15:48 GMT

Hey @Matt_Taber ,

If you send us the deamons you see, we can check.

Andy

Re: R81.20 - iked running while IPSec VPN blade not enabled

Matt_Taber — Wed, 18 Oct 2023 17:21:46 GMT

iked and vpnd, but not cccd

[Expert@fw3:0]# ps aux|grep ike
admin 5716 0.1 0.1 276956 61676 ? Sl 01:37 0:48 iked 0
admin 5717 0.1 0.1 276900 61232 ? Sl 01:37 0:48 iked 1
admin 5718 0.1 0.1 276668 60888 ? Sl 01:37 0:48 iked 2
admin 5719 0.1 0.1 276944 61288 ? Sl 01:37 0:48 iked 3
admin 5754 0.1 0.1 277112 61336 ? Sl 01:37 0:48 iked 4

[Expert@fw3:0]# ps aux|grep vpn
admin 5715 0.1 0.2 299164 65444 ? SLl 01:37 0:52 vpnd 0

[Expert@fw3:0]# ps aux|grep ccc
admin 12953 0.0 0.0 2648 576 pts/2 S+ 13:19 0:00 grep --color=auto ccc

Re: R81.20 - iked running while IPSec VPN blade not enabled

the_rock — Wed, 18 Oct 2023 17:42:57 GMT

Well, I learned something new today as well : - )

Yes, it is possible...see below, my lab R81.20 jumbo 26, no vpn blade.

Andy

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Topics-VPNSG/CLI/ike-debug.htm?TocPath=Command%20Line%20Reference%7C_____2

[Expert@CP-TEST-FIREWALL:0]# enabled_blades
fw urlf appi ips mon
[Expert@CP-TEST-FIREWALL:0]# ps aux|grep ike
admin 7683 0.0 0.0 34916 5484 ? Ss Oct16 2:15 spike_detective
admin 9452 0.1 0.1 258308 42048 ? Sl Oct16 3:40 iked 0
admin 9453 0.1 0.1 258296 41740 ? Sl Oct16 3:36 iked 1
admin 9454 0.1 0.1 258308 41716 ? Sl Oct16 3:40 iked 2
admin 15503 0.0 0.0 2652 568 pts/2 S+ 13:39 0:00 grep --color=auto ike
[Expert@CP-TEST-FIREWALL:0]# vpn iked disable
vpn: disabling 'iked'...
vpn: reconfiguring system...

Installing Security Policy LAB-POLICY on all.all@CP-TEST-FIREWALL
IPS package: Compiled OK.
Fetching Security Policy from local succeeded
vpn: 'iked' is now disabled.

[Expert@CP-TEST-FIREWALL:0]# ps aux|grep ike
admin 7683 0.0 0.0 34916 5484 ? Ss Oct16 2:15 spike_detective
admin 16106 0.0 0.0 2652 572 pts/2 S+ 13:41 0:00 grep --color=auto ike
[Expert@CP-TEST-FIREWALL:0]# fw ver
This is Check Point's software version R81.20 - Build 012
[Expert@CP-TEST-FIREWALL:0]# cpinfo -y fw1

This is Check Point CPinfo Build 914000234 for GAIA
[FW1]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 26
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point's software version R81.20 - Build 012
kernel: R81.20 - Build 014

[Expert@CP-TEST-FIREWALL:0]#

Re: R81.20 - iked running while IPSec VPN blade not enabled

Matt_Taber — Wed, 18 Oct 2023 18:06:39 GMT

Appreciate you running that down! I will disable iked during a future maintenance window.

However, the gateways are still listening on udp/500 udp/4500 and tcp/444 via vpnd. I don't see a way to disable vpnd via CLI. Would it be safe to comment out this line from $FWDIR/conf/fwauthd.conf:

0 vpn vpnd respawn 0

I find it concerning that the gateways would still listen on ports that aren't configured to be enabled via a blade. We have no need for UDP/500 or 4500 on these units.

Thank you again!

Re: R81.20 - iked running while IPSec VPN blade not enabled

the_rock — Thu, 19 Oct 2023 01:37:20 GMT

This may answer it...

https://community.checkpoint.com/t5/Security-Gateways/vpnd-process-running-vpn-blade-not-enabled/td-p/158779

https://support.checkpoint.com/results/sk/sk109172

Re: R81.20 - iked running while IPSec VPN blade not enabled

Matt_Taber — Fri, 20 Oct 2023 15:28:55 GMT

Apparently my searching ability is subpar, thank you AGAIN for tracking this information down. Much appreciated. We do run Identity Awareness. Crazy that vpnd is responsible for the different portals.

[Expert@fw4:0]# for i in `mpclient list`; do echo $i ; mpclient status $i; done
DLPSenderPortal
Portal is running
SecurePlatform
Portal is running
UserCheck
Portal is running
ZeroPhishing
Portal is running
nac
Portal is running
nac_transparent_auth
Portal is running
saml-vpn
Portal is not running

[Expert@fw4:0]# for i in `mpclient list`; do echo $i ; mpclient getdata $i; done
DLPSenderPortal
Portal is not configured yet
SecurePlatform
Portal path prefix '' port 49927 hostname 'redacted' priority 10 encrypted 1
UserCheck
Portal path prefix '/UserCheck' port 56645 hostname 'redacted' priority 1000 encrypted 0
ZeroPhishing
Portal is not configured yet
nac
Portal is not configured yet
nac_transparent_auth
Portal is not configured yet
saml-vpn
Portal is not configured yet

I'll see if I can track down a way to disable udp/500 and 4500 from listening w/o impacting the portals.

Re: R81.20 - iked running while IPSec VPN blade not enabled

the_rock — Fri, 20 Oct 2023 18:03:54 GMT

No problem at all, glad we can help. I would be careful when it comes to disabling anything to do with multi-portal, as it may cause you more headache.

Cheers,

Andy

Re: R81.20 - iked running while IPSec VPN blade not enabled

HeikoAnkenbrand — Fri, 20 Oct 2023 18:46:54 GMT

Hi @Matt_Taber,

From version R81, the VPND has been replaced in many points by the IKED. You can read more in my article "New VPN daemons in R81.10 / R81.20 ". If a multiportal service other than - GAIA Portal corresponds to SecurePlatform - is started, the IKED - for older versions R80.40 and lower the VPND - is always started. The background is that the IKED is also responsible for certificate negotiation.

PS:
I think Check Point should revise the following sk109172 here. Unfortunately, only the VPND is described in this sk.

Re: R81.20 - iked running while IPSec VPN blade not enabled

_Val_ — Sat, 01 Jun 2024 13:30:37 GMT

Attention, quoting from Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)

In R81.10 we added a feature to improve VPN performance - named CCCD

This feature is disabled by default, and we know about few advanced customers who are using it.

Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!

YOU MUST DISABLE CCCD TO BECOME PROTECTED!

Instructions below and also on SK182336:

Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled.

If the output differs, stop the CCCD process by running the vpn cccd disable command.

More info by the link above.

Re: R81.20 - iked running while IPSec VPN blade not enabled

Timothy_Hall — Mon, 10 Nov 2025 23:13:12 GMT

Hi Heiko,

The new R81.20+ iked has been formally documented here:

sk184307: VPN User-space Multi-Process Architecture in R81.20 and higher