topic Re: mgmt_cli and add-vpn-community-star in API / CLI Discussion

mgmt_cli and add-vpn-community-star

Christian_Riede — Tue, 19 Mar 2019 11:20:44 GMT

Hello,

in https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-vpn-community-star~v1.4%20, it says:

add-vpn-community-star (with shared secrets)

Command

mgmt_cli add vpn-community-star name "New_VPN_Community_Star_1" center-gateways "External_Gateway_1" use-shared-secret true shared-secrets.1.external-gateway "External_Gateway_1" shared-secrets.1.shared-secret "mysharedsecret1" --version 1.4 --format json
 • "--format json" is optional. By default the output is presented in plain text.

Why is the external gateway listed under "central-gateways"? Typo?

Regards, Christian Riede

Re: mgmt_cli and add-vpn-community-star

Maarten_Sjouw — Tue, 19 Mar 2019 11:38:41 GMT

With External Gateway the only thing I can think of is your gateway at the perimeter, as you can have a external and an Internal gateway.
For the Remote side I would use the term Remote Gateway as to describe the gateway at the other side.

Re: mgmt_cli and add-vpn-community-star

Christian_Riede — Wed, 20 Mar 2019 09:05:08 GMT

Hello Checkpoint,

can you please update the documentation? This is obviously inconsistent.

Thanks in advance.

Christian Riede

Re: mgmt_cli and add-vpn-community-star

Amiad_Stern — Mon, 25 Mar 2019 21:52:15 GMT

Hi @Christian_Riede ,

This is not a Typo. In Star community you have Central Gateway and Satellite Gateways. These Gateways can be Check-Point Gateways or Externally Managed Gateways (see image below).

In this example "External_Gateway_1" is of type Externally Managed, it was set in the community as a Central Gateway and since it is Externally Managed, it should be configured with shared secret. This is why it is being listed twice.

Re: mgmt_cli and add-vpn-community-star

Christian_Riede — Tue, 26 Mar 2019 14:46:17 GMT

OK, understood. I our installation (and probably in 99% of all worldwide installations), the center gateway is an internal gateway, so this example is not wrong, but counterintuitive and somehow misleading.

Re: mgmt_cli and add-vpn-community-star

genisis__ — Fri, 27 Oct 2023 15:42:30 GMT

The documentation is pretty confusing:
Can you provide the exact syntax to create a Star community with a central and satellite gateway that uses pre-shared keys?

Here's what I started to write out, which I'm pretty sure is wrong.

mgmt_cli --session-id $session add vpn-community-star name "VPNCommunity1" center-gateways "CentralFW" statellite-gateways "RemoteFW" encryption-method "prefer ikev2 but support ikev1" encryption-suite "custom" ike-phase-1.data-intergrity "sha256" ike-phase-1.encryption-algorithm "aes-256" ike-phase-1.diffie-hellman-group "group 14" ike-phase-2.data-integrity "sha256" ike-phase-2.encryption-algorithm "aes-256" use-shared-secret true shared-secrets.1.external-gateway "CentralFW" shared-secrets.1.shared-secret "mysharedsecret1"

----------------------

Managed to figure things out.
I noted you can't create an inter-operable device in API version 1.7 (we are using R81), unless someone can tellme I'm wrong and how to do it. So now assuming the interoperable device has been created I did the following:

Central GW = CentralFW (Managed via a local MGR)
Satellite GW = RemoteFW (Third-Party managed, and not Checkpoint)

Phase I:
IKE Version = 2
Encryption = AES256
Auth = SHA256
DH Group = 5
Lifetime = default (1440)

Phase II
IKE Version = 2
Encryption = AES256
Auth = SHA256
DH Group = 5
Lifetime = 3000 (seconds)
Use Preshared = Y

Below is the mgmt_cli command used:
mgmt_cli --session-id $session add vpn-community-star name "CommunityTest" center-gateways "CentralFW" satellite-gateways "RemoteFW" use-shared-secret "true" shared-secrets.1.external-gateway "RemoteFW" shared-secrets.1.shared-secret "mysharedsecret1123456" encryption-method "prefer ikev2 but support ikev1" encryption-suite "custom" ike-phase-1.data-integrity "sha256" ike-phase-1.encryption-algorithm "aes-256" ike-phase-1.diffie-hellman-group "group 5" ike-phase-2.data-integrity "sha256" ike-phase-2.encryption-algorithm "aes-256" ike-phase-2.ike-p2-use-pfs true ike-phase-2.ike-p2-pfs-dh-grp "group 5" ike-phase-2.ike-p2-rekey-time 3000 color "red" comments "Test Community"

Re: mgmt_cli and add-vpn-community-star

Bob_Zimmerman — Fri, 27 Oct 2023 15:25:05 GMT

Which firewall is managed by the management where you are running the command? Which firewall is not managed by that management?

Re: mgmt_cli and add-vpn-community-star

genisis__ — Fri, 27 Oct 2023 15:41:36 GMT

CentralFW is managed by me, and the remote is a thirdparty not using Checkpoint; commands are run from the Manager using mgmt_cli

Re: mgmt_cli and add-vpn-community-star

Bob_Zimmerman — Fri, 27 Oct 2023 15:48:05 GMT

I see you got it working. Cool.

Re: mgmt_cli and add-vpn-community-star

genisis__ — Fri, 27 Oct 2023 15:56:37 GMT

Yes - but I wish there was more examples.

Re: mgmt_cli and add-vpn-community-star

PhoneBoy — Fri, 27 Oct 2023 17:03:49 GMT

You can probably create an interoperable object via generic-object API calls in earlier releases.
Not exactly sure of the syntax, but believe they are present in the community.

Re: mgmt_cli and add-vpn-community-star

genisis__ — Sat, 28 Oct 2023 08:30:36 GMT

any idea what I should search for?

I've pretty much got everything I need accept that part now.

Re: mgmt_cli and add-vpn-community-star

Alex- — Sat, 28 Oct 2023 09:13:16 GMT

Even then the API isn't complete in the latest versions. For instance, you can't set NAT override or change timers with an API call so if these parameters are of importance, you would need to review them manually.

Re: mgmt_cli and add-vpn-community-star

PhoneBoy — Mon, 30 Oct 2023 14:07:45 GMT

You will have to dig through a few threads, starting with this one (and one that's linked in this thread): https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-find-generic-object-that-is-not-defined-in-the-API/m-p/20885#M1308