topic Re: How to view "phase 2" SPI details in SASE and Remote Access

How to view "phase 2" SPI details

Phil_Leinster — Tue, 18 Dec 2018 11:58:26 GMT

Is it possible to find out the local and remote identities associated with a specific phase 2 SPI for an IPsec encrypted VPN?

The output from 'vpn tu' is rather limited:

4
Enter IP of peer (format: xxx.xxx.xxx.xxx): 192.0.2.1
Peer 192.0.2.1 SAs:
1. SPI's related to IKE SA <7dc3f321cf09371c,bc0373ef85ca407e>:
INBOUND:
1. 0xe75e94b5
OUTBOUND:
1. 0x2d692cda

Re: How to view "phase 2" SPI details

KennyManrique — Fri, 21 Jun 2019 09:07:10 GMT

Hi Phil,

You can verify the following: https://community.checkpoint.com/docs/DOC-3021-show-vpn-routing-on-cli

Regards.

Re: How to view "phase 2" SPI details

Phil_Leinster — Tue, 18 Dec 2018 14:39:01 GMT

Hi Kenny,

That looks like it should be helpful, but the command on this page doesn't print anything on my firewall instance. However I can go through the "fw tab -f -t vpn_routing -u" table manually to find my answer, so thank you!

I would need to go through this command in detail to find out what the problem is, but at first look the first grep statement is removing all the lines in my output as they all include the '+' sign. There's a deeper problem than that, though...

Re: How to view "phase 2" SPI details

KennyManrique — Tue, 18 Dec 2018 15:07:19 GMT

I tested the main command of the suggested post on R77.30 and R80.10 and both work as expected (expert mode); however, you can give a try to Alexey Bilay‌'s modification:

fw tab -t vpn_routing -u | awk 'NR>3 {$0=substr($0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' | xargs printf "%d.%d.%d.%d\t-\t%d.%d.%d.%d\tPeer: %d.%d.%d.%d\r\n"

Regards.

Re: How to view "phase 2" SPI details

Phil_Leinster — Tue, 18 Dec 2018 15:49:49 GMT

I am running R77.10 on the firewall I was testing against, which I know is out of support. Neither the original command nor my modified command worked on R77.30. I had to use separate versions for each as the output format has changed across versions. The original command may not work in future releases as the format output of the vpn_routing table does not seem to be stable:

R77.10
echo -e "\033[0m####################\n# VPN Routing #\n####################";fw tab -f -t vpn_routing -u 2>&1 |awk '{split($0,a,";"); print a[6]}' |sort -ng |uniq | awk '{split($0,a," "); print a[2]}' | xargs -I % sh -c 'echo -n "External Gateway: ";echo -e "\033[0;31m % \\033[37m";echo -e " Routing: \033[32m";fw tab -f -t vpn_routing -u 2>&1 |grep % |awk '\''{split($0,b,";"); print b[2] b[3]}'\''| sed 's/,//'| sed 's/From\://'| sed 's/To\:/-/'|sort -u ;echo -e "\033[0m" '

R77.30
echo -e "\033[0m####################\n# VPN Routing #\n####################";fw tab -f -t vpn_routing -u 2>&1 |awk '{split($0,a,";"); print a[6]}' |sort -ng |uniq | awk '{split($0,a,":"); print a[2]}' | xargs -I % sh -c 'echo -n "External Gateway: ";echo -e "\033[0;31m % \\033[37m";echo -e " Routing: \033[32m";fw tab -f -t vpn_routing -u 2>&1 |grep % |awk '\''{split($0,b,";"); print b[2] b[3]}'\''| sed 's/,//'| sed 's/From\://'| sed 's/To\:/-/'|sort -u ;echo -e "\033[0m" '

Re: How to view "phase 2" SPI details

Phil_Leinster — Tue, 18 Dec 2018 16:17:10 GMT

For anyone interested I created this script based on the original so I can easily check idents for single VPN peers (tested 0n R7710 & R77.30; mileage may vary on different versions):

#!/bin/bash
echo -e "\033[0m####################\n# VPN Routing #\n####################"
if [ $# -eq 0 ]
then
read -p 'Gateway: ' ipaddr
else
ipaddr=$1
fi
echo -n "For Single Gateway: "
echo -e "\033[0;31m $ipaddr \\033[37m"
echo -e " Routing: \033[32m"
fw tab -f -t vpn_routing -u 2>&1 |grep $ipaddr |awk '{split($0,b,";"); print b[2] b[3]}' | sed 's/,//'| sed 's/From\://'| sed 's/To\:/-/'|sort -u ;echo -e "\033[0m"