Creating multiple Remote Gateways/Interoperable Devices for IPsec VPN

Hi Team,

I am looking to create multiple 3rd-party remote gateways for IPsec VPN. I can create the object via SmartDashboard by

Object Explorer --> New --> Network Object --> More --> Interoperable Devices.

I cannot find how to do it via script. Has anyone worked on migrating VPN customers from ASA to Check Point?

Regards,

8 Replies

Re: Creating multiple remote Gateway for IPsec VPN

I found the answer here:

https://community.checkpoint.com/community/checkmates-live/blog/2017/09/02/i-am-dorit-dor-vp-of-prod... 

But I still cannot create the objects, as I can't find the correct syntax to create a new object. That comment does show how to edit, but not how to create a new one. I am getting the following error.

{
  "code": "generic_err_missing_required_parameters",
  "message": "Missing parameter: [create]"
}

Not sure what the value of create should be?


Re: Creating multiple remote Gateway for IPsec VPN

Anyone to comment on this? My migration is stuck because of this :(

Admin

Re: Creating multiple remote Gateway for IPsec VPN

I'm curious how your upgrade is stuck on this as I do not believe this was possible in R77.x (but could be wrong).

In any case, let me see if we can get the create scripts that were promised in the AMA posted.


Re: Creating multiple remote Gateway for IPsec VPN

Hi Dameon,

Thanks. My migration is stuck as I can't make a huge number of Interoperable objects :) via API, and I don't want to do it manually one by one.

I was just curious whether Check Point will release the script promised in the other post; it will make my life easier :)

Thanks.

Employee++

Re: Creating multiple remote Gateway for IPsec VPN

Here is how it can be done using the "Generic-Object" API:

Create a basic Interoperable device with given name "interdev_2" and IP address "10.1.1.2"
=====================================================================

mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" \
  name "interdev_2" ipaddr "10.1.1.2" \
  thirdPartyEncryption "True" \
  osInfo.osName "Gaia" \
  vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" \
  vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" \
  vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" \
  vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" \
  vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" \
  vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" \
  vpn.owned-object.sslNe.owned-object.sslEnable "False" \
  vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" \
  vpn.owned-object.isakmpUniversalSupport "True"

OUTPUT:

=======

{
  "create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
  "name" : "interdev_2",
  "ipaddr" : "10.1.1.2",
  "thirdPartyEncryption" : true,
  "osInfo" : {
    "osName" : "Gaia"
  },
  "vpn" : {
    "create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
    "owned-object" : {
      "vpnClientsSettingsForGateway" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
        "owned-object" : {
          "endpointVpnClientSettings" : {
            "create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
            "owned-object" : {
              "endpointVpnEnable" : true
            }
          }
        }
      },
      "ike" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
      },
      "sslNe" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
        "owned-object" : {
          "sslEnable" : false,
          "gwCertificate" : "defaultCert"
        }
      },
      "isakmpUniversalSupport" : true
    }
  }
}

Create Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", also add interface:
==================================================================================
Added interfaces list section with interface:
- name eth0
- IP Address 10.1.1.1
- netmask 255.255.255.0

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" \
  name "interdev_2" ipaddr "10.1.1.2" \
  thirdPartyEncryption "True" \
  osInfo.osName "Gaia" \
  vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" \
  vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" \
  vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" \
  vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" \
  vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" \
  vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" \
  vpn.owned-object.sslNe.owned-object.sslEnable "False" \
  vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" \
  vpn.owned-object.isakmpUniversalSupport "True" \
  interfaces.add.1.create "com.checkpoint.objects.classes.dummy.CpmiInterface" \
  interfaces.add.1.owned-object.officialname "eth0" \
  interfaces.add.1.owned-object.ipaddr "10.1.1.1" \
  interfaces.add.1.owned-object.netmask "255.255.255.0"

OUTPUT:

=======


{
  "create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
  "name" : "interdev_2",
  "ipaddr" : "10.1.1.2",
  "thirdPartyEncryption" : true,
  "osInfo" : {
    "osName" : "Gaia"
  },
  "vpn" : {
    "create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
    "owned-object" : {
      "vpnClientsSettingsForGateway" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
        "owned-object" : {
          "endpointVpnClientSettings" : {
            "create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
            "owned-object" : {
              "endpointVpnEnable" : true
            }
          }
        }
      },
      "ike" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
      },
      "sslNe" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
        "owned-object" : {
          "sslEnable" : false,
          "gwCertificate" : "defaultCert"
        }
      },
      "isakmpUniversalSupport" : true
    }
  },
  "interfaces" : {
    "add" : [
      {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiInterface",
        "owned-object" : {
          "officialname" : "eth0",
          "ipaddr" : "10.1.1.1",
          "netmask" : "255.255.255.0"
        }
      }
    ]
  }
}


Topology settings - Create Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", also add interface.
=========================================================================================


The topology of the added interface was set to be behind the given network (in my case - CP_default_Office_Mode_addresses_pool).

In an interface object, the field security.netaccess.access is set to "SPECIFIC" and
security.netaccess.allowed is set to the UID of the required network object.

Use the following Bash command to find out the UID of the required network, here CP_default_Office_Mode_addresses_pool:

local_network=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" \
  name "interdev_2" ipaddr "10.1.1.2" \
  thirdPartyEncryption "True" \
  osInfo.osName "Gaia" \
  vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" \
  vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" \
  vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" \
  vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" \
  vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" \
  vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" \
  vpn.owned-object.sslNe.owned-object.sslEnable "False" \
  vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" \
  vpn.owned-object.isakmpUniversalSupport "True" \
  interfaces.add.1.create "com.checkpoint.objects.classes.dummy.CpmiInterface" \
  interfaces.add.1.owned-object.officialname "eth0" \
  interfaces.add.1.owned-object.ipaddr "10.1.1.1" \
  interfaces.add.1.owned-object.netmask "255.255.255.0" \
  interfaces.add.1.owned-object.security.netaccess.access "SPECIFIC" \
  interfaces.add.1.owned-object.security.netaccess.allowed "$local_network" \
  interfaces.add.1.owned-object.security.netaccess.performAntiSpoofing "True" \
  interfaces.add.1.owned-object.security.antispoof "True"

OUTPUT:

=======


{
  "create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
  "name" : "interdev_2",
  "ipaddr" : "10.1.1.2",
  "thirdPartyEncryption" : true,
  "osInfo" : {
    "osName" : "Gaia"
  },
  "vpn" : {
    "create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
    "owned-object" : {
      "vpnClientsSettingsForGateway" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
        "owned-object" : {
          "endpointVpnClientSettings" : {
            "create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
            "owned-object" : {
              "endpointVpnEnable" : true
            }
          }
        }
      },
      "ike" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
      },
      "sslNe" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
        "owned-object" : {
          "sslEnable" : false,
          "gwCertificate" : "defaultCert"
        }
      },
      "isakmpUniversalSupport" : true
    }
  },
  "interfaces" : {
    "add" : [
      {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiInterface",
        "owned-object" : {
          "officialname" : "eth0",
          "ipaddr" : "10.1.1.1",
          "netmask" : "255.255.255.0",
          "security" : {
            "netaccess" : {
              "access" : "SPECIFIC",
              "allowed" : "065e3266-f32a-4bec-9eee-7947888ad122",
              "performAntiSpoofing" : true
            },
            "antispoof" : true
          }
        }
      }
    ]
  }
}

Create Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", also set Manually Defined VPN encryption domain
===========================================================================================
Set encdomain to be MANUAL.
Set manualEncdomain field to hold the UID of the required network.
Use the following Bash command to find out the UID of the required network, here CP_default_Office_Mode_addresses_pool:

vpn_enc_domain=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" \
  name "interdev_2" ipaddr "10.1.1.2" \
  thirdPartyEncryption "True" \
  osInfo.osName "Gaia" \
  vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" \
  vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" \
  vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" \
  vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" \
  vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" \
  vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" \
  vpn.owned-object.sslNe.owned-object.sslEnable "False" \
  vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" \
  manualEncdomain "$vpn_enc_domain" encdomain "MANUAL"

OUTPUT:

========

{
  "create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
  "name" : "interdev_2",
  "ipaddr" : "10.1.1.2",
  "thirdPartyEncryption" : true,
  "osInfo" : {
    "osName" : "Gaia"
  },
  "vpn" : {
    "create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
    "owned-object" : {
      "vpnClientsSettingsForGateway" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
        "owned-object" : {
          "endpointVpnClientSettings" : {
            "create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
            "owned-object" : {
              "endpointVpnEnable" : true
            }
          }
        }
      },
      "ike" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
      },
      "sslNe" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
        "owned-object" : {
          "sslEnable" : false,
          "gwCertificate" : "defaultCert"
        }
      }
    }
  },
  "manualEncdomain" : "065e3266-f32a-4bec-9eee-7947888ad122",
  "encdomain" : "MANUAL"
}

ENJOY!
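The thread starter needs this for a large number of devices, not one. As an added example that is not part of the original thread or of Check Point's own tooling, here is a small POSIX shell script that loops the generic-object command from the post above over a CSV of devices, validates each row before it reaches mgmt_cli, and publishes only when every object was created. The field paths and class names are those from the post; everything else is an assumption of this example: the CSV layout (name,ip,encryption_domain_network), the MGMT_CLI / SESSION_FILE / JQ overrides, the hypothetical file name bulk_interop.sh, the prior `mgmt_cli login > id.txt` step, and that mgmt_cli exits non-zero on an API error.

```shell
#!/bin/sh
# Added example, not code from the original thread: bulk-create Interoperable
# Devices with the generic-object API, reusing the CpmiGatewayPlain/CpmiVpn field
# paths from the post above, from a CSV laid out as
#   name,ip,encryption_domain_network      (header line, then one device per row)
# Assumptions of this example, not the post's: the CSV layout, the MGMT_CLI /
# SESSION_FILE / JQ overrides (MGMT_CLI=echo gives a dry run), that mgmt_cli exits
# non-zero on an API error, and that a session was opened first with
#   mgmt_cli login > id.txt
set -u

MGMT_CLI="${MGMT_CLI:-mgmt_cli}"
SESSION_FILE="${SESSION_FILE:-id.txt}"
JQ="${JQ:-/opt/CPshrd-R80/jq/jq}"

CLS="com.checkpoint.objects.classes.dummy"   # class prefix shared by every object below

# Conservative object-name check: letters, digits, '_', '-' and '.' only, so a
# stray CSV cell cannot be passed through as an attribute or an extra argument.
valid_name() {
  case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# Dotted quad, digits and dots only, every octet in 0..255.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# UID of a network object by name (the same jq filter the post uses).
network_uid() {
  "$MGMT_CLI" -s "$SESSION_FILE" show-generic-objects name "$1" -f json \
    | "$JQ" -r '.objects[] | select(.type | contains("network")) | .uid'
}

# Create one Interoperable Device. An empty $3 keeps the default (topology-based)
# encryption domain; a UID switches it to a manually defined one, as in the post.
add_interop() {
  obj_name=$1; obj_ip=$2; enc_uid=${3:-}
  valid_name "$obj_name" || { echo "skip: bad name '$obj_name'" >&2; return 2; }
  valid_ipv4 "$obj_ip"   || { echo "skip: bad ip '$obj_ip' ($obj_name)" >&2; return 2; }
  set -- -s "$SESSION_FILE" add generic-object \
    create "$CLS.CpmiGatewayPlain" name "$obj_name" ipaddr "$obj_ip" \
    thirdPartyEncryption "True" osInfo.osName "Gaia" \
    vpn.create "$CLS.CpmiVpn" \
    vpn.owned-object.vpnClientsSettingsForGateway.create "$CLS.CpmiVpnClientsSettingsForGateway" \
    vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "$CLS.CpmiEndpointVpnClientSettingsForGateway" \
    vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" \
    vpn.owned-object.ike.create "$CLS.CpmiIke" \
    vpn.owned-object.sslNe.create "$CLS.CpmiSslNetworkExtender" \
    vpn.owned-object.sslNe.owned-object.sslEnable "False" \
    vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" \
    vpn.owned-object.isakmpUniversalSupport "True"
  [ -z "$enc_uid" ] || set -- "$@" encdomain "MANUAL" manualEncdomain "$enc_uid"
  "$MGMT_CLI" "$@"
}

# Walk the CSV, resolve each encryption-domain network, create the devices, and
# publish only if every row succeeded; otherwise discard so nothing half-done lands.
bulk_add() {
  ok=0
  tail -n +2 "$1" | tr -d '\r' | while IFS=, read -r dev_name dev_ip enc_net; do
    [ -n "$dev_name$dev_ip" ] || continue          # tolerate blank lines
    enc_uid=""
    if [ -n "$enc_net" ]; then
      enc_uid=$(network_uid "$enc_net")
      [ -n "$enc_uid" ] || { echo "no network object '$enc_net' for $dev_name" >&2; exit 1; }
    fi
    add_interop "$dev_name" "$dev_ip" "$enc_uid" || exit 1
  done && ok=1
  if [ "$ok" -eq 1 ]; then
    "$MGMT_CLI" -s "$SESSION_FILE" publish
  else
    echo "errors above: discarding unpublished changes" >&2
    "$MGMT_CLI" -s "$SESSION_FILE" discard
    return 1
  fi
}

# Usage: sh bulk_interop.sh devices.csv   (with id.txt from a prior mgmt_cli login)
[ $# -eq 0 ] || bulk_add "$1"
```

MGMT_CLI=echo sh bulk_interop.sh devices.csv prints the generated commands without touching the database (rows with an encryption-domain column still need a real session for the UID lookup). All objects are created in one session and published once at the end, so a bad row never leaves a half-applied batch; the explicit discard drops the unpublished changes instead of leaving them locked in the session.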

Re: Creating multiple remote Gateway for IPsec VPN

Thanks man :)

Employee++

Re: Creating multiple Remote Gateways/Interoperable Devices for IPsec VPN

If you need to add that interoperable device as a center/satellite gateway to a VPN community, follow my post in this thread - 

https://community.checkpoint.com/thread/7668-how-to-add-interoperative-device-via-api

Robert.


Re: Creating multiple remote Gateway for IPsec VPN

An important disclaimer!

These APIs provide direct access to different objects and fields in the database. As a result, when the objects schema change, scripts that rely on specific schema fields may break.

Using the generic-object API is similar to using a dbedit script, allowing customers to manipulate the Check Point database. The generic-object API calls are supported calls that customers are allowed to use. However, if a customer writes a script using generic-object API calls and that script is later "broken" because Check Point changed the schema of the database, Check Point TAC will not be responsible for adjusting the customer's script to use the new schema.

When you have the option, always use the documented APIs and not the generic APIs:

  • They are documented
  • They are future compatible
  • They are tested
  • They have owners and you can get support if you run into trouble