Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Michael_Rolbin
Contributor

cpmiquerybin for VPN monitoring

How can I get by #cpmiquerybin a list of VPN Gateways in VPN community?

Maybe you have examples how to monitor VPN resources and tunnels by cpmiquerybin?

11 Replies
PhoneBoy
Admin
Admin

Pretty sure cpmiquerybin is not the correct way to discover this information.

From the R80.x API, you should be able to print the relevant VPN community to determine what gateways are in a given community, using show vpn-community-meshed name CommunityName.

From there, you can connect to the relevant gateways and monitor tunnels using vpn tu or the relevant tables. 

0 Kudos
Michael_Rolbin
Contributor

The problem is that API is not enabled by default on CP R80.x products. How can we retrieve the information about VPN community gateways out of API?

0 Kudos
PhoneBoy
Admin
Admin

The API is definitely enabled by default, but it isn't accessible from anything but localhost unless you configure it.

If it weren't enabled, you would not be able to use the mgmt_cli command.

SmartConsole might not work so well without it, either Smiley Happy

The first command shows you the "meshed" VPN communities.

The second command shows you how you would actually see what gateways are in the community (though in this case, there are no configured).

There are similar API commands for "star" communities (show vpn-communities-star and show vpn-community-star).

[Expert@MGMT:0]# mgmt_cli -r true show vpn-communities-meshed

objects:

- uid: "6b8e4ed1-ccd4-43e2-ba94-1ee35d652cf7"

  name: "MyIntranet"

  type: "vpn-community-meshed"

  domain:

    uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"

    name: "SMC User"

    domain-type: "domain"

from: 1

to: 1

total: 1

[Expert@MGMT:0]# mgmt_cli -r true show vpn-community-meshed name MyIntranet

uid: "6b8e4ed1-ccd4-43e2-ba94-1ee35d652cf7"

name: "MyIntranet"

type: "vpn-community-meshed"

domain:

  uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"

  name: "SMC User"

  domain-type: "domain"

gateways: []

use-shared-secret: false

encryption-method: "ikev1 for ipv4 and ikev2 for ipv6 only"

encryption-suite: "custom"

ike-phase-1:

  encryption-algorithm: "aes-256"

  diffie-hellman-group: "group-2"

  data-integrity: "sha1"

ike-phase-2:

  encryption-algorithm: "aes-128"

  data-integrity: "sha1"

comments: ""

color: "black"

icon: "VPNCommunities/Meshed"

tags: []

meta-info:

  lock: "unlocked"

  validation-state: "ok"

  last-modify-time:

    posix: 1495347014592

    iso-8601: "2017-05-20T23:10-0700"

  last-modifier: "System"

  creation-time:

    posix: 1495347014592

    iso-8601: "2017-05-20T23:10-0700"

  creator: "System"

read-only: false

Michael_Rolbin
Contributor

Thank you for the API reference!

I know that CP pushing to use API, and it's right way to work. Unfortunately, API has limitations as you mentioned, and 4 GB RAM to be able to run API.

My question still there, in case a customer didn't enable remote API access, can we get the VPN community GWs (not just information about VPN community IKE phases, but Firewalls names and IPs) information by the query?

0 Kudos
PhoneBoy
Admin
Admin

The fact you're mentioning anything less than 6GB of RAM (required to run R80.x) suggests you're on an earlier release, is that correct?

That would have been a very relevant detail to mention up-front and would have saved a few messages Smiley Happy

0 Kudos
Michael_Rolbin
Contributor

🙂 I'm on R80.10 T421

0 Kudos
PhoneBoy
Admin
Admin

In any case, the documentation for cpmiquerybin is: How to use the 'cpmiquerybin' command to list objects and their attributes 

From reading this, there doesn't appear to be a way to dump the VPN communities, only regular network objects.

But, you should be able to use dbedit to do it, provided you know the community name(s) in question.

[Expert@MGMT:0]# dbedit -local

Please enter a command, -h for help or -q to quit:

dbedit> print communities MyIntranet

Object Name: MyIntranet

Object UID: {6B8E4ED1-CCD4-43E2-BA94-1EE35D652CF7}

Class Name: intranet_community

Table Name: communities

Last Modified by: System

Last Modified from: localhost

Last Modification time: Sat May 20 23:10:14 2017

Fields Details

--------------

    ID: 1

    add_routed_domain: NULL

    allow_all_encrypted_traffic: false

    allow_all_encrypted_traffic_on: both

    automatic_RIM: true

    automatic_RIM_satellites: false

    backup_stickiness: false

    color: black

    comments:

    cryptography:  (

        cryptography_profile: custom_profile

        cryptography_type_support: ike_v1_only

    )

    customer_script_center: false

    customer_script_satellites: false

    default_mep_rule:  (

        Priority1:

        Priority2:

        Priority3:

        source:

    )

    disable_NAT: false

    disable_NAT_on: both

    enable_MEP: false

    exclude_srv:

    ext_gateways_shared_secret: (

        (

            <NULL>

        )

    )

    ike_p1:  (

        ike_p1_dh_grp: Name: Group 2 (1024 bit) (Table: encryption)

        ike_p1_enc_alg: AES-256

        ike_p1_hash_alg: SHA1

        ike_p1_rekey_time: 1440

        ike_p1_use_aggressive: false

        ike_p1_use_aggressive_for_DAIP: false

        ike_p1_use_shared_secret: false

        ike_p1_use_shared_secret_for_DAIP: false

    )

    ike_p2:  (

        ike_p2_enc_alg: AES-128

        ike_p2_hash_alg: SHA1

        ike_p2_ipcomp: None

        ike_p2_pfs_dh_grp: Name: Group 2 (1024 bit) (Table: encryption)

        ike_p2_rekey_kbytes: 50000

        ike_p2_rekey_time: 3600

        ike_p2_use_pfs: false

        ike_p2_use_rekey_kbytes: false

        ike_p2_use_subnets: true

    )

    manual_mep_rules: (

        (

            <NULL>

        )

    )

    mep_mechanism: src

    meshed_in_center: false

    participant_gateways:

    participants_domains: (

        (

            <NULL>

        )

    )

    permanent_tunnel_down_track: log

    permanent_tunnel_list: (

        (

            <NULL>

        )

    )

    permanent_tunnel_participant_list:

    permanent_tunnel_participants: all_members

    permanent_tunnel_up_track: log

    permanent_tunnels_def: none

    route_injection_track: log

    route_ret_packets: false

    route_through_center: none

    satellite_gateways:

    sel_mechanism: first

    support_wire_mode: false

    support_wire_mode_routing: false

    topology: meshed

    tunnel_granularity: per_subnet

    type: intranet_community

    vpn_mep_resolver_notification: log


0 Kudos
Michael_Rolbin
Contributor

Awesome, thank you!

0 Kudos
Michael_Rolbin
Contributor

Is there any option to get the VPN Community Name from a VPN GW?

0 Kudos
PhoneBoy
Admin
Admin

A gateway can actually be a member of multiple communities.

I'm not aware of a way of determining this using just the gateway name.

But, you can dump the list of VPN Communities in dbedit:

[Expert@mumford:0]# dbedit -local

Please enter a command, -h for help or -q to quit:

dbedit> printxml communities

<communities_object>MyIntranet

<ID>1</ID><allow_all_encrypted_traffic>false</allow_all_encrypted_traffic>

<allow_all_encrypted_traffic_on><![CDATA[both]]></allow_all_encrypted_traffic_on><automatic_RIM>true</automatic_RIM><automatic_RIM_satellites>false</automatic_RIM_satellites><backup_stickiness>false</backup_stickiness>

<color><![CDATA[black]]></color>

<comments><![CDATA[]]></comments>

<cryptography>

<cryptography_profile><![CDATA[custom_profile]]></cryptography_profile>

<cryptography_type_support><![CDATA[ike_v1_only]]></cryptography_type_support>

</cryptography><customer_script_center>false</customer_script_center><customer_script_satellites>false</customer_script_satellites>

<default_mep_rule>

<Priority1>

</Priority1>

<Priority2>

</Priority2>

<Priority3>

</Priority3>

<source>

</source>

</default_mep_rule><disable_NAT>false</disable_NAT>

<disable_NAT_on><![CDATA[both]]></disable_NAT_on><enable_MEP>false</enable_MEP>

<exclude_srv>

</exclude_srv>

<ext_gateways_shared_secret>

</ext_gateways_shared_secret>

<ike_p1>

<ike_p1_dh_grp>ReferenceObject

<Name>Group 2 (1024 bit)</Name>

<Table>encryption</Table>

<Uid>{97AEB629-9AEA-11D5-BD16-0090272CCB30}</Uid>

</ike_p1_dh_grp>

<ike_p1_enc_alg><![CDATA[AES-256]]></ike_p1_enc_alg>

<ike_p1_hash_alg><![CDATA[SHA1]]></ike_p1_hash_alg>

<ike_p1_rekey_time>1440</ike_p1_rekey_time><ike_p1_use_aggressive>false</ike_p1_use_aggressive><ike_p1_use_aggressive_for_DAIP>false</ike_p1_use_aggressive_for_DAIP><ike_p1_use_shared_secret>false</ike_p1_use_shared_secret><ike_p1_use_shared_secret_for_DAIP>false</ike_p1_use_shared_secret_for_DAIP>

</ike_p1>

<ike_p2>

<ike_p2_enc_alg><![CDATA[AES-128]]></ike_p2_enc_alg>

<ike_p2_hash_alg><![CDATA[SHA1]]></ike_p2_hash_alg>

<ike_p2_ipcomp><![CDATA[None]]></ike_p2_ipcomp>

<ike_p2_pfs_dh_grp>ReferenceObject

<Name>Group 2 (1024 bit)</Name>

<Table>encryption</Table>

<Uid>{97AEB629-9AEA-11D5-BD16-0090272CCB30}</Uid>

</ike_p2_pfs_dh_grp>

<ike_p2_rekey_kbytes>50000</ike_p2_rekey_kbytes>

<ike_p2_rekey_time>3600</ike_p2_rekey_time><ike_p2_use_pfs>false</ike_p2_use_pfs><ike_p2_use_rekey_kbytes>false</ike_p2_use_rekey_kbytes><ike_p2_use_subnets>true</ike_p2_use_subnets>

</ike_p2>

<manual_mep_rules>

</manual_mep_rules>

<mep_mechanism><![CDATA[src]]></mep_mechanism><meshed_in_center>false</meshed_in_center>

<participant_gateways>

<unnamed_element  setname="">ReferenceObject

<Name>dummygw</Name>

<Table>network_objects</Table>

<Uid>{DD30A946-0BEF-46BF-8944-33A8CA3183A2}</Uid>

</unnamed_element>

</participant_gateways>

<participants_domains>

</participants_domains>

<permanent_tunnel_down_track><![CDATA[log]]></permanent_tunnel_down_track>

<permanent_tunnel_list>

</permanent_tunnel_list>

<permanent_tunnel_participant_list>

</permanent_tunnel_participant_list>

<permanent_tunnel_participants><![CDATA[all_members]]></permanent_tunnel_participants>

<permanent_tunnel_up_track><![CDATA[log]]></permanent_tunnel_up_track>

<permanent_tunnels_def><![CDATA[none]]></permanent_tunnels_def>

<route_injection_track><![CDATA[log]]></route_injection_track><route_ret_packets>false</route_ret_packets>

<route_through_center><![CDATA[none]]></route_through_center>

<satellite_gateways>

</satellite_gateways>

<sel_mechanism><![CDATA[first]]></sel_mechanism><support_wire_mode>false</support_wire_mode><support_wire_mode_routing>false</support_wire_mode_routing>

<topology><![CDATA[meshed]]></topology>

<tunnel_granularity><![CDATA[per_subnet]]></tunnel_granularity>

<type><![CDATA[intranet_community]]></type>

<vpn_mep_resolver_notification><![CDATA[log]]></vpn_mep_resolver_notification>

</communities_object>

<communities_object>RemoteAccess

<ID>2</ID><automatic_RIM>true</automatic_RIM><automatic_RIM_satellites>false</automatic_RIM_satellites><backup_stickiness>false</backup_stickiness>

<color><![CDATA[black]]></color>

<comments><![CDATA[]]></comments>

<cryptography>

<cryptography_profile><![CDATA[custom_profile]]></cryptography_profile>

<cryptography_type_support><![CDATA[ike_v1_only]]></cryptography_type_support>

</cryptography><customer_script_center>false</customer_script_center><customer_script_satellites>false</customer_script_satellites>

<default_mep_rule>

<Priority1>

</Priority1>

<Priority2>

</Priority2>

<Priority3>

</Priority3>

<source>

</source>

</default_mep_rule><enable_MEP>false</enable_MEP>

<ike_p1>

<ike_p1_dh_grp>ReferenceObject

<Name>Group 2 (1024 bit)</Name>

<Table>encryption</Table>

<Uid>{97AEB629-9AEA-11D5-BD16-0090272CCB30}</Uid>

</ike_p1_dh_grp>

<ike_p1_enc_alg><![CDATA[AES-256]]></ike_p1_enc_alg>

<ike_p1_hash_alg><![CDATA[SHA1]]></ike_p1_hash_alg>

<ike_p1_rekey_time>1440</ike_p1_rekey_time><ike_p1_use_aggressive>false</ike_p1_use_aggressive><ike_p1_use_aggressive_for_DAIP>false</ike_p1_use_aggressive_for_DAIP><ike_p1_use_shared_secret>false</ike_p1_use_shared_secret><ike_p1_use_shared_secret_for_DAIP>false</ike_p1_use_shared_secret_for_DAIP>

</ike_p1>

<ike_p2>

<ike_p2_enc_alg><![CDATA[AES-128]]></ike_p2_enc_alg>

<ike_p2_hash_alg><![CDATA[SHA1]]></ike_p2_hash_alg>

<ike_p2_ipcomp><![CDATA[None]]></ike_p2_ipcomp>

<ike_p2_pfs_dh_grp>ReferenceObject

<Name>Group 2 (1024 bit)</Name>

<Table>encryption</Table>

<Uid>{97AEB629-9AEA-11D5-BD16-0090272CCB30}</Uid>

</ike_p2_pfs_dh_grp>

<ike_p2_rekey_kbytes>50000</ike_p2_rekey_kbytes>

<ike_p2_rekey_time>3600</ike_p2_rekey_time><ike_p2_use_pfs>false</ike_p2_use_pfs><ike_p2_use_rekey_kbytes>false</ike_p2_use_rekey_kbytes><ike_p2_use_subnets>true</ike_p2_use_subnets>

</ike_p2>

<manual_mep_rules>

</manual_mep_rules>

<mep_mechanism><![CDATA[src]]></mep_mechanism>

<participant_gateways>

<unnamed_element  setname="">ReferenceObject

<Name>oscar</Name>

<Table>network_objects</Table>

<Uid>{5C34E630-E06C-41FD-BA2F-172B0BC62576}</Uid>

</unnamed_element>

<unnamed_element  setname="">ReferenceObject

<Name>dummygw</Name>

<Table>network_objects</Table>

<Uid>{DD30A946-0BEF-46BF-8944-33A8CA3183A2}</Uid>

</unnamed_element>

</participant_gateways>

<participant_users_groups>

<unnamed_element  setname="">ReferenceObject

<Name>All Users</Name>

<Table>globals</Table>

<Uid>{97AEB36A-9AEB-11D5-BD16-0090272CCB30}</Uid>

</unnamed_element>

</participant_users_groups>

<participants_domains>

</participants_domains>

<route_injection_track><![CDATA[log]]></route_injection_track><route_ret_packets>false</route_ret_packets>

<sel_mechanism><![CDATA[first]]></sel_mechanism>

<type><![CDATA[sr_community]]></type>

<vpn_mep_resolver_notification><![CDATA[log]]></vpn_mep_resolver_notification>

</communities_object>

0 Kudos
Michael_Rolbin
Contributor

We found that VPN community information stored on the VPN GW in a file:

$FWDIR/state/local/FW1/local.intranet_community

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events