Hello Checkpoint,

can you please update the documentation? This is obviously inconsistent.

Thanks in advance.

Christian Riede

OK, understood. I our installation (and probably in 99% of all worldwide installations), the center gateway is an internal gateway, so this example is not wrong, but counterintuitive and somehow misleading.

The documentation is pretty confusing:
Can you provide the exact syntax to create a Star community with a central and satellite gateway that uses pre-shared keys?

Here's what I started to write out, which I'm pretty sure is wrong.

mgmt_cli --session-id $session add vpn-community-star name "VPNCommunity1" center-gateways "CentralFW" statellite-gateways "RemoteFW" encryption-method "prefer ikev2 but support ikev1" encryption-suite "custom" ike-phase-1.data-intergrity "sha256" ike-phase-1.encryption-algorithm "aes-256" ike-phase-1.diffie-hellman-group "group 14" ike-phase-2.data-integrity "sha256" ike-phase-2.encryption-algorithm "aes-256" use-shared-secret true shared-secrets.1.external-gateway "CentralFW" shared-secrets.1.shared-secret "mysharedsecret1"




----------------------

Managed to figure things out.
I noted you can't create an inter-operable device in API version 1.7 (we are using R81), unless someone can tellme I'm wrong and how to do it. So now assuming the interoperable device has been created I did the following:

Central GW = CentralFW (Managed via a local MGR)
Satellite GW = RemoteFW (Third-Party managed, and not Checkpoint)

Phase I:
IKE Version = 2
Encryption = AES256
Auth = SHA256
DH Group = 5
Lifetime = default (1440)

Phase II
IKE Version = 2
Encryption = AES256
Auth = SHA256
DH Group = 5
Lifetime = 3000 (seconds)
Use Preshared = Y

Below is the mgmt_cli command used:
mgmt_cli --session-id $session add vpn-community-star name "CommunityTest" center-gateways "CentralFW" satellite-gateways "RemoteFW" use-shared-secret "true" shared-secrets.1.external-gateway "RemoteFW" shared-secrets.1.shared-secret "mysharedsecret1123456" encryption-method "prefer ikev2 but support ikev1" encryption-suite "custom" ike-phase-1.data-integrity "sha256" ike-phase-1.encryption-algorithm "aes-256" ike-phase-1.diffie-hellman-group "group 5" ike-phase-2.data-integrity "sha256" ike-phase-2.encryption-algorithm "aes-256" ike-phase-2.ike-p2-use-pfs true ike-phase-2.ike-p2-pfs-dh-grp "group 5" ike-phase-2.ike-p2-rekey-time 3000 color "red" comments "Test Community"

Which firewall is managed by the management where you are running the command? Which firewall is not managed by that management?

CentralFW is managed by me, and the remote is a thirdparty not using Checkpoint; commands are run from the Manager using mgmt_cli

I see you got it working. Cool.

Yes - but I wish there was more examples.

You can probably create an interoperable object via generic-object API calls in earlier releases.
Not exactly sure of the syntax, but believe they are present in the community.

any idea what I should search for?

I've pretty much got everything I need accept that part now.

Even then the API isn't complete in the latest versions. For instance, you can't set NAT override or change timers with an API call so if these parameters are of importance, you would need to review them manually.

You will have to dig through a few threads, starting with this one (and one that's linked in this thread): https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-find-generic-object-that-is-not-define...