Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Christian_Riede
Collaborator

mgmt_cli and add-vpn-community-star

Hello,

in https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-vpn-community-star~v1.4%20, it says:

 

add-vpn-community-star (with shared secrets)

 

Command

mgmt_cli add vpn-community-star name "New_VPN_Community_Star_1" center-gateways "External_Gateway_1" use-shared-secret true shared-secrets.1.external-gateway "External_Gateway_1" shared-secrets.1.shared-secret "mysharedsecret1" --version 1.4 --format json
 • "--format json" is optional. By default the output is presented in plain text.

 

Why is the external gateway listed under "central-gateways"? Typo?

Regards, Christian Riede

0 Kudos
13 Replies
Maarten_Sjouw
Champion
Champion

With External Gateway the only thing I can think of is your gateway at the perimeter, as you can have a external and an Internal gateway.
For the Remote side I would use the term Remote Gateway as to describe the gateway at the other side.
Regards, Maarten
0 Kudos
Christian_Riede
Collaborator

Hello Checkpoint,

can you please update the documentation? This is obviously inconsistent.

Thanks in advance.

Christian Riede

0 Kudos
Amiad_Stern

Hi @Christian_Riede ,

This is not a Typo. In Star community you have Central Gateway and Satellite Gateways. These Gateways can be Check-Point Gateways or Externally Managed Gateways (see image below).

In this example "External_Gateway_1" is of type Externally Managed, it was set in the community as a Central Gateway and since it is Externally Managed, it should be configured with shared secret. This is why it is being listed twice.

 

externally-managed.png

0 Kudos
Christian_Riede
Collaborator

OK, understood. I our installation (and probably in 99% of all worldwide installations), the center gateway is an internal gateway, so this example is not wrong, but counterintuitive and somehow misleading.

0 Kudos
genisis__
Leader Leader
Leader

The documentation is pretty confusing:
Can you provide the exact syntax to create a Star community with a central and satellite gateway that uses pre-shared keys?

Here's what I started to write out, which I'm pretty sure is wrong.

mgmt_cli --session-id $session add vpn-community-star name "VPNCommunity1" center-gateways "CentralFW" statellite-gateways "RemoteFW" encryption-method "prefer ikev2 but support ikev1" encryption-suite "custom" ike-phase-1.data-intergrity "sha256" ike-phase-1.encryption-algorithm "aes-256" ike-phase-1.diffie-hellman-group "group 14" ike-phase-2.data-integrity "sha256" ike-phase-2.encryption-algorithm "aes-256" use-shared-secret true shared-secrets.1.external-gateway "CentralFW" shared-secrets.1.shared-secret "mysharedsecret1"




----------------------

Managed to figure things out.
I noted you can't create an inter-operable device in API version 1.7 (we are using R81), unless someone can tellme I'm wrong and how to do it. So now assuming the interoperable device has been created I did the following:

Central GW = CentralFW (Managed via a local MGR)
Satellite GW = RemoteFW (Third-Party managed, and not Checkpoint)

Phase I:
IKE Version = 2
Encryption = AES256
Auth = SHA256
DH Group = 5
Lifetime = default (1440)

Phase II
IKE Version = 2
Encryption = AES256
Auth = SHA256
DH Group = 5
Lifetime = 3000 (seconds)
Use Preshared = Y

Below is the mgmt_cli command used:
mgmt_cli --session-id $session add vpn-community-star name "CommunityTest" center-gateways "CentralFW" satellite-gateways "RemoteFW" use-shared-secret "true" shared-secrets.1.external-gateway "RemoteFW" shared-secrets.1.shared-secret "mysharedsecret1123456" encryption-method "prefer ikev2 but support ikev1" encryption-suite "custom" ike-phase-1.data-integrity "sha256" ike-phase-1.encryption-algorithm "aes-256" ike-phase-1.diffie-hellman-group "group 5" ike-phase-2.data-integrity "sha256" ike-phase-2.encryption-algorithm "aes-256" ike-phase-2.ike-p2-use-pfs true ike-phase-2.ike-p2-pfs-dh-grp "group 5" ike-phase-2.ike-p2-rekey-time 3000 color "red" comments "Test Community"

0 Kudos
Bob_Zimmerman
Authority
Authority

Which firewall is managed by the management where you are running the command? Which firewall is not managed by that management?

0 Kudos
genisis__
Leader Leader
Leader

CentralFW is managed by me, and the remote is a thirdparty not using Checkpoint; commands are run from the Manager using mgmt_cli

0 Kudos
Bob_Zimmerman
Authority
Authority

I see you got it working. Cool.

0 Kudos
genisis__
Leader Leader
Leader

Yes - but I wish there was more examples.

0 Kudos
PhoneBoy
Admin
Admin

You can probably create an interoperable object via generic-object API calls in earlier releases.
Not exactly sure of the syntax, but believe they are present in the community.

0 Kudos
genisis__
Leader Leader
Leader

any idea what I should search for?

I've pretty much got everything I need accept that part now.

0 Kudos
Alex-
Leader Leader
Leader

Even then the API isn't complete in the latest versions. For instance, you can't set NAT override or change timers with an API call so if these parameters are of importance, you would need to review them manually.

0 Kudos
PhoneBoy
Admin
Admin

You will have to dig through a few threads, starting with this one (and one that's linked in this thread): https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-find-generic-object-that-is-not-define... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events