Could you please explain what i represents in the IPsec SA?

When we are listing all the IPsec SAs, it appears as below.

What does the i mean?

4 Replies

Re: Could you please explain what i represents in the IPsec SA?

What's the device version?

Re: Could you please explain what i represents in the IPsec SA?

There is a * for options 2 and 4.

* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.

Re: Could you please explain what i represents in the IPsec SA?

I have one more doubt.

Does the SA formation depend on the encryption domain that we are providing, or on the rule (interesting traffic) that we are creating?

Re: Could you please explain what i represents in the IPsec SA?

During Phase 2 (Quick Mode) of the IKE negotiation, the IPsec SAs are negotiated. Phase 2 uses three packets; in the first packet, the first ID field carries the initiator's VPN domain configuration and the second ID field carries the VPN domain configuration proposed for the peer gateway.

You can see this negotiation process for both Phase 1 and Phase 2 in ike.elg with the Check Point utility called IKEView.

Download IKEView from here: https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/htm...

Turn on IKE debug on the Security Gateway to capture the negotiation.

To enable IKE debug mode, run in Expert mode on the Security Gateway:
vpn debug ikeon

To stop IKE debugging, run in Expert mode on the Security Gateway:
vpn debug ikeoff

Also nice to know:

vpnd daemon ($FWDIR/bin/vpnd) - User Mode daemon, which is in charge of handling both IKE and IPsec SAs, as well as initiating and responding to IKE negotiations with other VPN gateways. This daemon is spawned by the fwd daemon.

R80.10 introduced MultiCore support for IPsec VPN.

The IPsec VPN MultiCore feature allows CoreXL to inspect VPN traffic on all CoreXL FW instances.

This feature is enabled by default, and disabling it is not supported.

Nice explanation of IPSec & IKE: https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm?topic=documents/R77...