This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jessica_smith
Contributor
‎2018-10-19 12:22 AM
Jump to solution

VPN TU HASH OR HEX

When you do VPN TU and select , say option 1

Peer 11.27.106.218 SAs:

1. IKE SA <b4ce6d95oc62e935,3f7248d932f017d3>:

2. IKE SA <f12ca4613c564c2b,09001dcf0ca41373>:

Peer 15.74.27.48 SAs:

1. IKE SA <11282929er737d23,35a68bw4431fa043>:

Question 1: What are these alpha numeric numbers for and how can I decode them? whats the pupose of these? why are they alpha numeric? is it due to security?

Question 2: Why first peer has 2 IKE SA entries and the other one has only one?

Any help would be appreciated.

1 Solution

Accepted Solutions
AlekseiShelepov
Advisor
‎2018-10-19 12:57 AM
Jump to solution

Could you explain what is the final goal here? What you would like to check?

1.

SPI: the 32-bit value used to distinguish among different SAs terminating at the same destination and using the same IPsec protocol.

2.

Each IPSec peer agrees to set up SAs consisting of policy parameters to be used during the IPSec session. The SAs are unidirectional for IPSec, so that peer 1 will offer peer 2 a policy. If peer 2 accepts this policy, it will send that policy back to peer 1. This establishes two one-way SAs between the peers. Two-way communication consists of two SAs, one for each direction.

View solution in original post

6 Replies
AlekseiShelepov
Advisor
‎2018-10-19 12:57 AM
Jump to solution

Could you explain what is the final goal here? What you would like to check?

1.

SPI: the 32-bit value used to distinguish among different SAs terminating at the same destination and using the same IPsec protocol.

2.

Each IPSec peer agrees to set up SAs consisting of policy parameters to be used during the IPSec session. The SAs are unidirectional for IPSec, so that peer 1 will offer peer 2 a policy. If peer 2 accepts this policy, it will send that policy back to peer 1. This establishes two one-way SAs between the peers. Two-way communication consists of two SAs, one for each direction.
jessica_smith
Contributor
‎2018-10-19 04:31 AM
In response to AlekseiShelepov
Jump to solution

Thanks Aleksei for your help.

To answer your question, I would like to know the phase 2 encryption domains from the cli that are being configured (local and remote encryption domain).

0 Kudos
_Val_
Admin
Admin
‎2018-10-19 05:06 AM
In response to jessica_smith
Jump to solution

That can be checked by enabling vpn debug and looking into ke.elg during key exchange. You cannot check that once SA is formed.

Also, answer to your original question is "neither", but Alexey has covered that already

jessica_smith
Contributor
‎2018-10-19 08:09 AM
In response to _Val_
Jump to solution

Thanks Smiley Happy

0 Kudos
AlekseiShelepov
Advisor
‎2018-10-19 05:31 AM
In response to jessica_smith
Jump to solution

In another thread you asked for this command and there was an answer about different options of CLI commands. Do they all not work on your firewalls?

1) https://community.checkpoint.com/docs/DOC-2214-common-check-point-commands-ccc 

fw tab -f -t vpn_routing -u 2>&1 | grep Peer: | cut -d ';' -f8 | cut -c 8- | sort -ng | uniq | xargs -I % sh -c 'echo; tput sgr0; echo -n VPN Gateway: ; tput setaf 1; echo -e %; tput sgr0; echo -e  Routing: ; tput setaf 2; fw tab -f -t vpn_routing -u 2>&1 | grep % | grep -o 'From.*Peer' | cut -c 6- | rev | cut -c 7- | rev' | sed 's/; To:/ -/g'; tput sgr0

2) Show VPN Routing on CLI 

echo -e "\033[0m####################\n# VPN Routing      #\n####################";fw tab -f -t vpn_routing -u 2>&1 |grep -v "+"| awk '{split($0,a,";"); print a[8]}' |sort -ng |uniq | awk '{split($0,a," "); print a[2]}' | xargs -I % sh -c  'echo -n "External Gateway: ";echo -e "\033[0;31m % \033[37m";echo -e "  Routing: \033[32m";fw tab -f -t vpn_routing -u 2>&1 |grep % |awk '\''{split($0,b,";"); print b[6] b[7]}'\''| sed 's/From\://'| sed 's/To\:/-/'|sort -u ;echo -e "\033[0m" '

3) Tim Hall's comment 

fw tab -t vpn_routing -u -f | awk '{ print $18 "  " $19 "  " $20 "  " $21 "  " $22 "  " $23 }'  | awk NF | sort -n

jessica_smith
Contributor
‎2018-10-19 08:07 AM
In response to AlekseiShelepov
Jump to solution

Hi Aleksei,

Many thanks for your reply.

I tried few of them already but they dont seem to work

[Expert@FW1-USA-A:0]# echo -e "\033[0m####################\n# VPN Routing #\n####################";fw tab -f -t vpn_routing -u 2>&1 |grep -v "+"| awk '{split($0,a,";"); print a[8]}' |sort -ng |uniq | awk '{split($0,a," "); print a[2]}' | xargs -I % sh -c 'echo -n "External Gateway: ";echo -e "\033[0;31m % \\033[37m";echo -e " Routing: \033[32m";fw tab -f -t vpn_routing -u 2>&1 |grep % |awk '\''{split($0,b,";"); print b[6] b[7]}'\''| sed 's/From\://'| sed 's/To\:/-/'|sort -u ;echo -e "\033[0m" '
####################
# VPN Routing #
####################



[Expert@FW1-USA-A:0]# fw tab -t vpn_routing -u -f | awk '{ print $18 " " $19 " " $20 " " $21 " " $22 " " $23 }' | awk NF | sort -n
fw: Warning: Can't find ::CPSB-CTNT in cp.macro. License version might be not compatible
Warning: Can't find ::CPSB-CTNT in cp.macro. License version might be not compatible
Using cptfmt
Formatting table's data - this might take a while...

0 Kudos