This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kumar
Participant
‎2018-06-18 07:52 AM

Could you please explain what does i represents in the IPSEC SA?

When we are listing all the IPSEC SA's.

It appears as below.

What does the i Mean ?

4 Replies
Huseyin_Rencber
Collaborator
‎2018-06-18 10:52 AM

What's the device version? 

0 Kudos
ED
Advisor
‎2018-06-18 01:32 PM

There is a * for option 2 and 4. 

* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.

Kumar
Participant
‎2018-06-18 06:24 PM

I has one more doubt.

Whether the SA formation depends on  the encryption domain that we are providing or based on the rule  (interesting traffic) that we are creating?

0 Kudos
ED
Advisor
‎2018-06-18 11:46 PM
In response to Kumar

During Phase 2-Quick mode in the IKE-negotiation the IPSec SAs are negotiated. Phase 2 uses three packets and in the first packet is the initiator's VPN domain configuration in the first ID field and in ID field 2 is the VPN domain configuration proposed for the peer gateway. 

You can see this negotiation process for both Phase 1 and Phase 2 in ike.elg with Check Point utility called IKEView.

Download IKEView from here https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/htm...

Turn on debug of IKE on security gateway to capture the negotiation. 

To enable IKE debug mode, run in Expert mode on Security Gateway: 
vpn debug ikeon 

To stop IKE debugging, run in Expert mode on Security Gateway: 
vpn debug ikeoff 

Also nice to know:

vpnd daemon ($FWDIR/bin/vpnd) - User Mode daemon, which is in charge of handling both IKE and IPSec SAs, as well as initiating and responding for IKE negotiations with other VPN gateways. This daemon is spawned by fwd daemon

R80.10 introduced MultiCore support for IPsec VPN. 

IPsec VPN MultiCore feature allows CoreXL to inspect VPN traffic on all CoreXL FW instances.

This feature is enabled by default, and it is not supported to disable it.

Nice explanation of IPSec & IKE: https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm?topic=documents/R77...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top