Christoph
Collaborator

Deactivate site-to-site VPN Tunnel

Hello,

I was wondering, is there a simple way to deactivate an S2S tunnel without breaking it? Like an enabled/disabled switch for the other gateway or community object?

As I believe there is no such thing, I wanted to ask what would be the best way to "deactivate", aka break, it, so that a person who is not proficient with the product can "enable" it quickly if needed.

 

Cheers

Christoph

8 Replies
PhoneBoy
Admin

The easiest way to do it is to remove the relevant gateways from the relevant VPN communities and push policy.

Christoph
Collaborator

If I remove the gateway, don't I lose the secret? So if I want to re-enable the tunnel, the PSK has to be set anew, with all the bells and whistles attached.

PhoneBoy
Admin

I was thinking to remove the local gateway from the relevant encryption domain, not the remote one.
Shared secrets for external peers are defined in the relevant VPN Community.

Christoph
Collaborator

The MyIntranet community is a meshed one. If you configure a star community and add an external GW, you can set the PSK for the peer.

[screenshot attached]

If you remove the external GW from the community, the peer in the shared secret section will vanish. If you re-add the external gateway, the PSK is gone.

PhoneBoy
Admin

Try removing your local gateway (not the remote one) from the community.

JozkoMrkvicka
Authority

You can try to use SAM rules from SmartView Monitor to block the desired communication.

Rule 1:
Source: Any
Destination: affected VPN S2S peer IP
Service: Any

Rule 2:
Source: affected VPN S2S peer IP
Destination: Any
Service: Any

These two rules should block all communication to/from the affected VPN peer IP. If you need to allow it again, simply remove the SAM rules, or set the time when the traffic should be enabled again.

Kind regards,
Jozko Mrkvicka
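The same two SAM rules can be created from the command line with `fw sam`, which is handy when the person re-enabling the tunnel only has SSH access. The script below is an added example written for this page, not code from the thread or from Check Point. It assumes the `fw sam` syntax from the Check Point CLI reference (`-t` timeout in seconds, `-I` to drop matching packets and close existing connections, `-C` to cancel a previously added rule, and the `any <IP>` criterion, which matches the address as either source or destination, so one rule covers both Source:Any/Destination:peer and Source:peer/Destination:Any); verify those flags against `fw sam` on your release. The peer address 192.0.2.10 and the one-day default timeout are placeholders. When `fw` is not on the PATH the script only prints the command it would run, so it can be reviewed on a workstation first.

```shell
#!/bin/sh
# Added example (not from the CheckMates thread or Check Point documentation).
# Builds and runs the fw sam commands equivalent to the two SmartView Monitor
# SAM rules suggested above. Run on the Security Management Server or gateway.
# The fw sam flags used here are assumptions to verify on your release.

# Validate a dotted-quad IPv4 address; returns 0 when well-formed.
valid_ipv4() {
    ip=$1
    # Reject anything but digits and dots, and malformed dot placement.
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    # Split into octets (positional parameters are local to the function).
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Command that drops every packet to or from PEER for TIMEOUT seconds.
# "any <IP>" matches the address as source or destination, so one rule
# replaces the Source:Any/Destination:peer + Source:peer/Destination:Any pair.
# Because the peer's own IKE/ESP traffic is dropped too, the tunnel stays down.
sam_block_cmd() {
    peer=$1
    timeout=$2
    valid_ipv4 "$peer" || return 1
    printf 'fw sam -v -t %s -I any %s\n' "$timeout" "$peer"
}

# Command that cancels that rule so the peer is handled by the normal policy again.
sam_unblock_cmd() {
    peer=$1
    valid_ipv4 "$peer" || return 1
    printf 'fw sam -v -C -I any %s\n' "$peer"
}

# Execute a built command when fw is available; otherwise show it (dry run).
run_or_show() {
    if command -v fw >/dev/null 2>&1; then
        eval "$1"
    else
        printf 'dry-run: %s\n' "$1"
    fi
}

main() {
    action=$1
    peer=$2
    timeout=${3:-86400}   # default: one day, after which the rule expires on its own
    case "$action" in
        block)
            cmd=$(sam_block_cmd "$peer" "$timeout") || { echo "bad peer address: $peer" >&2; return 2; }
            ;;
        unblock)
            cmd=$(sam_unblock_cmd "$peer") || { echo "bad peer address: $peer" >&2; return 2; }
            ;;
        *)
            echo "usage: $0 block|unblock <peer-ip> [timeout-seconds]" >&2
            return 2
            ;;
    esac
    run_or_show "$cmd"
}

# Only act when invoked with arguments, e.g.:
#   sh sam_peer.sh block 192.0.2.10 3600
#   sh sam_peer.sh unblock 192.0.2.10
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Giving the rule a timeout is the simplest way to make the tunnel "re-enable itself" without anyone having to find the SAM rule later; omitting `-t` would keep it until it is cancelled. As noted in the replies, a SAM rule is not visible in the SmartConsole rulebase, so leave the exact `unblock` command with whoever has to restore the tunnel.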
PhoneBoy
Admin

That might be safest insofar as it doesn't touch the VPN configuration otherwise.
Finding/removing this (or a fwaccel dos rule) does require some knowledge about how to do it, since it won't be obvious from SmartConsole this will be necessary.

the_rock
Legend

Personally, I never heard of such a thing with any vendor actually. As Phoneboy said, you could delete the gateway from the community itself without removing the community, then simply disable the rule for that VPN.

Andy
