Phil_Leinster
Participant

How to view "phase 2" SPI details

Is it possible to find out the local and remote identities associated with a specific phase 2 SPI for an IPsec encrypted VPN?

The output from 'vpn tu' is rather limited:

4

Enter IP of peer (format: xxx.xxx.xxx.xxx): 192.0.2.1

Peer 192.0.2.1 SAs:

1. SPI's related to IKE SA <7dc3f321cf09371c,bc0373ef85ca407e>:
INBOUND:
1. 0xe75e94b5
OUTBOUND:
1. 0x2d692cda


Accepted Solutions
KennyManrique
Advisor

Hi Phil,

You can verify the following: https://community.checkpoint.com/docs/DOC-3021-show-vpn-routing-on-cli 

Regards.

Phil_Leinster
Participant

Hi Kenny,

That looks like it should be helpful, but the command on this page doesn't print anything on my firewall instance. However, I can go through the "fw tab -f -t vpn_routing -u" table manually to find my answer, so thank you!

I would need to go through this command in detail to find out what the problem is, but at first look the first grep statement is removing all the lines in my output as they all include the '+' sign. There's a deeper problem than that, though...

KennyManrique
Advisor

I tested the main command of the suggested post on R77.30 and R80.10 and both work as expected (expert mode); however, you can give Alexey Bilay's modification a try:

fw tab -t vpn_routing -u | awk 'NR>3 {$0=substr($0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' | xargs printf "%d.%d.%d.%d\t-\t%d.%d.%d.%d\tPeer: %d.%d.%d.%d\r\n"

Regards.

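Kenny's one-liner above treats each vpn_routing record as three 32-bit words in hex (source, destination, peer) and converts them to dotted quads. The same decoding in Python, as an added example that is not from the thread or from Check Point; the record layout and the sample table output are assumptions inferred from that awk/printf pipeline, and the peer filter is an exact match so that 192.0.2.1 does not also pick up 192.0.2.10:

```python
import re
from ipaddress import IPv4Address

# Constructed sample of `fw tab -t vpn_routing -u` output in the hex form that
# the awk one-liner expects: three header lines, then one record per line.
# The <source, destination; peer> layout is an assumption inferred from the
# awk/printf pipeline in the thread, not taken from Check Point documentation.
SAMPLE_OUTPUT = """\
localhost:
-------- vpn_routing --------
dynamic, id 123, attributes: keep, sync, expires 7200
<0a000100, 0a000200; c0000201>
<0a000100, c0a80100; c0000201>
<0a000100, ac100000; c0000202>
"""

RECORD_RE = re.compile(r"^<([0-9a-f]{8}), ([0-9a-f]{8}); ([0-9a-f]{8})")


def hex_to_ip(word):
    """Turn an 8-hex-digit table word into dotted-quad form (network byte order)."""
    return str(IPv4Address(int(word, 16)))


def parse_vpn_routing(text):
    """Return (source, destination, peer) tuples, skipping the three header lines."""
    routes = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if lineno <= 3:
            continue
        m = RECORD_RE.match(line.strip())
        if not m:  # tolerate blank or trailer lines that substr() would mangle
            continue
        routes.append(tuple(hex_to_ip(w) for w in m.groups()))
    return routes


def routes_for_peer(text, peer):
    """Exact-match filter on the peer address, unlike a plain grep on the table."""
    return [r for r in parse_vpn_routing(text) if r[2] == peer]


if __name__ == "__main__":
    for src, dst, peer in parse_vpn_routing(SAMPLE_OUTPUT):
        print(f"{src}\t-\t{dst}\tPeer: {peer}")
```

Feed it the real table with `fw tab -t vpn_routing -u | python3 decode.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`, and confirm the first data line on your release actually starts with `<` before trusting the output.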
Phil_Leinster
Participant

I am running R77.10 on the firewall I was testing against, which I know is out of support. Neither the original command nor my modified command worked on R77.30. I had to use separate versions for each as the output format has changed across versions. The original command may not work in future releases as the output format of the vpn_routing table does not seem to be stable:

R77.10
echo -e "\033[0m####################\n# VPN Routing #\n####################";fw tab -f -t vpn_routing -u 2>&1 |awk '{split($0,a,";"); print a[6]}' |sort -ng |uniq | awk '{split($0,a," "); print a[2]}' | xargs -I % sh -c 'echo -n "External Gateway: ";echo -e "\033[0;31m % \\033[37m";echo -e " Routing: \033[32m";fw tab -f -t vpn_routing -u 2>&1 |grep % |awk '\''{split($0,b,";"); print b[2] b[3]}'\''| sed 's/,//'| sed 's/From\://'| sed 's/To\:/-/'|sort -u ;echo -e "\033[0m" '


R77.30
echo -e "\033[0m####################\n# VPN Routing #\n####################";fw tab -f -t vpn_routing -u 2>&1 |awk '{split($0,a,";"); print a[6]}' |sort -ng |uniq | awk '{split($0,a,":"); print a[2]}' | xargs -I % sh -c 'echo -n "External Gateway: ";echo -e "\033[0;31m % \\033[37m";echo -e " Routing: \033[32m";fw tab -f -t vpn_routing -u 2>&1 |grep % |awk '\''{split($0,b,";"); print b[2] b[3]}'\''| sed 's/,//'| sed 's/From\://'| sed 's/To\:/-/'|sort -u ;echo -e "\033[0m" '

Phil_Leinster
Participant

For anyone interested, I created this script based on the original so I can easily check idents for single VPN peers (tested on R77.10 & R77.30; mileage may vary on different versions):

#!/bin/bash
# Print the vpn_routing table entries (local - remote) for a single VPN peer.
echo -e "\033[0m####################\n# VPN Routing #\n####################"
# Take the peer address from the first argument, or prompt for it.
if [ $# -eq 0 ]
then
    read -p 'Gateway: ' ipaddr
else
    ipaddr="$1"
fi
echo -n "For Single Gateway: "
echo -e "\033[0;31m $ipaddr \033[37m"
echo -e " Routing: \033[32m"
# Fixed-string, whole-word match so 192.0.2.1 does not also match 192.0.2.10;
# the From:/To: fields are the 2nd and 3rd ';'-separated columns on R77.x.
fw tab -f -t vpn_routing -u 2>&1 | grep -Fw "$ipaddr" | awk '{split($0,b,";"); print b[2] b[3]}' | sed 's/,//' | sed 's/From://' | sed 's/To:/-/' | sort -u
echo -e "\033[0m"

