the_rock
Legend

File/command to verify all the vpn settings for all the S2S tunnels

Hey guys,

I never had anyone ask me this before, but a customer asked if there is any file or command on CP that would let them see all phase 1/2 settings for all the S2S VPN tunnels (in case SmartConsole is not available).

I ran the vpn and vpn tu ? commands and see a bunch of commands that can be run, but nothing like what they asked.

Interesting question, but not sure something like that exists ; - )

Thoughts?

Tx for the help as always.

0 Kudos
15 Replies
PhoneBoy
Admin

From the gateway itself? 
That stuff is compiled as part of the Access Policy, so in theory it should be available.
How accessible it is...separate question.

If it were me, I'd poke around in $FWDIR/state/FW1 and see if you can find it somewhere in there.

0 Kudos
the_rock
Legend

Yea, either gateway or mgmt server. Will check that dir in R81.20 lab gateway and see what I find. Thanks for the help.

Cheers,

Andy

0 Kudos
the_rock
Legend

K, so had a quick look and that dir does not exist on the fw, but I found similar on mgmt server:


[Expert@QUANTUM-MANAGEMENT:0]# pwd
/opt/CPsuite-R81.20/fw1/state/quantum-fw/FW1
[Expert@QUANTUM-MANAGEMENT:0]#

K, small correction, there is a dir on the fw (similar path), but the files are literally the same:

/opt/CPsuite-R81.20/fw1/state/local/FW1

Now, out of all the files listed in that dir, I can't really find one that would have what the customer is looking for, so not sure, as you said, how accessible this could be... : - )

[Expert@QUANTUM-MANAGEMENT:0]# ls -lh
total 7.0M
-rw-rw---- 1 admin root 1.7K Apr 8 11:41 auxfiles.map
-rw-rw---- 1 admin root 2.6K Apr 8 11:41 local.DynamicContent
-rw-rw---- 1 admin root 37K Apr 8 11:41 local.Sandbox-persistence.xml
-rw-rw---- 1 admin root 270 Apr 8 11:41 local._policy_metadata
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.ad_query_profiles
-rw-rw---- 1 admin root 309 Apr 8 11:41 local.adlog.networks.exclude
-rw-rw---- 1 admin root 148 Apr 8 11:41 local.adlog.users.exclude
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.allowed_clients_objects
-rw-rw---- 1 admin root 23K Apr 8 11:41 local.appfw_misc
-rw-rw---- 1 admin root 13K Apr 8 11:41 local.application
-rw-r--r-- 1 admin root 1.3K Apr 8 11:41 local.application_group
-rw-rw---- 1 admin root 16K Apr 8 11:41 local.category
-rw-rw---- 1 admin root 0 Apr 8 11:41 local.ccp
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.cloudShadowObjectsDumpForGateway
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.cmsDumpForGateway
-rw-rw---- 1 admin root 7.8K Apr 8 11:41 local.connectra_global_properties
-rw-rw---- 1 admin root 1.3K Apr 8 11:41 local.connectra_policy
-rw-rw---- 1 admin root 577 Apr 8 11:41 local.cpmi_file
-rw-rw---- 1 admin root 8 Apr 8 11:41 local.ctlver
-rw-rw---- 1 admin root 680 Apr 8 11:41 local.current_recovery.profile
-rw-r--r-- 1 admin root 1.1K Apr 8 11:41 local.data_awareness_settings
-rw-rw---- 1 admin root 47K Apr 8 11:41 local.data_files
-rw-rw---- 1 admin root 61K Apr 8 11:41 local.db
-rw-r--r-- 1 admin root 27K Apr 8 11:41 local.dcerpc_service
-rw-rw---- 1 admin root 0 Apr 8 11:41 local.device_settings_transactions
-rw-rw---- 1 admin root 4 Apr 8 11:41 local.domain_objects_for_web_applications
-rw-r--r-- 1 admin root 9.7K Apr 8 11:41 local.dynobj
-rw-rw---- 1 admin root 6.8K Apr 8 11:41 local.embedded_applications
-rw-rw---- 1 admin root 966 Apr 8 11:41 local.eps_notify.html
-rw-rw---- 1 admin root 1.7K Apr 8 11:41 local.eps_notify.mail
-rw-rw---- 1 admin root 713K Apr 8 11:41 local.fc
-rw-rw---- 1 admin root 777K Apr 8 11:41 local.fc6
-rw-r--r-- 1 admin root 928 Mar 14 20:31 local.file_data_type
-rw-r--r-- 1 admin root 603 Mar 14 20:31 local.file_type
-rw-rw---- 1 admin root 343K Apr 8 11:41 local.file_types
-rw-rw---- 1 admin root 867 Apr 8 11:41 local.fileslist
-rw-rw---- 1 admin root 220K Apr 8 11:41 local.ft
-rw-rw---- 1 admin root 220K Apr 8 11:41 local.ft6
-rw-rw---- 1 admin root 5.3K Apr 8 11:41 local.fwrl.conf
-rw-r--r-- 1 admin root 3.7K Apr 8 11:41 local.gateway
-rw-r--r-- 1 admin root 836 Apr 8 11:41 local.gateway_general_properties
-rw-r--r-- 1 admin root 621 Apr 8 11:41 local.global_preferences
-rw-rw---- 1 admin root 19K Apr 8 11:41 local.gtp_services
-rw-r--r-- 1 admin root 14K Apr 8 11:41 local.host
-rw-r--r-- 1 admin root 2.6K Apr 8 11:41 local.host_ckp
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.httpsi_dnd
-rw-r--r-- 1 admin root 8.1K Apr 8 11:41 local.icmp_service
-rw-r--r-- 1 admin root 16K Apr 8 11:41 local.icmpv6_service
-rw-rw---- 1 admin root 207K Apr 8 11:41 local.ics_configuration
-rw-rw---- 1 admin root 1.3K Apr 8 11:41 local.identity_awareness_custom_settings
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.identity_roles
-rw-rw---- 1 admin root 11 Apr 8 11:41 local.ifs
-rw-rw---- 1 admin root 29K Apr 8 11:41 local.implied_rules
-rw-rw---- 1 admin root 614 Apr 8 11:41 local.inspect.lf
-rw-rw---- 1 admin root 1.2K Apr 8 11:41 local.intranet_community
-rw-rw---- 1 admin root 9.5K Apr 8 11:41 local.ips_enhance
-rw-rw---- 1 admin root 4.4K Apr 8 11:41 local.ips_granular_contexts
-rw-rw---- 1 admin root 8.0K Apr 8 11:41 local.languages
-rw-rw---- 1 admin root 10K Apr 8 11:41 local.lg
-rw-rw---- 1 admin root 10K Apr 8 11:41 local.lg6
-rw-rw---- 1 admin root 39 Apr 8 11:41 local.logo_directory_content.conf
-rw-rw---- 1 admin root 41K Apr 8 11:41 local.magic
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.mail_servers
-rw-rw---- 1 admin root 35 Apr 8 11:41 local.mgmt_dhcp_data
-rw-rw---- 1 admin root 11K Apr 8 11:41 local.mobile_profiles
-rw-rw---- 1 admin root 1.4K Apr 8 11:41 local.mobile_profiles_rulebase
-rw-rw---- 1 admin root 104 Apr 8 11:41 local.mv_tag
-rw-rw---- 1 admin root 2.2K Apr 8 11:41 local.nac_agents
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.nat_dnd
-rw-r--r-- 1 admin root 2.1K Apr 8 11:41 local.network
-rw-rw---- 1 admin root 7.2K Apr 8 11:41 local.network_applications
-rw-r--r-- 1 admin root 4.1K Apr 8 11:41 local.network_group
-rw-rw---- 1 admin root 635K Apr 8 11:41 local.objects
-rw-r--r-- 1 admin root 3.8K Apr 8 11:41 local.other_service
-rw-rw---- 1 admin root 710 Apr 8 11:41 local.policy
-rw-rw---- 1 admin root 42K Apr 8 11:41 local.policy.xml
-rw-rw---- 1 admin root 5.2K Apr 8 11:41 local.products_updates
-rw-rw---- 1 admin root 6.5K Apr 8 11:41 local.rad_services
-rw-rw---- 1 admin root 8.6K Apr 8 11:41 local.realm_objects
-rw-rw---- 1 admin root 27K Apr 8 11:41 local.realms
-rw-rw---- 1 admin root 5.7K Apr 8 11:41 local.remote_access_clients_objects
-rw-r--r-- 1 admin root 12K Apr 8 11:41 local.rpc_service
-rw-rw---- 1 admin root 62K Apr 8 11:41 local.rule
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.rule_adtr
-rw-rw---- 1 admin root 4.4K Apr 8 11:41 local.rulebase
-rw-rw---- 1 admin root 8.4K Apr 8 11:41 local.rulebase_tracks
-rw-rw---- 1 admin root 0 Apr 8 11:41 local.sdopts.rec
-rw-rw---- 1 admin root 0 Apr 8 11:41 local.securid
-rw-r--r-- 1 admin root 1.8K Apr 8 11:41 local.security_zone
-rw-r--r-- 1 admin root 3.2K Apr 8 11:41 local.service_group
-rw-rw---- 1 admin root 561K Apr 8 11:41 local.set
-rw-rw---- 1 admin root 59 Apr 8 11:41 local.sic_name
-rw-r--r-- 1 admin root 621 Apr 8 11:41 local.sr_community
-rw-rw---- 1 admin root 5.5K Apr 8 11:41 local.ssl_certificates
-rw-rw---- 1 admin root 1.3M Apr 8 11:41 local.ssl_inspection
-rw-rw---- 1 admin root 4 Apr 8 11:41 local.sso_groups
-rw-rw---- 1 admin root 958 Apr 8 11:41 local.str
-rw-rw---- 1 admin root 958 Apr 8 11:41 local.str6
-rw-r--r-- 1 admin root 524K Apr 8 11:41 local.tcp_protocol
-rw-r--r-- 1 admin root 304K Apr 8 11:41 local.tcp_service
-rw-rw---- 1 admin root 48K Apr 8 11:41 local.thresholds.conf
-rw-r--r-- 1 admin root 3.8K Apr 8 11:41 local.track
-rw-r--r-- 1 admin root 65K Apr 8 11:41 local.udp_protocol
-rw-r--r-- 1 admin root 131K Apr 8 11:41 local.udp_service
-rw-r--r-- 1 admin root 29K Apr 8 11:41 local.updatable_obj
-rw-r--r-- 1 admin root 681 Apr 8 11:41 local.user_at_location
-rw-rw---- 1 admin root 690 Mar 14 20:39 local.user_category
-rw-rw---- 1 admin root 94K Apr 8 11:41 local.user_check_interactions.C.converted
-rw-rw---- 1 admin root 0 Apr 8 11:41 local.userdef
-rw-rw---- 1 admin root 7.4K Apr 8 11:41 local.{939922F7-DF98-4988-B776-B70B9B8340F3}
-rw-r----- 1 admin root 11K Apr 8 11:41 local.{B9D14722-3936-4B33-814B-F87EA4062BEB}
-rw-rw---- 1 admin root 7.2K Apr 8 11:41 policy.info
-rw-rw---- 1 admin root 3.1K Apr 8 11:41 policy.map
-rw-rw---- 1 admin root 21K Apr 8 11:41 robo-IKE.NDB

0 Kudos
PhoneBoy
Admin

If you know some information about the VPN tunnels, grep is your friend 🙂
It may not be visible in an uncompiled form. 

0 Kudos
the_rock
Legend

That's a good point, but then I need to know what file to look through 🙂

0 Kudos
Bob_Zimmerman
Mentor

You can grep all files with a single command, including recursing into subdirectories:

[Expert@DallasSA]# cd /etc/ssh/
[Expert@DallasSA]# grep -R "Forwarding" *
sshd_config:#AllowAgentForwarding yes
sshd_config:AllowTcpForwarding no
sshd_config:X11Forwarding no
sshd_config:#	X11Forwarding no
sshd_config:#	AllowTcpForwarding no
templates/sshd_config.templ:#AllowAgentForwarding yes
templates/sshd_config.templ:AllowTcpForwarding no
templates/sshd_config.templ:X11Forwarding no
templates/sshd_config.templ:#	X11Forwarding no
templates/sshd_config.templ:#	AllowTcpForwarding no

Try that with one of the VPN community names. I don't have any VPN communities set up on this box, so I can't check for myself.

0 Kudos
the_rock
Legend

Thanks for your help guys, but I will assume this is not possible at this time, at least not exactly how customer imagined it. I think we can close this subject. Appreciate the help as always 🙌

0 Kudos
Maarten_Sjouw
Champion

mgmt_cli will be able to give you the correct data:

mgmt_cli show vpn-communities-meshed details-level full -s id.txt
objects:
- uid: "bde4848b-64b8-4647-9501-49b17c0cb870"
  name: "MyIntranet"
  type: "vpn-community-meshed"
  domain:
    uid: "bdcfc21b-9bc2-44fd-bb61-dede55a7a6de"
    name: "IOT"
    domain-type: "domain"
  gateways: []
  tunnel-granularity: "per_subnet"
  use-shared-secret: false
  encryption-method: "ikev1 for ipv4 and ikev2 for ipv6 only"
  encryption-suite: "custom"
  ike-phase-1:
    encryption-algorithm: "aes-256"
    diffie-hellman-group: "group-2"
    ike-p1-rekey-time: 1440
    data-integrity: "sha1"
  ike-phase-2:
    encryption-algorithm: "aes-128"
    ike-p2-use-pfs: false
    ike-p2-pfs-dh-grp: "group-2"
    ike-p2-rekey-time: 3600
    data-integrity: "sha1"
  comments: ""
  color: "black"
  icon: "VPNCommunities/Meshed"
  tags: []
  meta-info:
    lock: "unlocked"
    validation-state: "ok"
    last-modify-time:
      posix: 1612186256723
      iso-8601: "2021-02-01T14:30+0100"
    last-modifier: "System"
    creation-time:
      posix: 1612186256723
      iso-8601: "2021-02-01T14:30+0100"
    creator: "System"
  read-only: false

This will list all meshed communities, and the same command with -star will give you all Star communities.

Regards, Maarten
(1)
PhoneBoy
Admin

The question relates to when the management server is not available (thus mgmt_cli wouldn't work).

0 Kudos
the_rock
Legend

Customer liked it, so if they are good, I'm good too ; - )

0 Kudos
Maarten_Sjouw
Champion

The question was about when SmartConsole is not available; there was no mention of the management server.

Regards, Maarten
0 Kudos
the_rock
Legend

PERFECT! Gave that to a customer and he was super happy, greatly appreciate it @Maarten_Sjouw 🙌🙌🙌

0 Kudos
the_rock
Legend

One quick question @Maarten_Sjouw ...I tried outputting into a file but it fails, I believe -s is the right flag, is it not?

Cheers,

Andy

0 Kudos
Maarten_Sjouw
Champion

No, just use the standard Linux > file redirection. The -s is for accepting the login information stored in the file id.txt, like this:

mgmt_cli login user admin domain Test -m 127.0.0.1 > id.txt

mgmt_cli show vpn-communities-meshed details-level full -s id.txt > vpn-meshed.txt

mgmt_cli show vpn-communities-star details-level full -s id.txt > vpn-star.txt  (or use >> vpn-meshed.txt to add the output to the same file)

mgmt_cli logout -s id.txt

Regards, Maarten
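As an added example (not code from this thread, from Maarten, or from Check Point), the script below ties together the two mgmt_cli posts above: it dumps the meshed and star communities through one id.txt session, then reduces the YAML output to one line per community showing the IKE phase 1 and phase 2 parameters, so the customer can review all tunnel settings in a single listing without SmartConsole. It also marks settings a reviewer would normally want to look at twice (IKEv1 still allowed, SHA-1/MD5 integrity, DH groups 1/2/5, PFS off); those thresholds are my own choice, not a Check Point recommendation. Assumptions: mgmt_cli is in PATH on the management server, id.txt holds a session from mgmt_cli login as in the post, star community output uses the same ike-phase-1/ike-phase-2 field names as the meshed output shown, and the "PartnerStar" community in the constructed sample is invented for the demonstration (the MyIntranet entry mirrors the values in Maarten's output).

```shell
#!/bin/sh
# Added example, not from the thread or Check Point: dump all VPN communities
# through one mgmt_cli session and summarise the IKE settings per community.
set -e

# Assumes mgmt_cli in PATH and a valid session in id.txt (mgmt_cli login ... > id.txt).
dump_communities() {
    out="${1:-vpn-communities.txt}"
    mgmt_cli show vpn-communities-meshed details-level full -s id.txt > "$out"
    mgmt_cli show vpn-communities-star   details-level full -s id.txt >> "$out"
}

# One line per community: name, IKE version policy, phase-1/phase-2 parameters,
# and review flags. Keyed on the field names in the thread; indentation is not
# required, so it also works on copy-pasted output that lost its spacing.
summarize_vpn_settings() {
    awk '
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); gsub(/"/, "", s); return s }
    function flush() {
        if (name == "") return
        flags = ""
        if (method ~ /ikev1/) flags = flags "ikev1-allowed,"
        if (p1int ~ /^(sha1|md5)$/ || p2int ~ /^(sha1|md5)$/) flags = flags "weak-integrity,"
        if (p1dh ~ /^group-(1|2|5)$/ || (p2pfs == "true" && p2dh ~ /^group-(1|2|5)$/)) flags = flags "weak-dh,"
        if (p2pfs != "true") flags = flags "no-pfs,"
        sub(/,$/, "", flags); if (flags == "") flags = "none"
        printf "%s method=%s p1=%s/%s/%s/%sm p2=%s/pfs=%s/%s/%s/%ss flags=%s\n",
            name, method, p1enc, p1dh, p1int, p1life, p2enc, p2pfs, p2dh, p2int, p2life, flags
    }
    /^[ \t]*- uid:/ { flush(); name=method=p1enc=p1dh=p1int=p1life=p2enc=p2pfs=p2dh=p2int=p2life=""; phase=0; next }
    /^[ \t]*name:/ && name == "" { name = val($0); next }   # first name after uid is the community
    /^[ \t]*encryption-method:/ { method = val($0); gsub(/ /, "_", method); next }
    /^[ \t]*ike-phase-1:/ { phase = 1; next }
    /^[ \t]*ike-phase-2:/ { phase = 2; next }
    /^[ \t]*encryption-algorithm:/ { if (phase == 1) p1enc = val($0); else if (phase == 2) p2enc = val($0); next }
    /^[ \t]*data-integrity:/ { if (phase == 1) p1int = val($0); else if (phase == 2) p2int = val($0); next }
    /^[ \t]*diffie-hellman-group:/ { p1dh = val($0); next }
    /^[ \t]*ike-p1-rekey-time:/ { p1life = val($0); next }
    /^[ \t]*ike-p2-use-pfs:/ { p2pfs = val($0); next }
    /^[ \t]*ike-p2-pfs-dh-grp:/ { p2dh = val($0); next }
    /^[ \t]*ike-p2-rekey-time:/ { p2life = val($0); next }
    END { flush() }
    ' "$@"
}

# Constructed sample in the shape of the mgmt_cli output in the thread: MyIntranet
# uses Maarten's values; PartnerStar (placeholder uid) is invented for contrast.
sample_dump() {
    cat <<'EOF'
objects:
- uid: "bde4848b-64b8-4647-9501-49b17c0cb870"
  name: "MyIntranet"
  domain:
    uid: "bdcfc21b-9bc2-44fd-bb61-dede55a7a6de"
    name: "IOT"
  encryption-method: "ikev1 for ipv4 and ikev2 for ipv6 only"
  ike-phase-1:
    encryption-algorithm: "aes-256"
    diffie-hellman-group: "group-2"
    ike-p1-rekey-time: 1440
    data-integrity: "sha1"
  ike-phase-2:
    encryption-algorithm: "aes-128"
    ike-p2-use-pfs: false
    ike-p2-pfs-dh-grp: "group-2"
    ike-p2-rekey-time: 3600
    data-integrity: "sha1"
- uid: "00000000-0000-0000-0000-000000000000"
  name: "PartnerStar"
  encryption-method: "ikev2 only"
  ike-phase-1:
    encryption-algorithm: "aes-256"
    diffie-hellman-group: "group-14"
    ike-p1-rekey-time: 1440
    data-integrity: "sha256"
  ike-phase-2:
    encryption-algorithm: "aes-256"
    ike-p2-use-pfs: true
    ike-p2-pfs-dh-grp: "group-14"
    ike-p2-rekey-time: 3600
    data-integrity: "sha256"
EOF
}

if command -v mgmt_cli >/dev/null 2>&1; then
    dump_communities vpn-communities.txt
    summarize_vpn_settings vpn-communities.txt
else
    # No management server here: run the summariser over the constructed sample.
    sample_dump | summarize_vpn_settings
fi
```

On a management server this writes vpn-communities.txt (the same file Maarten's >> trick produces) and prints the summary; anywhere else it exercises the parser on the sample only. Phase 1 rekey time is printed in minutes and phase 2 in seconds, matching the units of the ike-p1-rekey-time and ike-p2-rekey-time fields in the output above.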
the_rock
Legend

Thanks again!

0 Kudos
