HeikoAnkenbrand
New VPN daemons in R81.10 / R81.20

New VPN daemons were introduced with R81.10. In the new version R81.20 you can see that these daemons have been revised further.

Now iked runs as a multi-process daemon and controls all IPsec VPN tunnels.
The other two processes, vpnd and cccd, each run only once on the gateway.

If I have understood correctly, from R81.20 onwards the processes are responsible for the following:

VPN Type                        vpnd            iked
Site-to-Site VPN                -               IPsec ESP
                                -               IPsec NAT-T
                                -               Permanent tunnel
                                -               MEP
                                -               Link selection
Remote Access VPN - Endpoint    -               IPsec RA Client
                                -               L2TP
                                CCC protocol    -
                                Visitor Mode    -


For debugging, I noticed that the iked daemon must now be debugged per instance, for example iked0, iked1, ...
Depending on the corresponding daemon (shown in R81.20 with "vpn tu tlist -z"), the debug must be set specifically for that instance.

Once the daemon is known, a debug for this specific iked index id can be enabled:
# ike debug -i <iked index id> trunc ALL=5

This creates the debug files named with the corresponding iked index id:
vpnd-ikev<iked index id>trace

So far I have understood everything.

Now my questions:

1) Where can I find Check Point documentation describing the new R81.20 VPN architecture?
2) How can I enable a VPN debug and how can I evaluate the multiple R81.20 iked daemons? Are there any sk's or documentation on this?
3) Is there a design overview of how vpnd, iked and cccd work together?

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
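The per-instance debug procedure from the post above (enable debug per iked index id, then look for the vpnd-ikev<idx>trace files), wrapped in a small helper script. This is an added example, not code from the post or from Check Point. The command syntax "ike debug -i <idx> trunc ALL=5" and the trace file name pattern are taken from the post as written; the trace directory ($FWDIR/log), the IKE_CMD/TRACE_DIR override variables and the function names are assumptions made for this example.

```shell
# Added example (not from the original post): enable the per-instance iked
# debug for several iked index ids, then collect the resulting trace files.
#
# Assumptions (not stated in the post): traces are written to $FWDIR/log, and
# the "ike" command can be replaced via IKE_CMD (e.g. IKE_CMD=echo for a dry run).
IKE_CMD="${IKE_CMD:-ike}"
TRACE_DIR="${TRACE_DIR:-$FWDIR/log}"

# Enable full IKE debug (ALL=5) on every iked index id passed as an argument,
# using the syntax quoted in the post. Non-numeric ids are skipped and reported.
# Returns non-zero if any id was invalid or any invocation failed.
enable_iked_debug() {
    local idx rc=0
    for idx in "$@"; do
        case "$idx" in
            ''|*[!0-9]*)
                echo "skipping invalid iked index id: $idx" >&2
                rc=1
                continue
                ;;
        esac
        "$IKE_CMD" debug -i "$idx" trunc ALL=5 || rc=1
    done
    return "$rc"
}

# Print one line per existing trace file, "<idx> <path> <size-in-bytes>",
# for the given iked index ids. Missing files are reported on stderr so that a
# misread index from "vpn tu tlist -z" shows up immediately.
list_iked_traces() {
    local idx f
    for idx in "$@"; do
        f="$TRACE_DIR/vpnd-ikev${idx}trace"
        if [ -f "$f" ]; then
            printf '%s %s %s\n' "$idx" "$f" "$(wc -c < "$f" | tr -d ' ')"
        else
            echo "no trace file for iked index id $idx (expected $f)" >&2
        fi
    done
}

# Typical use on a gateway (the index ids come from "vpn tu tlist -z"):
#   enable_iked_debug 0 1 2 && list_iked_traces 0 1 2
```

Run it with IKE_CMD=echo first to see the exact commands that would be issued before touching a production gateway; the trace listing is what you would copy into an sk case or compare across instances when only one iked process is handling the tunnel you are interested in.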