- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
New VPN daemons were launched with R81.10. In the new version R81.20 you can see that these daemeons have been further revised.
Now iked runs as a multi-process and controls all IPsec VPN tunnels.
The other two processes, vpnd and cccd, each run only once on the gateway.
As far as I have understood correctly, the processes from R81.20 onwards are responsible for the following:
| VPN Type | vpnd | iked |
| Site-to-Site VPN | - | IPSec ESP |
| - | IPSec NAT-T | |
| - | Permanent tunnel | |
| - | MEP | |
| - | Link selection | |
| Remote Access VPN | - | Endpoint - IPSec RA Client |
| - | L2TP | |
| CCC protocol | - | |
| Visitor Mode | - |
For debugging, I noticed that the IKED daemon must now be debugged accordingly for example for iked0, iked1,...
Depending on the corresponding daemon (now shown in R81.20 with "vpn tu tlist -z") the debug must be set specifically for it.
If the daemon is now known, a special debug for this iked index id can be enabled:
# ike debug -i <iked index id> trunc ALL=5
This creates the corresponding debug files with the corresponding iked index id:
vpnd-ikev<iked index id>trace
So far I have understood everything.
Now my questions:
1) Where can I find Check Point documentation describing the new R81.20 VPN architecture?
2) How can I enable a VPN debug and how can I evaluate the multi R81.20 iked daemons? Are there any sk's or a documentation here.
3) Is there a design overview of how vpnd, iked and cccd work together?
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY
