When we list all the IPsec SAs, it appears as below.
What does the i mean?
What's the device version?
There is a * for options 2 and 4.
* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.
I have one more doubt.
Does the SA formation depend on the encryption domain that we are providing, or on the rule (interesting traffic) that we are creating?
During Phase 2 (Quick Mode) of the IKE negotiation, the IPsec SAs are negotiated. Phase 2 uses three packets; in the first packet, the initiator's VPN domain configuration is in the first ID field, and the VPN domain configuration proposed for the peer gateway is in ID field 2.
You can see this negotiation process for both Phase 1 and Phase 2 in ike.elg with the Check Point utility called IKEView.
Download IKEView from here https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=51806
Turn on IKE debug on the Security Gateway to capture the negotiation.
To enable IKE debug mode, run in Expert mode on the Security Gateway: vpn debug ikeon
To stop IKE debugging, run in Expert mode on the Security Gateway: vpn debug ikeoff
Also nice to know:
vpnd daemon ($FWDIR/bin/vpnd) - User Mode daemon, which is in charge of handling both IKE and IPsec SAs, as well as initiating and responding to IKE negotiations with other VPN gateways. This daemon is spawned by the fwd daemon.
R80.10 introduced MultiCore support for IPsec VPN.
IPsec VPN MultiCore feature allows CoreXL to inspect VPN traffic on all CoreXL FW instances.
This feature is enabled by default, and it is not supported to disable it.
Nice explanation of IPSec & IKE: https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm?topic=documents/R77/CP_R77_VPN_AdminGuide/13847
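To make the Quick Mode ID fields described above concrete, here is an added example (my own code, not from the thread or from Check Point) that encodes and decodes the two ISAKMP Identification payloads (IDci, IDcr) carried in the first Quick Mode packet, following the payload layout in RFC 2408 and the IPsec DOI ID types in RFC 2407. The VPN domains 10.1.0.0/16 and 192.168.50.0/24 are constructed sample values, and the responder-side acceptance check is an illustration of the principle that the proposed selectors must fall inside the configured encryption domains, not a reproduction of the gateway's actual matching logic.

```python
import ipaddress
import struct

# IPsec DOI identification types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
# ISAKMP payload type codes used in the "Next Payload" field (RFC 2408, section 3.1)
NEXT_PAYLOAD_NONE = 0
NEXT_PAYLOAD_ID = 5

# Generic header (Next Payload, RESERVED, Payload Length) followed by the
# ID-specific fields (ID Type, Protocol ID, Port); everything network byte order.
_ID_HEADER = struct.Struct("!BBHBBH")


def build_id_payload(network, next_payload=NEXT_PAYLOAD_NONE, proto=0, port=0):
    """Encode one Identification payload for an IPv4 host or subnet.

    proto=0 / port=0 means "any protocol, any port", which is what a plain
    VPN-domain selector looks like on the wire.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4:
        raise ValueError("example handles IPv4 selectors only")
    if net.prefixlen == 32:
        id_type, data = ID_IPV4_ADDR, net.network_address.packed
    else:
        # ID_IPV4_ADDR_SUBNET data is 4 bytes of address + 4 bytes of mask
        id_type, data = ID_IPV4_ADDR_SUBNET, net.network_address.packed + net.netmask.packed
    length = _ID_HEADER.size + len(data)
    return _ID_HEADER.pack(next_payload, 0, length, id_type, proto, port) + data


def parse_id_payload(buf, offset=0):
    """Decode one Identification payload at offset; return (fields, next offset)."""
    if len(buf) - offset < _ID_HEADER.size:
        raise ValueError("truncated ID payload header")
    next_payload, _reserved, length, id_type, proto, port = _ID_HEADER.unpack_from(buf, offset)
    if length < _ID_HEADER.size or offset + length > len(buf):
        raise ValueError("ID payload length exceeds buffer")
    data = buf[offset + _ID_HEADER.size:offset + length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry 4 bytes")
        selector = ipaddress.ip_network(str(ipaddress.IPv4Address(data)))
    elif id_type == ID_IPV4_ADDR_SUBNET:
        if len(data) != 8:
            raise ValueError("ID_IPV4_ADDR_SUBNET must carry 8 bytes")
        addr = ipaddress.IPv4Address(data[:4])
        mask = ipaddress.IPv4Address(data[4:])
        selector = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    fields = {"next_payload": next_payload, "type": id_type,
              "proto": proto, "port": port, "selector": selector}
    return fields, offset + length


def build_quick_mode_ids(initiator_domain, peer_domain):
    """IDci followed by IDcr as they appear in Quick Mode message 1.

    IDci's Next Payload points at IDcr; IDcr ends the chain with NONE.
    """
    return (build_id_payload(initiator_domain, next_payload=NEXT_PAYLOAD_ID)
            + build_id_payload(peer_domain))


def parse_quick_mode_ids(buf):
    """Return (IDci selector, IDcr selector) from a two-payload ID chain."""
    idci, off = parse_id_payload(buf, 0)
    if idci["next_payload"] != NEXT_PAYLOAD_ID:
        raise ValueError("IDci must be followed by IDcr")
    idcr, off = parse_id_payload(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after IDcr")
    return idci["selector"], idcr["selector"]


def responder_accepts(idci, idcr, peer_vpn_domain, own_vpn_domain):
    """Illustrative responder check (assumption, not the gateway's real logic):
    the initiator's selector must lie inside the peer's configured VPN domain and
    the selector proposed for us must lie inside our own VPN domain."""
    peer = ipaddress.ip_network(peer_vpn_domain)
    own = ipaddress.ip_network(own_vpn_domain)
    return idci.subnet_of(peer) and idcr.subnet_of(own)


if __name__ == "__main__":
    # Constructed sample: initiator's domain 10.1.0.0/16, proposes 192.168.50.0/24 for the peer
    wire = build_quick_mode_ids("10.1.0.0/16", "192.168.50.0/24")
    print(wire.hex())
    ci, cr = parse_quick_mode_ids(wire)
    print("IDci", ci, "IDcr", cr)
    print("accepted:", responder_accepts(ci, cr, "10.0.0.0/8", "192.168.0.0/16"))
    print("accepted:", responder_accepts(ci, cr, "10.0.0.0/8", "192.168.51.0/24"))
```

The hex printed by the script is what the two ID payloads look like in the decrypted Quick Mode packet; when IKEView shows a mismatch between the ID fields and what the peer expects, it is these selectors, derived from the VPN domains, that disagree.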