

Manage VPN tunnels smartly: forget vpn tu, enter the vpn shell

Deleting the IKE/IPsec security associations (SAs) of established VPN tunnels is an inevitable part of any VPN-related debugging. The standard tool promoted by Checkpoint (in CCSA, CCSE etc.) is vpn tu, which has nevertheless always had a very annoying bug (feature?): you can delete ALL VPN tunnels at once, but none individually! It does present the option "Delete all IPsec SAs for a given peer (GW)", but it just plain doesn't work. Once confronted with this problem, which can make the debugging more devastating than the problem itself, I started looking for alternatives. Much to my surprise, CP has a perfect alternative for this:
vpn shell, which provides acceptable means of managing tunnels. Here are the details.
vpn shell can delete IKE/IPsec SAs selectively, add/delete VTI interfaces, and show information about all of that.
To enter this shell :
[Expert@gw1]# vpn shell
 ?             - This help
 ..            - Go up one level
 quit          - Quit
[interface   ] - Manipulate tunnel interfaces
[show        ] - Show internal data
[tunnels     ] - Manipulate tunnel data

After hitting Enter you are put into a subshell with a hierarchical way of moving around. To continue into the show subtree, type show and hit Enter:
VPN shell:[/] > show
 ?             - This help
 ..            - Go up one level
[interface   ] - Show interface(s) and their status
[tunnels     ] - Show SA(s)
VPN shell:[/show] >

Your prompt changes to show the current path inside vpn shell. To go one level up (return), type .. and Enter:
VPN shell:[/show] > ..
 ?             - This help
 ..            - Go up one level
 quit          - Quit
[interface   ] - Manipulate tunnel interfaces
[show        ] - Show internal data
[tunnels     ] - Manipulate tunnel data
VPN shell:[/] >

In addition, if you know the full path inside vpn shell to the command you wish to run, you can type it directly from the root prompt:

E.g. 1: to see all IKE tunnels (SAs):
[Expert@gw1]# vpn shell
 ?             - This help
 ..            - Go up one level
 quit          - Quit
[interface   ] - Manipulate tunnel interfaces
[show        ] - Show internal data
[tunnels     ] - Manipulate tunnel data
VPN shell:[/] > tunnels show IKE all

Peer 193.x.x.x:

        1. IKE SA <8755c7fb24a52e9b,5d46b29d0f0bb5b7>:
VPN shell:[/] >
E.g. 2: to delete the IKE SAs for a specific peer only:
VPN shell:[/] > tunnels delete IKE peer 193.3.3.3
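
The two commands above, tunnels show IKE all and tunnels delete IKE peer, are what you combine when a gateway has many peers and you want to clear exactly one of them. The following shell script is an added example, not code from the original post and not a Check Point tool: it parses the text format printed by tunnels show IKE all (the "Peer <ip>:" headers followed by numbered "IKE SA <spi,spi>:" lines), lists the peers, counts the SAs under each, and prints the matching tunnels delete IKE peer command per peer. The sample output embedded in it is constructed; the peer 10.20.30.40 and all SPI values are made up. Whether vpn shell accepts commands piped to it is not something this post establishes, so the script only prints the commands for you to type at the VPN shell:[/] > prompt.

```shell
#!/bin/sh
# Added example, not part of the original post or of Check Point's tooling:
# helpers that parse the text printed by "tunnels show IKE all" inside vpn shell
# and derive the matching "tunnels delete IKE peer <ip>" commands from it.
# SAMPLE_OUTPUT is constructed for this example (second peer and SPIs made up);
# to use it on a real gateway, copy the output of "tunnels show IKE all" into a
# file and feed that file to the functions instead.

SAMPLE_OUTPUT='Peer 193.3.3.3:

        1. IKE SA <0a1b2c3d4e5f6071,8293a4b5c6d7e8f9>:

Peer 10.20.30.40:

        1. IKE SA <0123456789abcdef,fedcba9876543210>:
        2. IKE SA <1111111111111111,2222222222222222>:
'

# Print each peer IP once, in the order its "Peer <ip>:" header appears on stdin.
ike_peers() {
    awk '/^Peer / { p = $2; sub(/:$/, "", p); if (!(p in seen)) { seen[p] = 1; print p } }'
}

# Print the number of distinct peers found on stdin.
ike_peer_count() {
    ike_peers | awk 'END { print NR }'
}

# Print how many IKE SAs are listed under the given peer (0 if the peer is absent).
ike_sa_count() {
    awk -v peer="$1" '
        /^Peer /                  { cur = $2; sub(/:$/, "", cur); next }
        /IKE SA </ && cur == peer { n++ }
        END                       { print n + 0 }'
}

# Print the vpn shell command (full path from the root prompt) that clears the
# IKE SAs of one peer. It is only printed, never executed.
delete_cmd() {
    printf 'tunnels delete IKE peer %s\n' "$1"
}

# One delete command per peer found on stdin, so you can pick the one you need.
delete_cmds_for_all() {
    ike_peers | while read -r peer; do delete_cmd "$peer"; done
}

# Stand-alone demo against the constructed sample.
echo "Peers with IKE SAs:"
printf '%s' "$SAMPLE_OUTPUT" | ike_peers
echo
echo "IKE SAs for 10.20.30.40: $(printf '%s' "$SAMPLE_OUTPUT" | ike_sa_count 10.20.30.40)"
echo
echo "Commands to type at the VPN shell:[/] > prompt, one peer at a time:"
printf '%s' "$SAMPLE_OUTPUT" | delete_cmds_for_all
```

Run it with sh; on a real gateway, replace the sample with a file holding the pasted output (for example ike_peers < ike_all.txt) and type only the delete line for the peer you are actually debugging, since each one tears down that peer's IKE SAs.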

NOTE: the interface subtree is for dealing with VTI interfaces.

And finally, to leave vpn shell and return to the Expert (SSH) shell, get back to the root (.. once per level, or chained as ../../..) and then type quit:

VPN shell:[/show/tunnels/IKE] > ../../..
 ?             - This help
 ..            - Go up one level
 quit          - Quit
[interface   ] - Manipulate tunnel interfaces
[show        ] - Show internal data
[tunnels     ] - Manipulate tunnel data
VPN shell:[/] > quit
[Expert@gw1]#

Posted in Checkpoint NG/NGX, Firewall.



4 Responses


  1. Rick says

    Hi yurisk

    Thanks for the information. Not trying to sound too dumb, but am I right in thinking that deleting the tunnel will just bring it down? What I'm trying to say is, will the connection re-establish itself? Or do you have to issue another command?

    Many thanks

    Rick

  2. yurisk says

    Yes, you are right. This will delete what are called the Security Associations for the tunnel, that is,
    delete the active tunnel without changing any configuration related to the tunnel. The moment any traffic
    matching a VPN encryption/community rule reaches the firewall again, the firewall will create a new tunnel.
    No other commands are needed, just traffic that will use the VPN tunnel.
    Cheers
    Yuri

  3. Rick says

    Hi Yuri

    Thanks for your fast reply. I'm just used to clearing the tunnels on the Cisco router using clear crypto sa.

    Thanks again

    Rick

  4. yurisk says

    You're welcome,
    this command does exactly what clear crypto does in Cisco: it clears the SAs and all the info in the active
    VPN database.


