Manage VPN tunnels smartly: forget vpn tu, enter the vpn shell


Deleting the IKE/IPsec security associations of established VPNs is an inevitable part of any VPN-related debugging. The standard tool promoted by Check Point (in the CCSA, CCSE and similar courses) is vpn tu, which has nevertheless always had a very annoying bug (feature?): you can delete ALL VPN tunnels at once, but none individually! It does present the option "Delete all IPsec SAs for a given peer (GW)", but sometimes it just plain doesn't work. Once confronted with this problem, which can make the debugging more devastating than the problem itself, I started looking for alternatives. Much to my surprise, Check Point has a perfect alternative: vpn shell, which provides acceptable means of managing tunnels. Here are the details.
vpn shell can delete IKE/IPsec SAs selectively, add/delete VTI interfaces, and show information about all of these. To enter this shell:

[Expert@gw1]# vpn shell
 ?             - This help
 ..            - Go up one level
 quit          - Quit
[interface   ] - Manipulate tunnel interfaces
[show        ] - Show internal data
[tunnels     ] - Manipulate tunnel data

After hitting Enter you are put into a subshell that is navigated hierarchically, so to descend into the show subtree you type show and hit Enter:

VPN shell:[/] > show
 ?             - This help
 ..            - Go up one level
[interface   ] - Show interface(s) and their status
[tunnels     ] - Show SA(s)
VPN shell:[/show] >

Your prompt changes to your current path inside vpn shell. To go one level up (back), type .. and Enter:

VPN shell:[/show] > ..
 ?             - This help
 ..            - Go up one level
 quit          - Quit
[interface   ] - Manipulate tunnel interfaces
[show        ] - Show internal data
[tunnels     ] - Manipulate tunnel data
VPN shell:[/] >

In addition, if you know the full path inside vpn shell to the command you wish to run, you can type it directly from the root:

e.g. 1: To see all IKE tunnels:

[Expert@gw1]# vpn shell
 ?             - This help
 ..            - Go up one level
 quit          - Quit
[interface   ] - Manipulate tunnel interfaces
[show        ] - Show internal data
[tunnels     ] - Manipulate tunnel data
VPN shell:[/] > tunnels show IKE all

Peer 193.x.x.x:

        1. IKE SA <8755c7fb24a52e9b,5d46b29d0f0bb5b7>:
VPN shell:[/] >

e.g. 2: To delete the IKE SAs for a specific peer only:

VPN shell:[/] > tunnels delete IKE peer 193.3.3.3

NOTE: the interface subtree is for dealing with VTI interfaces.
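The two examples above are the core of the workflow: list the IKE SAs per peer, then delete only the peer that needs it. As an added example (not part of the original post and not a Check Point tool), here is a small POSIX shell script that parses a saved "tunnels show IKE all" listing and reports how many IKE SAs each peer holds, then prints the matching selective delete command for peers carrying more than one SA. The sample listing is constructed in the format shown above; its peer addresses and SPI values are placeholders, and the parser assumes real output keeps the same "Peer x.x.x.x:" / "N. IKE SA <...>:" layout.

```shell
# Added example (not from the original post): summarise the output of
#   VPN shell:[/] > tunnels show IKE all
# per peer, so you can see which peers are carrying more than one IKE SA
# before deleting selectively with "tunnels delete IKE peer <ip>".
# SAMPLE_IKE_OUTPUT is constructed in the format shown in the post; the
# peer addresses and SPI values are placeholders, not captured data.

SAMPLE_IKE_OUTPUT='Peer 192.0.2.10:

        1. IKE SA <8755c7fb24a52e9b,5d46b29d0f0bb5b7>:

Peer 198.51.100.20:

        1. IKE SA <0000000000000001,0000000000000002>:
        2. IKE SA <0000000000000003,0000000000000004>:
'

# Read a "tunnels show IKE all" listing on stdin and print "<peer> <count>"
# per peer, in the order the peers appear. A peer with no SA lines is
# reported with a count of 0; SA lines before any "Peer" header are ignored.
ike_sa_per_peer() {
    awk '
        /^Peer [^ ]+:[[:space:]]*$/ {
            peer = $2
            sub(/:$/, "", peer)
            if (!(peer in count)) { count[peer] = 0; order[++n] = peer }
            next
        }
        peer != "" && /^[[:space:]]+[0-9]+\. IKE SA </ { count[peer]++ }
        END { for (i = 1; i <= n; i++) print order[i], count[order[i]] }
    '
}

# Print only the peers that hold more than one IKE SA: the usual sign of
# stale SAs left over from a renegotiation, and the candidates for a
# selective delete instead of a gateway-wide reset with vpn tu.
peers_with_multiple_ike_sas() {
    ike_sa_per_peer | awk '$2 > 1 { print $1 }'
}

# For each such peer, print the vpn shell command (the form used in the
# post) that removes only that peer's IKE SAs. Nothing is executed here;
# the operator reviews the list and types it into vpn shell.
suggest_selective_deletes() {
    peers_with_multiple_ike_sas | while IFS= read -r peer; do
        printf 'tunnels delete IKE peer %s\n' "$peer"
    done
}

# Stand-alone run against the constructed sample.
printf '%s' "$SAMPLE_IKE_OUTPUT" | ike_sa_per_peer
printf '%s' "$SAMPLE_IKE_OUTPUT" | suggest_selective_deletes
```

In practice you would capture the listing from the gateway (copy it out of the vpn shell session into a file) and feed that file to ike_sa_per_peer instead of the constructed sample; the script only reads text and prints suggestions, so it is safe to run anywhere awk is available.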

And finally, to leave vpn shell and return to the SSH shell:
get back to the root by typing .. as many times as needed (the example below chains them as ../../..), and then type quit:

VPN shell:[/show/tunnels/IKE] > ../../..
 ?             - This help
 ..            - Go up one level
 quit          - Quit
[interface   ] - Manipulate tunnel interfaces
[show        ] - Show internal data
[tunnels     ] - Manipulate tunnel data
VPN shell:[/] > quit
[Expert@gw1]#