There have been a few times when I have had to go into Check Point and bounce a VPN. I personally never remember how to do this, but since I had to do it recently, I thought I would post how to do this. This customer was running the Gaia OS, R77.10.
See highlighted what I did in the CLI to bounce the VPN with a peer of 95.95.95.95. You will see that I find the VPN peer, "delete" the VPN SA (which means drop the VPN), and get it brought back up again.
CheckPoint> vpn tu
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
*******************************************
1
Peer 192.168.2.2, user md5 f1d8da7f8f1e75f1:
1. IKE SA <e5687f84f16b9c07,8ab4d63e7558eff4>:
Peer 192.168.3.3, user md5 6adca7ae69e47b02:
1. IKE SA <38647c043135de92,c3779a840740326c>:
Peer 64.64.64.64 SAs:
1. IKE SA <0c0f28cd3758876b,7ed08e082cd1c081>:
Peer 95.95.95.95 SAs:
1. IKE SA <6f4546e1f9819014,c41aa3f2c76cb39c>:
Hit <Enter> key to continue ...
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
*******************************************
5
Enter IP of peer (format: xxx.xxx.xxx.xxx): 95.95.95.95
Hit <Enter> key to continue ...
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
*******************************************
1
Peer 192.168.2.2, user md5 f1d8da7f8f1e75f1:
1. IKE SA <e5687f84f16b9c07,8ab4d63e7558eff4>:
Peer 192.168.3.3, user md5 6adca7ae69e47b02:
1. IKE SA <38647c043135de92,c3779a840740326c>:
Peer 64.64.64.64 SAs:
1. IKE SA <0c0f28cd3758876b,7ed08e082cd1c081>:
Hit <Enter> key to continue ...
CheckPoint> vpn tu
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
*******************************************
1
Peer 192.168.2.2, user md5 f1d8da7f8f1e75f1:
1. IKE SA <e5687f84f16b9c07,8ab4d63e7558eff4>:
Peer 192.168.3.3, user md5 6adca7ae69e47b02:
1. IKE SA <38647c043135de92,c3779a840740326c>:
Peer 64.64.64.64 SAs:
1. IKE SA <0c0f28cd3758876b,7ed08e082cd1c081>:
Peer 95.95.95.95 SAs:
1. IKE SA <0b4ae79cc8418e4d,240a90bf209d613f>:
Hit <Enter> key to continue ...
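To confirm a bounce without comparing the listings by eye, the option (1) output can be parsed and diffed per peer. This is an added example, not part of the original post or any Check Point tooling: the function names are hypothetical, the sample text is copied from the listings above, and treating a changed identifier pair as evidence of a fresh negotiation is an assumption.

```python
import re

# "Peer <ip> SAs:" or "Peer <ip>, user md5 ...:" starts a block of SAs for that peer.
PEER_RE = re.compile(r"^Peer (\d{1,3}(?:\.\d{1,3}){3})\b")
# Each SA line carries two 16-hex-digit identifiers in angle brackets.
SA_RE = re.compile(r"IKE SA <([0-9a-f]{16}),([0-9a-f]{16})>")

def parse_ike_sas(listing):
    """Return {peer_ip: {(id1, id2), ...}} from 'vpn tu' option (1) output."""
    sas, peer = {}, None
    for line in listing.splitlines():
        line = line.strip()
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            sas.setdefault(peer, set())
            continue
        m = SA_RE.search(line)
        if m and peer:
            sas[peer].add(m.groups())
    return sas

def bounce_status(before, after, peer):
    """Classify one peer: 'down', 'unchanged' or 'renegotiated'."""
    old = parse_ike_sas(before).get(peer, set())
    new = parse_ike_sas(after).get(peer, set())
    if not new:
        return "down"          # no IKE SA listed for the peer at all
    if new <= old:
        return "unchanged"     # only SAs that already existed before
    return "renegotiated"      # at least one SA with new identifiers

# Sample listings copied from the session above (menu text omitted).
OTHERS = """Peer 192.168.2.2, user md5 f1d8da7f8f1e75f1:
1. IKE SA <e5687f84f16b9c07,8ab4d63e7558eff4>:
Peer 64.64.64.64 SAs:
1. IKE SA <0c0f28cd3758876b,7ed08e082cd1c081>:
"""
BEFORE = OTHERS + """Peer 95.95.95.95 SAs:
1. IKE SA <6f4546e1f9819014,c41aa3f2c76cb39c>:
"""
DURING = OTHERS  # listing taken right after the delete: peer is gone
AFTER = OTHERS + """Peer 95.95.95.95 SAs:
1. IKE SA <0b4ae79cc8418e4d,240a90bf209d613f>:
"""

if __name__ == "__main__":
    for label, text in (("during", DURING), ("after", AFTER)):
        print(label, bounce_status(BEFORE, text, "95.95.95.95"))
```

A result of "down" on the final listing means the peer still has no IKE SA, so the tunnel has not come back.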
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
I have used option 7 to delete the IPsec and IKE SAs, but the tunnel did not come up.