VPN Commands
Overview
Description VPN commands generate status information regarding VPN processes, or are used to stop and start specific VPN services. All VPN commands are executed on the Security Gateway. The vpn command sends to the standard output a list of available commands.
Usage vpn
Comments Sends to the standard output a list of available commands.
vpn crl_zap
Description Erase all Certificate Revocation Lists (CRLs) from the cache.
Usage vpn crl_zap
Return Value 0 for success; any other value equals failure.
vpn crlview
Description Retrieve the Certificate Revocation List (CRL) from the certificate's distribution point and display it for the user. The command comes in three flavors:
- vpn crlview -obj <MyCA> -cert <MyCert>. The VPN daemon contacts the Certificate Authority called MyCA and locates the certificate called MyCert. It extracts the CRL distribution point from the certificate, then goes to the distribution point, which might be an LDAP or HTTP server. From the distribution point, the VPN daemon retrieves the CRL and displays it to the standard output.
- vpn crlview -f d:\temp\MyCert. The VPN daemon reads the certificate from the specified file, extracts the CRL distribution point from it, goes to the distribution point, retrieves the CRL, and displays it to the standard output.
- vpn crlview -view <latest_CRL>. If the CRL has already been retrieved, this command instructs the VPN daemon to display its contents to the standard output.
Usage vpn crlview -obj <object name> -cert <certificate name>
vpn crlview -f <filename>
vpn crlview -view
Syntax
Parameter | Description
-obj -cert | -obj refers to the name of the CA network object; -cert refers to the name of the certificate
-f | Refers to the filename of the certificate
-view | Views the CRL
-d | Debug option
Return Value 0 for success; any other value equals failure.
vpn debug
Description Instruct the VPN daemon to write debug messages to the VPN log file, $FWDIR/log/vpnd.elg. Debugging of the VPN daemon takes place according to topics and levels. A topic is a specific area on which to perform debugging; for example, if the topic is LDAP, all traffic between the VPN daemon and the LDAP server is written to the log file. Levels range from 1 to 5, where 5 means "write all debug messages".
This command makes use of TdError, a Check Point infrastructure for reporting messages and debug information. There is no fixed list of topics; the available topics depend on the application or module being debugged.
To debug all available topics, use ALL as the debug topic.
IKE traffic can also be logged. IKE traffic is logged to $FWDIR/log/IKE.elg.
Usage vpn debug < on [DEBUG_TOPIC=level] | off | ikeon | ikeoff | trunc | timeon <SECONDS> | timeoff >
vpn debug on [DEBUG_TOPIC=level] [timeon <SECONDS>] | off | timeoff
vpn debug ikeon | ikeoff [timeon <SECONDS>] | timeoff
vpn debug trunc
Syntax
Parameter | Description
on | Turns on high level VPN debugging.
on topic=level | Turns on the specified debug topic at the specified level. Log messages associated with this topic at the specified level (or higher) are sent to $FWDIR/log/vpnd.elg
off | Turns off all VPN debugging.
timeon/timeoff | Number of seconds to run the debug command
ikeon | Turns on IKE packet logging to $FWDIR/log/IKE.elg
ikeoff | Turns off IKE logging
trunc | Truncates the $FWDIR/log/IKE.elg file, switches the cyclic vpnd.elg (renames the current vpnd.elg file to vpnd0.elg and creates a new vpnd.elg), enables VPND and IKE debugging, and adds a timestamp to the vpnd.elg file.
Return Value 0 for success; any other value (typically -1 or 1) equals failure.
Example vpn debug on all=5 timeon 5
This writes all debugging information for all topics to the vpnd.elg file for five seconds.
Comments IKE logs are analyzed using the support utility IKEView.exe.
vpn drv
Description Install the VPN kernel (vpnk) and connect it to the firewall kernel (fwk), attaching the VPN driver to the firewall driver.
Usage vpn drv on|off
vpn drv stat
Syntax
Parameter | Description
on/off | Starts/stops the VPN kernel
stat | Returns the status of the VPN kernel (whether it is on or off)
vpn export_p12
Description Export information contained in the network objects database and write it in PKCS#12 format to a file with the .p12 extension.
Usage vpn export_p12 -obj <network object> -cert <certificate object> -file <filename> -passwd <password>
Syntax
Parameter | Description
-obj | Name of the gateway network object
-cert | Name of the certificate
-file | Name to give the exported .p12 file
-passwd | Password required to open the encrypted .p12 file
Return Value 0 for success; any other value equals failure.
Example vpn export_p12 -obj Gateway1 -cert MyCert -file mycert.p12 -passwd kdd432
vpn macutil
This command is related to Remote Access VPN, specifically Office mode, generating a MAC address per remote user. This command is relevant only when allocating IP addresses via DHCP.
Remote access users in Office mode receive an IP address which is mapped to a hardware or MAC address. This command displays a generated hardware or MAC address for each name you enter.
Usage vpn macutil <username>
Example vpn macutil John
Output
20-0C-EB-26-80-7D, "John"
vpn nssm_topology
Description Generate a topology (in NSSM format) and upload it to the NSSM server for use by clients.
Usage vpn nssm_topology -url <"url"> -dn <"dn"> -name <"name"> -pass <"password"> [-action <bypass|drop>] [-print_xml]
Syntax
Parameter | Description
-url | URL of the NSSM server
-dn | Distinguished name of the NSSM server, needed to establish an SSL connection
-name | Valid login name for the NSSM server
-pass | Valid password for the NSSM server
-action | Specifies the action the Symbian client should take if the packet is not destined for an IP address in the VPN domain. Legal options are Bypass (default) or Drop
-print_xml | The topology is in XML format. This flag writes that topology to a file in XML format.
vpn overlap_encdom
Description Display all overlapping VPN domains. Some IP addresses might belong to two or more VPN domains. The command alerts for overlapping encryption domains if one or both of the following conditions exist:
- The same VPN domain is defined for both gateways
- The gateway has multiple interfaces, and one or more of the interfaces have the same IP address and netmask
Usage vpn overlap_encdom [communities | traditional]
Syntax
Parameter | Description
communities | With this flag, all pairs of objects with overlapping VPN domains are displayed, but only if the objects (that represent VPN sites) are included in the same VPN community. This flag is also used if the same destination IP can be reached via more than one community.
traditional | Default flag. All pairs of objects with overlapping VPN domains are displayed.
Example vpn overlap_encdom communities
Output
c:\> vpn overlap_encdom communities
The objects Paris and London have overlapping encryption domains.
The overlapping domain is:
10.8.8.1 - 10.8.8.1
10.10.8.0 - 10.10.9.255
- This overlapping encryption domain generates a multiple entry points configuration in MyIntranet and RemoteAccess communities.
- Same destination address can be reached in more than one community (Meshed, Star). This configuration is not supported.
The objects Paris and Chicago have overlapping encryption domains.
The overlapping domain is:
10.8.8.1 - 10.8.8.1
- Same destination address can be reached in more than one community (MyIntranet, NewStar). This configuration is not supported.
The objects Washington and Tokyo have overlapping encryption domains.
The overlapping domain is:
10.12.10.68 - 10.12.10.68
10.12.12.0 - 10.12.12.127
10.12.14.0 - 10.12.14.255
- This overlapping encryption domain generates a multiple entry points configuration in Meshed, Star and NewStar communities.
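The overlap check that the output above illustrates, as an added example that is not Check Point's code: a standard-library Python script with constructed gateway objects and community membership (modelled on the sample output, not taken from any real configuration) that computes the overlapping address ranges for every pair of gateways and applies the communities/traditional filter described in the syntax table. All gateway names, domains and communities are assumed sample data.

```python
from ipaddress import ip_network
from itertools import combinations
# Constructed sample data modelled on the page's example output (not a real config).
VPN_DOMAINS = {                       # gateway object -> its VPN (encryption) domain
    "Paris": ["10.8.8.1/32", "10.10.8.0/23", "10.20.0.0/16"],
    "London": ["10.8.8.1/32", "10.10.8.0/23", "10.30.0.0/16"],
    "Chicago": ["10.8.8.1/32", "10.40.0.0/16"],
    "Washington": ["10.8.8.0/24"],    # overlaps others, but is in no community
    "Tokyo": ["10.50.0.0/16"],        # overlaps nothing
}
COMMUNITIES = {                       # community -> member gateway objects
    "MyIntranet": {"Paris", "London", "Chicago"},
    "RemoteAccess": {"Paris", "London"},
    "NewStar": {"Paris", "Chicago"},
}

def domain_overlap(domain_a, domain_b):
    """Address space common to two VPN domains, as merged 'first - last' ranges."""
    pieces = []
    for a in map(ip_network, domain_a):
        for b in map(ip_network, domain_b):
            if a.overlaps(b):
                pieces.append((max(a.network_address, b.network_address),
                               min(a.broadcast_address, b.broadcast_address)))
    merged = []
    for lo, hi in sorted(pieces):
        if merged and lo <= merged[-1][1] + 1:   # overlapping or adjacent: merge
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return [f"{lo} - {hi}" for lo, hi in merged]

def overlapping_pairs(mode="traditional", domains=VPN_DOMAINS, communities=COMMUNITIES):
    """Mirror `vpn overlap_encdom [communities|traditional]`: map each overlapping
    gateway pair to (overlapping ranges, communities both gateways belong to)."""
    found = {}
    for gw_a, gw_b in combinations(sorted(domains), 2):
        ranges = domain_overlap(domains[gw_a], domains[gw_b])
        shared = sorted(c for c, m in communities.items() if gw_a in m and gw_b in m)
        if ranges and (mode == "traditional" or shared):   # communities: same community only
            found[(gw_a, gw_b)] = (ranges, shared)
    return found

if __name__ == "__main__":
    for (gw_a, gw_b), (ranges, shared) in overlapping_pairs("communities").items():
        print(f"The objects {gw_a} and {gw_b} have overlapping encryption domains:")
        print("\n".join("  " + r for r in ranges))
        if len(shared) > 1:     # same destination reachable via more than one community
            print(f"- Reachable in more than one community ({', '.join(shared)})."
                  " This configuration is not supported.")
```

Running it in traditional mode also lists the Washington pairs, which the communities mode suppresses because Washington shares no community with the other gateways.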
vpn sw_topology
Description Download the topology for a Safe@ or Edge gateway.
Usage vpn [-d] sw_topology -dir <directory> -name <name> -profile <profile> [-filename <filename>]
Syntax
Parameter | Description
-d | Debug flag
-dir | Output directory for the file
-name | Nickname of the site, as it appears in the remote client
-profile | Name of the Safe@ or Edge profile for which the topology is created
-filename | Name of the output file
vpn tu
Description Launch the TunnelUtil tool, which is used to control VPN tunnels.
Usage vpn tu
vpn tunnelutil
Example vpn tu
Output
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
*******************************************
Further Info. When viewing Security Associations for a specific peer, the IP address must be given in dotted decimal notation.
vpn ver
Description Display the VPN major version number and build number.
Usage vpn ver [-k] -f <filename>
Syntax
Parameter | Description
ver | Displays the version name and version build number
-k | Displays the version name and build number and the kernel build number
-f | Prints the version number and build number to a text file.