Description VPN commands generate status information regarding VPN processes, or are used to stop and start specific VPN services. All VPN commands are executed on the Security Gateway. The vpn command sends to the standard output a list of available commands.
Usage vpn
Comments Sends to the standard output a list of available commands.
Description Erase all Certificate Revocation Lists (CRLs) from the cache.
Syntax
> vpn crl_zap
Return Value 0 for success; any other value equals failure.
Description Retrieve the Certificate Revocation List (CRL) from various distribution points and display it for the user. The command comes in three flavors:
vpn crlview -obj <MyCA> -cert <MyCert>. The VPN daemon contacts the Certificate Authority called MyCA and locates the certificate called MyCert. The VPN daemon extracts the CRL distribution point from the certificate, then goes to the distribution point, which might be an LDAP or HTTP server. From the distribution point, the VPN daemon retrieves the CRL and displays it on the standard output.
vpn crlview -f d:\temp\MyCert. The VPN daemon extracts the CRL distribution point from the certificate file, goes to the distribution point, retrieves the CRL, and displays the CRL on the standard output.
vpn crlview -view <latest_CRL>. If the CRL has already been retrieved, this command instructs the VPN daemon to display its contents on the standard output.
Syntax
> vpn crlview -obj <object name> -cert <certificate name>
> vpn crlview -f <filename>
> vpn crlview -view
| Parameter | Description |
|---|---|
| -obj <object name> -cert <certificate name> | Name of the CA object and of the certificate it issued; the VPN daemon reads the CRL distribution point from that certificate |
| -f <filename> | Refers to the filename of the certificate |
| -view | Views the CRL |
| -d | Debug option |
Return Value 0 for success; any other value equals failure.
Description Instruct the VPN daemon to write debug messages to the VPN log file, $FWDIR/log/vpnd.elg.
Debugging of the VPN daemon takes place according to topics and levels. A topic is a specific area on which to perform debugging; for example, if the topic is LDAP, all traffic between the VPN daemon and the LDAP server is written to the log file. Levels range from 1 to 5, where 5 means "write all debug messages".
This command makes use of TdError, a Check Point infrastructure for reporting messages and debug information. There is no fixed list of topics; it depends on the application or module being debugged. To debug all available topics, use ALL as the debug topic.
IKE traffic can also be logged. IKE traffic is logged to $FWDIR/log/IKE.elg.
Syntax
> vpn debug < on [DEBUG_TOPIC=level] | off | ikeon | ikeoff | trunc | timeon <SECONDS> | timeoff >
> vpn debug on [DEBUG_TOPIC=level] | off | timeon <SECONDS> | timeoff
> vpn debug ikeon | ikeoff | timeon <SECONDS> | timeoff
> vpn debug trunc
| Parameter | Description |
|---|---|
| on | Turns on high level VPN debugging. |
| DEBUG_TOPIC=level | Turns on the specified debug topic at the specified level. Log messages associated with this topic at the specified level (or higher) are sent to $FWDIR/log/vpnd.elg. |
| off | Turns off all VPN debugging. |
| timeon <SECONDS> | Number of seconds to run the debug command |
| ikeon | Turns on IKE packet logging to $FWDIR/log/IKE.elg |
| ikeoff | Turns off IKE logging |
| trunc | Truncates the log file |
Return Value 0 for success; any other value (typically -1 or 1) equals failure.
Example vpn debug on all=5 timeon 5
This writes all debugging information for all topics to the vpnd.elg file for five seconds.
Comments IKE logs are analyzed using the support utility IKEView.exe.
Description Install the VPN kernel (vpnk) and connect it to the firewall kernel (fwk), attaching the VPN driver to the Firewall driver.
Syntax
> vpn drv on|off
> vpn drv stat
| Parameter | Description |
|---|---|
| on\|off | Starts/stops the VPN kernel |
| stat | Returns the status of the VPN kernel, whether the kernel is on or off |
Description Export information contained in the network objects database and write it in the PKCS#12 format to a file with the p12 extension.
Syntax
> vpn export_p12 -obj <network object> -cert <certificate object> -file <filename> -passwd <password>
| Parameter | Description |
|---|---|
| -obj <network object> | Name of the gateway network object |
| -cert <certificate object> | Name of the certificate |
| -file <filename> | What the file with the p12 extension should be called |
| -passwd <password> | Password required to open the encrypted p12 file |
Return Value 0 for success; any other value equals failure.
Example vpn export_p12 -obj Gateway1 -cert MyCert -file mycert.p12 -passwd kdd432
This command is related to Remote Access VPN, specifically Office mode, generating a MAC address per remote user. This command is relevant only when allocating IP addresses via DHCP.
Remote access users in Office mode receive an IP address which is mapped to a hardware or MAC address. This command displays a generated hardware or MAC address for each name you enter.
Syntax
> vpn macutil <username>
Example vpn macutil John
Description Generate and upload a topology (in NSSM format) to the NSSM server for use by clients.
Syntax
> vpn nssm_topology -url <"url"> -dn <"dn"> -name <"name"> -pass <"password"> [-action <bypass|drop>] [-print_xml]
| Parameter | Description |
|---|---|
| -url <"url"> | URL of the NSSM server |
| -dn <"dn"> | Distinguished name of the NSSM server, needed to establish an SSL connection |
| -name <"name"> | Valid login name for the NSSM server |
| -pass <"password"> | Valid password for the NSSM server |
| -action <bypass\|drop> | Specifies the action the Symbian client should take if the packet is not destined for an IP address in the VPN domain. Legal options are bypass (default) or drop |
| -print_xml | The topology is in XML format. This flag writes that topology to a file in XML format. |
Description Display all overlapping VPN domains. Some IP addresses might belong to two or more VPN domains. The command alerts for overlapping encryption domains if one or both of the following conditions exist:
If the gateway has multiple interfaces, and one or more of the interfaces have the same IP address and netmask
Syntax
> vpn overlap_encdom [communities | traditional]
| Parameter | Description |
|---|---|
| communities | With this flag, all pairs of objects with overlapping VPN domains are displayed, but only if the objects (that represent VPN sites) are included in the same VPN community. This flag is also used if the same destination IP can be reached via more than one community. |
| traditional | Default flag. All pairs of objects with overlapping VPN domains are displayed. |
Example vpn overlap_encdom communities
Output
c:\> vpn overlap_encdom communitie
The objects Paris and London have overlapping encryption domains.
The overlapping domain is:
10.8.8.1 - 10.8.8.1
10.10.8.0 - 10.10.9.255
- This overlapping encryption domain generates a multiple entry points configuration in
- Same destination address can be reached in more than one community (Meshed, Star).
The objects Paris and Chicago have overlapping encryption domains.
The overlapping domain is:
10.8.8.1 - 10.8.8.1
- Same destination address can be reached in more than one community (MyIntranet, NewStar).
The objects Washington and Tokyo have overlapping encryption domains.
The overlapping domain is:
10.12.10.68 - 10.12.10.68
10.12.12.0 - 10.12.12.127
10.12.14.0 - 10.12.14.255
- This overlapping encryption domain generates a multiple entry points configuration in
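As an added example (not part of the Check Point documentation), a small Python parser that turns the overlap_encdom report above into structured records, so an administrator can audit which object pairs the tool flags as producing a multiple entry points configuration and how many addresses overlap; the sample text is constructed from the output shown on this page.

```python
import re
from ipaddress import IPv4Address

# Constructed sample, copied from the report shown on this page (two lines are cut off there too).
SAMPLE = """\
c:\\> vpn overlap_encdom communities
The objects Paris and London have overlapping encryption domains.
The overlapping domain is:
10.8.8.1 - 10.8.8.1
10.10.8.0 - 10.10.9.255
- This overlapping encryption domain generates a multiple entry points configuration in
- Same destination address can be reached in more than one community (Meshed, Star).
The objects Paris and Chicago have overlapping encryption domains.
The overlapping domain is:
10.8.8.1 - 10.8.8.1
- Same destination address can be reached in more than one community (MyIntranet, NewStar).
"""

PAIR_RE = re.compile(r"^The objects (\S+) and (\S+) have overlapping encryption domains\.$")
RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) - (\d+\.\d+\.\d+\.\d+)$")
COMMUNITIES_RE = re.compile(r"\(([^)]*)\)")


def parse_overlaps(text):
    """One record per object pair: overlapping ranges, the communities through which
    the same destination is reachable, and whether a MEP configuration is reported."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        pair = PAIR_RE.match(line)
        rng = RANGE_RE.match(line)
        if pair:
            records.append({"objects": pair.groups(), "ranges": [],
                            "communities": [], "mep": False})
        elif not records:
            continue  # prompt line before the first reported pair
        elif rng:
            records[-1]["ranges"].append(rng.groups())
        elif "multiple entry points" in line:
            records[-1]["mep"] = True
        elif "more than one community" in line:
            comms = COMMUNITIES_RE.search(line)
            records[-1]["communities"] = [c.strip() for c in comms.group(1).split(",")] if comms else []
    return records


def overlapping_addresses(record):
    """Number of IP addresses covered by all ranges of one record (ranges are inclusive)."""
    return sum(int(IPv4Address(last)) - int(IPv4Address(first)) + 1
               for first, last in record["ranges"])
```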
Description Download the topology for a Safe@ or Edge gateway.
Syntax
> vpn [-d] sw_topology -dir <directory> -name <name> -profile <profile> [-filename <filename>]
| Parameter | Description |
|---|---|
| -d | Debug flag |
| -dir <directory> | Output directory for the file |
| -name <name> | Nickname of the site which appears in the remote client |
| -profile <profile> | Name of the Safe@ or Edge profile for which the topology is created |
| -filename <filename> | Name of the output file |
Description Launch the TunnelUtil tool which is used to control VPN tunnels.
Syntax
> vpn tu
> vpn tunnelutil
Example vpn tu
Output
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
*******************************************
Further Info. When viewing Security Associations for a specific peer, the IP address must be given in dotted decimal notation.
Description Display the VPN major version number and build number.
Syntax
> vpn ver [-k] [-f <filename>]
| Parameter | Description |
|---|---|
| (no options) | Displays the version name and version build number |
| -k | Displays the version name and build number and the kernel build number |
| -f <filename> | Prints the version number and build number to a text file. |