
VPN Commands

In This Section:

Overview

vpn crl_zap

vpn crlview

vpn debug

vpn drv

vpn export_p12

vpn macutil

vpn nssm_topology

vpn overlap_encdom

vpn sw_topology

vpn tu

vpn ver

Overview

Description VPN commands generate status information about VPN processes, or stop and start specific VPN services. All VPN commands are executed on the Security Gateway. Run vpn with no arguments to send a list of the available commands to the standard output.

Usage vpn

Comments Sends to the standard output a list of available commands.

vpn crl_zap

Description Erase all Certificate Revocation Lists (CRLs) from the cache.

Syntax

> vpn crl_zap

Return Value 0 for success; any other value equals failure.

vpn crlview

Description Retrieve the Certificate Revocation List (CRL) from various distribution points and display it for the user. The command comes in three forms:

Syntax

> vpn crlview -obj <object name> -cert <certificate name>
> vpn crlview -f <filename>
> vpn crlview -view

Parameter

Description

-obj -cert

  • -obj refers to the name of the CA network object
  • -cert refers to the name of the certificate

-f

Refers to the filename of the certificate

-view

Views the CRL

-d

Debug option

Return Value 0 for success; any other value equals failure.

vpn debug

Description Instruct the VPN daemon to write debug messages to the VPN log file, $FWDIR/log/vpnd.elg. Debugging of the VPN daemon takes place according to topics and levels. A topic is a specific area on which to perform debugging; for example, if the topic is LDAP, all traffic between the VPN daemon and the LDAP server is written to the log file. Levels range from 1-5, where 5 means "write all debug messages".

This command makes use of TdError, a Check Point infrastructure for reporting messages and debug information. There is no fixed list of valid topics; the topics available depend on the application or module being debugged.

To debug all available topics, use: ALL for the debug topic.

IKE traffic can also be logged. IKE traffic is logged to $FWDIR/log/IKE.elg

Syntax

> vpn debug < on [DEBUG_TOPIC=level] | off | ikeon | ikeoff | trunc | timeon <SECONDS> | timeoff >
> vpn debug on [DEBUG_TOPIC=level] [timeon <SECONDS>] | off | timeoff
> vpn debug ikeon [timeon <SECONDS>] | ikeoff | timeoff
> vpn debug trunc

Parameter

Description

on

Turns on high level VPN debugging.

on topic=level

Turns on the specified debug topic on the specified level. Log messages associated with this topic at the specified level (or higher) are sent to $FWDIR/log/vpnd.elg

off

Turns off all VPN debugging.

timeon/timeoff

timeon <SECONDS> runs the debug for the given number of seconds and then stops it; timeoff removes the time limit.

ikeon

Turns on IKE packet logging to: $FWDIR/log/IKE.elg

ikeoff

Turns off IKE logging

trunc

Truncates the $FWDIR/log/IKE.elg file, switches the cyclic vpnd.elg (changes the current vpnd.elg file to vpnd0.elg and creates a new vpnd.elg), enables VPND and IKE debugging and adds a timestamp to the vpnd.elg file.

Return Value 0 for success; any other value (typically -1 or 1) equals failure.

Example vpn debug on all=5 timeon 5

This writes all debugging information for all topics to the vpnd.elg file for five seconds.

Comments IKE logs are analyzed using the support utility IKEView.exe.

vpn drv

Description Install the VPN kernel (vpnk) and connect it to the firewall kernel (fwk), attaching the VPN driver to the Firewall driver.

Syntax

> vpn drv on|off
> vpn drv stat

Parameter

Description

on/off

Starts/stops the VPN kernel

stat

Returns the status of the VPN kernel, whether the kernel is on or off

vpn export_p12

Description Export a certificate and its private key from the network objects database and write them in PKCS#12 format to a file with the .p12 extension.

Syntax

> vpn export_p12 -obj <network object> -cert <certificate object> -file <filename> -passwd <password>

Parameter

Description

-obj

Name of the gateway network object

-cert

Name of the certificate

-file

Name of the output .p12 file

-passwd

Password used to encrypt the .p12 file; it is required to open the file. The exported file contains the private key and the password is visible on the command line (shell history, process list), so treat both the file and the password as secrets.

Return Value 0 for success; any other value equals failure.

Example vpn export_p12 -obj Gateway1 -cert MyCert -file mycert.p12 -passwd kdd432

vpn macutil

Description Generate a MAC address for a Remote Access VPN user in Office Mode. The command is relevant only when Office Mode IP addresses are allocated via DHCP.

Remote access users in Office Mode receive an IP address which is mapped to a hardware (MAC) address. This command displays the generated MAC address for each user name you enter.

Syntax

> vpn macutil <username>

Example vpn macutil John

Output

20-0C-EB-26-80-7D, "John"

vpn nssm_topology

Description Generate and upload a topology (in NSSM format) to the NSSM server for use by clients.

Syntax

> vpn nssm_topology -url <"url"> -dn <"dn"> -name <"name"> -pass <"password">
[-action <bypass|drop>][-print_xml]

Parameter

Description

-url

URL of the NSSM server

-dn

Distinguished name of the NSSM server needed to establish an SSL connection

-name

Valid Login name for NSSM server

-pass

Valid password for NSSM server

-action

Specifies the action the Symbian client takes for a packet whose destination IP address is not in the VPN domain. Legal options are bypass (default) or drop

-print_xml

The topology is generated in XML format. This flag also writes that XML topology to a file.

vpn overlap_encdom

Description Display all overlapping VPN domains. Some IP addresses might belong to two or more VPN domains. The command alerts for overlapping encryption domains if one or both of the following conditions exist:

If the gateway has multiple interfaces, and one or more of the interfaces have the same IP address and netmask

Syntax

> vpn overlap_encdom [communities | traditional]

Parameter

Description

communities

With this flag, all pairs of objects with overlapping VPN domains are displayed -- but only if the objects (that represent VPN sites) are included in the same VPN community. This flag is also used if the same destination IP can be reached via more than one community.

traditional

Default flag. All pairs of objects with overlapping VPN domains are displayed.

Example vpn overlap_encdom communities

Output

c:\> vpn overlap_encdom communities
The objects Paris and London have overlapping encryption domains.
The overlapping domain is:
10.8.8.1 - 10.8.8.1
10.10.8.0 - 10.10.9.255
- This overlapping encryption domain generates a multiple entry points configuration in 
MyIntranet and RemoteAccess communities.
- Same destination address can be reached in more than one community (Meshed, Star). 
This configuration is not supported.
 
The objects Paris and Chicago have overlapping encryption domains. The overlapping domain is:
10.8.8.1 - 10.8.8.1
- Same destination address can be reached in more than one community (MyIntranet, NewStar). 
This configuration is not supported.
 
The objects Washington and Tokyo have overlapping encryption domains.
The overlapping domain is:
10.12.10.68 - 10.12.10.68
10.12.12.0 - 10.12.12.127
10.12.14.0 - 10.12.14.255
- This overlapping encryption domain generates a multiple entry points configuration in 
Meshed, Star and NewStar communities.
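The overlap check the command performs, re-implemented as an added example (this is not Check Point's code). Each gateway's encryption domain is modelled as a list of IPv4 networks and explicit "first - last" ranges; for every pair of gateways the intersection of the two domains is computed and printed in the same "first - last" form the command uses. With no community map every pair is checked, as with the default traditional flag; with a community map only pairs that share a VPN community are reported, as with communities. The gateway names, domains and community membership below are constructed for the example and are not taken from the page.

```python
"""Added example, not Check Point code: the check that vpn overlap_encdom
performs, over constructed encryption domains and communities."""
import ipaddress
from itertools import combinations

# Constructed encryption domains (a group object may mix networks and ranges).
DOMAINS = {
    "Paris":   ["10.8.8.0/24", "10.10.8.0/22"],
    "London":  ["10.8.8.1/32", "10.10.8.0/23", "192.168.5.0/24"],
    "Chicago": ["10.8.8.1/32", "172.16.0.0/16"],
    "Tokyo":   ["10.12.0.0/16", "172.16.10.0 - 172.16.10.255"],
}

# Constructed community membership; Tokyo is a member of no community.
COMMUNITIES = {
    "MyIntranet":   {"Paris", "London", "Chicago"},
    "RemoteAccess": {"Paris", "London"},
    "NewStar":      {"Paris", "Chicago"},
}


def to_ranges(domain):
    """Normalise a domain to a sorted, disjoint list of (first, last) ints."""
    ranges = []
    for item in domain:
        if "-" in item:
            lo, hi = (ipaddress.IPv4Address(x.strip()) for x in item.split("-"))
        else:
            net = ipaddress.IPv4Network(item, strict=False)
            lo, hi = net[0], net[-1]
        ranges.append((int(lo), int(hi)))
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:      # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def intersect(a, b):
    """Intersection of two sorted, disjoint range lists (linear merge-walk)."""
    i = j = 0
    out = []
    while i < len(a) and j < len(b):
        lo, hi = max(a[i][0], b[j][0]), min(a[i][1], b[j][1])
        if lo <= hi:
            out.append((lo, hi))
        if a[i][1] < b[j][1]:     # advance the list whose range ends first
            i += 1
        else:
            j += 1
    return out


def fmt(rng):
    """Render a range the way the command prints it: 'first - last'."""
    return f"{ipaddress.IPv4Address(rng[0])} - {ipaddress.IPv4Address(rng[1])}"


def shared_communities(g1, g2, communities):
    """Communities that contain both gateways (empty list if none)."""
    return sorted(c for c, members in communities.items() if {g1, g2} <= members)


def overlapping_domains(domains, communities=None):
    """Map (gw1, gw2) -> list of formatted overlap ranges.

    communities=None behaves like the default traditional flag (all pairs);
    a community -> members dict behaves like the communities flag (only
    pairs that share at least one community are reported).
    """
    norm = {name: to_ranges(d) for name, d in domains.items()}
    report = {}
    for g1, g2 in combinations(sorted(norm), 2):
        if communities is not None and not shared_communities(g1, g2, communities):
            continue
        overlap = intersect(norm[g1], norm[g2])
        if overlap:
            report[(g1, g2)] = [fmt(r) for r in overlap]
    return report


if __name__ == "__main__":
    for (g1, g2), ranges in overlapping_domains(DOMAINS, COMMUNITIES).items():
        print(f"The objects {g1} and {g2} have overlapping encryption domains.")
        print("The overlapping domain is:")
        for r in ranges:
            print(f"  {r}")
        print(f"  - shared communities: {', '.join(shared_communities(g1, g2, COMMUNITIES))}")
```

With the constructed data, Paris and London overlap on 10.8.8.1 and 10.10.8.0 - 10.10.9.255 in both modes, while the Chicago/Tokyo overlap on 172.16.10.0/24 appears only in traditional mode, because Tokyo shares no community with Chicago.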

vpn sw_topology

Description Download the topology for a Safe@ or Edge gateway.

Syntax

> vpn [-d] sw_topology -dir <directory> -name <name> -profile <profile> [-filename <filename>]

Parameter

Description

-d

Debug flag

-dir

Output directory for file

-name

Nickname of site which appears in remote client

-profile

Name of the Safe@ or Edge profile for which the topology is created

-filename

Name of the output file

vpn tu

Description Launch the TunnelUtil tool which is used to control VPN tunnels.

Syntax

> vpn tu
> vpn tunnelutil

Example vpn tu

Output

**********     Select Option     **********
 
(1)             List all IKE SAs
(2)             List all IPsec SAs
(3)             List all IKE SAs for a given peer (GW) or user (Client)
(4)             List all IPsec SAs for a given peer (GW) or user (Client)
(5)             Delete all IPsec SAs for a given peer (GW)
(6)             Delete all IPsec SAs for a given User (Client)
(7)             Delete all IPsec+IKE SAs for a given peer (GW)
(8)             Delete all IPsec+IKE SAs for a given User (Client)
(9)             Delete all IPsec SAs for ALL peers and users
(0)             Delete all IPsec+IKE SAs for ALL peers and users
 
(Q)             Quit
 
*******************************************

Further Info. When viewing Security Associations for a specific peer, the IP address must be given in dotted decimal notation.

vpn ver

Description Display the VPN major version number and build number.

Syntax

> vpn ver [-k] [-f <filename>]

Parameter

Description

ver

Displays the version name and version build number

-k

Displays the version name and build number and the kernel build number

-f

Prints the version number and build number to a text file.