IPSEC - Checkpoint Firewall - How to remove Security Associations
search cancel

IPSEC - Checkpoint Firewall - How to remove Security Associations

book

Article ID: 175697

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

When moving an IPSEC tunnel from one data center to another, it is recommended to clear the IPSEC SA's (Security Associations) to prevent sync issues with the old/new data center.  This is not something specific to Checkpoint, as any time a change from one IPSEC peer to another is made, the SA's should be cleared, regardless of Firewall/Router vendor. 

Environment

This article will focus on how to accomplish this via the CLI on a Checkpoint R80.20 Firewall

Resolution

From the CLI on a Checkpoint R80, issue the following commands:

vpn tu
- Or -
vpn tunnelutil

This command will return a menu to choose from, for example:

       ********** Select Option ********** 
    (1)  List all IKE SAs 
    (2)  List all IPsec SAs 
    (3)  List all IKE SAs for a given peer (GW) or user (Client) 
    (4)  List all IPsec SAs for a given peer (GW) or user (Client) 
    (5)  Delete all IPsec SAs for a given peer (GW) 
    (6)  Delete all IPsec SAs for a given User (Client) 
    (7)  Delete all IPsec+IKE SAs for a given peer (GW) 
    (8)  Delete all IPsec+IKE SAs for a given User (Client) 
    (9)  Delete all IPsec SAs for ALL peers and users 
    (0)  Delete all IPsec+IKE SAs for ALL peers and users 

    (Q)  Quit 
    *******************************************

List all the IPSEC SA's by selecting option #2, example:

    Peer 199.247.42.164 SAs:
        IKE SA <xxxxxxxxxxxxxx,xxxxxxxxxxxxxx>
            INBOUND: 
                1. 0xcdcc501f    (i:8) 
            OUTBOUND: 
                1. 0xd1c13a10    (i: 8)

Find the peer in the returned list of SA's that corresponds with the WSS tunnel.  The example above reflects a tunnel connected to the Chicago Data Center (Peer 199.247.42.164).  

To delete the SA's, issue the tunnel command one more time:

vpn tu
- Or -
vpn tunnelutil

This time select option #5 to delete SA's for a given peer.  Use the IP Address of the peer, as reflected in the previous listing of all IPSEC SA's.  In the example above the peer used for deleting the SA associated with that tunnel would be (199.247.42.164).

Issue the “VPN tu” command and again select option #2, to list all the SA’s.  Verify they have been removed.

 

Powered by Wolken Software