When moving an IPsec tunnel from one data center to another, it is recommended to clear the IPsec SAs (Security Associations) on the gateway so that SAs negotiated with the old peer do not linger and cause synchronization problems with the new one. This is not specific to Check Point: whenever an IPsec peer is changed, the SAs should be cleared, regardless of firewall/router vendor.
This article describes how to do this from the CLI of a Check Point R80.20 gateway.
From the CLI of the Check Point R80.20 gateway, issue the tunnel utility command (both forms are equivalent):
vpn tu - Or - vpn tunnelutil
This command returns a menu to choose from, for example:
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
List all the IPsec SAs by selecting option 2. Example output:
Peer 18.104.22.168 SAs:
    IKE SA <xxxxxxxxxxxxxx,xxxxxxxxxxxxxx>
    INBOUND:
        1. 0xcdcc501f (i:8)
    OUTBOUND:
        1. 0xd1c13a10 (i: 8)
Find the peer in the returned list of SAs that corresponds to the WSS tunnel. The example above reflects a tunnel connected to the Chicago Data Center (Peer 18.104.22.168).
To delete the SAs, issue the tunnel utility command once more:
vpn tu - Or - vpn tunnelutil
This time select option 5 (Delete all IPsec SAs for a given peer) and, when prompted, enter the IP address of the peer exactly as it appeared in the previous listing of IPsec SAs. In the example above, the peer used to delete the SAs for that tunnel is 18.104.22.168. Note that option 5 removes only the IPsec (Phase 2) SAs for that peer; to remove the IKE (Phase 1) SA with it as well, use option 7 instead. In either case the tunnel to that peer is down until it is renegotiated, so time this with the cutover to the new data center.
Issue the vpn tu command again and select option 2 to list all the SAs. Verify that the SAs for that peer have been removed.
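The listing and verification steps above are easy to get wrong on a busy gateway with many peers. The following script is an added example (not from the original article and not Check Point code): it parses a saved copy of the option 2 output, prints the inbound and outbound SPIs belonging to one peer, and reports whether that peer has any SAs left, which is the check the final step asks for. The two listings embedded in it are constructed to match the format shown above (the second peer, 192.0.2.10, is an assumed example address); to use it for real, copy the option 2 output from the terminal into a file and feed that file to the functions on stdin.

```shell
#!/bin/sh
# Added example, not part of the original article or of the vpn tu utility.
# Usage on a real gateway: save the option 2 output to a file, then run
#   peer_spis 18.104.22.168 < before.txt
#   peer_cleared 18.104.22.168 < after.txt && echo "cleared"

# Constructed listing in the format shown in the article, before deletion.
# 192.0.2.10 is an assumed second peer added for illustration.
SAMPLE_BEFORE='Peer 18.104.22.168 SAs:
    IKE SA <xxxxxxxxxxxxxx,xxxxxxxxxxxxxx>
    INBOUND:
        1. 0xcdcc501f (i:8)
    OUTBOUND:
        1. 0xd1c13a10 (i: 8)
Peer 192.0.2.10 SAs:
    IKE SA <yyyyyyyyyyyyyy,yyyyyyyyyyyyyy>
    INBOUND:
        1. 0x0a1b2c3d (i:3)
    OUTBOUND:
        1. 0x4e5f6071 (i: 3)'

# Constructed listing as it would look after option 5 was run for
# 18.104.22.168: only the other peer remains.
SAMPLE_AFTER='Peer 192.0.2.10 SAs:
    IKE SA <yyyyyyyyyyyyyy,yyyyyyyyyyyyyy>
    INBOUND:
        1. 0x0a1b2c3d (i:3)
    OUTBOUND:
        1. 0x4e5f6071 (i: 3)'

# peer_spis PEER_IP  < listing
# Prints the IPsec SPIs (0x... tokens) found under the "Peer <ip> SAs:" block
# for PEER_IP on one line, inbound first; exits 1 if the peer has no SAs.
peer_spis() {
    awk -v peer="$1" '
        /^Peer / { cur = $2; next }       # "Peer <ip> SAs:" opens a new block
        cur == peer {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^0x[0-9a-fA-F]+$/)
                    spis = (spis == "") ? $i : spis " " $i
        }
        END { if (spis == "") exit 1; print spis }
    '
}

# peer_cleared PEER_IP  < listing
# Succeeds (exit 0) when PEER_IP no longer has any SAs in the listing, which is
# what the "list again and verify" step should show after option 5.
peer_cleared() {
    ! peer_spis "$1" > /dev/null
}

# Stand-alone demonstration against the constructed listings.
printf 'Before: SPIs for 18.104.22.168: %s\n' \
    "$(printf '%s\n' "$SAMPLE_BEFORE" | peer_spis 18.104.22.168)"
if printf '%s\n' "$SAMPLE_AFTER" | peer_cleared 18.104.22.168; then
    echo "After: no SAs left for 18.104.22.168"
fi
```

Keep a copy of the "before" listing: if the peer still shows up afterwards with the same SPIs, the deletion did not take effect; if it shows up with new SPIs, the tunnel was simply renegotiated by traffic, which is expected once the new data center is in place.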