When moving an IPsec tunnel from one data center to another, it is recommended to clear the IPsec SAs (Security Associations) to prevent sync issues with the old/new data center. This is not something specific to Check Point: any time a change from one IPsec peer to another is made, the SAs should be cleared, regardless of firewall/router vendor.
This article will focus on how to accomplish this via the CLI on a Check Point R80.20 firewall.
From the CLI on a Check Point R80 gateway, issue one of the following commands:
vpn tu
- Or -
vpn tunnelutil
This command will return a menu to choose from, for example:
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
*******************************************
List all the IPsec SAs by selecting option 2. Example output:
Peer 199.247.42.164 SAs:
IKE SA <xxxxxxxxxxxxxx,xxxxxxxxxxxxxx>
INBOUND:
1. 0xcdcc501f (i:8)
OUTBOUND:
1. 0xd1c13a10 (i: 8)
Find the peer in the returned list of SAs that corresponds with the WSS tunnel. The example above reflects a tunnel connected to the Chicago Data Center (Peer 199.247.42.164).
To delete the SAs, issue the tunnel command one more time:
vpn tu
- Or -
vpn tunnelutil
This time select option 5 to delete the IPsec SAs for a given peer. Enter the IP address of the peer exactly as shown in the previous listing of all IPsec SAs. In the example above, the peer used for deleting the SAs associated with that tunnel would be 199.247.42.164.
Issue the vpn tu command once more and again select option 2 to list all the SAs. Verify that the SAs for that peer have been removed.
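As an added example (this is not part of the original article and not a Check Point tool), the POSIX shell helper below parses a saved copy of the option 2 listing in the format shown above and reports, per peer, how many inbound and outbound IPsec SPIs are present. It is meant for the before/after verification step: paste the listing into a file on the gateway, run the script with the file and the peer IP, and the exit status tells you whether that peer still has IPsec SAs. The listings embedded in the script are constructed samples (the second peer, 192.0.2.10, is a documentation address); the function and file names are the example's own.

```shell
#!/bin/sh
# Constructed sample of the "List all IPsec SAs" output (vpn tu, option 2),
# before the SAs for the Chicago peer are deleted. Two peers are listed.
SAMPLE_BEFORE='Peer 199.247.42.164 SAs:
    IKE SA <xxxxxxxxxxxxxx,xxxxxxxxxxxxxx>
    INBOUND:
      1. 0xcdcc501f (i:8)
    OUTBOUND:
      1. 0xd1c13a10 (i: 8)
Peer 192.0.2.10 SAs:
    IKE SA <yyyyyyyyyyyyyy,yyyyyyyyyyyyyy>
    INBOUND:
      1. 0x0a0b0c0d (i:8)
    OUTBOUND:
      1. 0x01020304 (i: 8)'

# Constructed sample of the same listing after option 5 was run for
# 199.247.42.164: that peer no longer appears, the other peer is untouched.
SAMPLE_AFTER='Peer 192.0.2.10 SAs:
    IKE SA <yyyyyyyyyyyyyy,yyyyyyyyyyyyyy>
    INBOUND:
      1. 0x0a0b0c0d (i:8)
    OUTBOUND:
      1. 0x01020304 (i: 8)'

# sa_summary LISTING
# Prints one line per peer: "<peer-ip> <inbound-spi-count> <outbound-spi-count>".
# SPI lines are the numbered "N. 0x........" entries under INBOUND:/OUTBOUND:.
sa_summary() {
    printf '%s\n' "$1" | awk '
        /^Peer [0-9.]+ SAs:/ {
            if (peer != "") print peer, inb, outb
            peer = $2; inb = 0; outb = 0; dir = ""
        }
        /INBOUND:/  { dir = "in" }
        /OUTBOUND:/ { dir = "out" }
        /^[ \t]*[0-9]+\. 0x[0-9a-fA-F]+/ {
            if (dir == "in") inb++
            else if (dir == "out") outb++
        }
        END { if (peer != "") print peer, inb, outb }'
}

# peer_has_sa PEER_IP LISTING
# Exit 0 if the peer still has at least one IPsec SPI in the listing, 1 if not.
peer_has_sa() {
    sa_summary "$2" | awk -v p="$1" '
        $1 == p && ($2 + $3) > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Usage on the gateway (hypothetical file name):
#   sh check_sa.sh /tmp/sa_after.txt 199.247.42.164
# Exit status 0 means the peer still has IPsec SAs, 1 means they are gone.
if [ -n "$1" ] && [ -n "$2" ]; then
    listing=$(cat "$1")
    sa_summary "$listing"
    if peer_has_sa "$2" "$listing"; then
        echo "peer $2 still has IPsec SAs"
        exit 0
    else
        echo "peer $2 has no IPsec SAs"
        exit 1
    fi
fi
```

Run it once against the listing captured before option 5 and once against the listing captured afterwards; the peer you cleared should drop out of the summary while every other peer keeps the same SPI counts, which confirms that only the intended tunnel was affected.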