Wednesday, May 19, 2010

Unable to delete vpn tunnels on a Checkpoint Gateway

SK33303 specifies the following:
Symptoms
  • Options 5 and 6 of the 'vpn -vs tu' command fail:

    (5) Delete all IPsec SAs for a given peer
    (6) Delete all IPsec+IKE SAs for a given peer

Working as a Managed Security Services Provider, I come across this issue on a daily basis. Instead of applying a hotfix, there is a workaround.

To remedy the issue, make your selection followed by a space and then the peer IP.
For example:
5 1.2.3.4
An additional workaround would be to use the VPN Shell command:

vpn shell /show/tunnels/IKE/all
vpn shell /show/tunnels/ipsec/all
vpn shell /show/tunnels/ike/peer/1.1.1.1
vpn shell /show/tunnels/ipsec/peer/1.1.1.1
vpn shell /tunnels/delete/all
vpn shell /tunnels/delete/IKE/all
vpn shell /tunnels/delete/IKE/peer/1.1.1.1
vpn shell /tunnels/delete/IPsec/all
vpn shell /tunnels/delete/IPsec/peer/1.1.1.1
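As an added example (not part of the original post or of Check Point's own tooling), the following POSIX shell wrapper builds the 'vpn shell' paths listed above for a given peer, validates the peer address before it reaches the gateway CLI, and offers a dry-run mode so the exact commands can be reviewed before any SA is torn down. It assumes 'vpn' is the gateway binary in PATH; the function names and the sample addresses are constructed here.

```shell
#!/bin/sh
# Added example wrapper around the 'vpn shell' tunnel paths from the post.
# Assumption: 'vpn' is the Check Point gateway CLI available in PATH.

# is_ipv4 ADDR: return 0 if ADDR is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    addr=$1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# tunnel_path ACTION PROTO [PEER]: print the 'vpn shell' path.
#   ACTION is show or delete; PROTO is IKE or IPsec;
#   PEER (optional) restricts the path to a single peer, else "all" is used.
tunnel_path() {
    action=$1; proto=$2; peer=$3
    case $action in
        show)   prefix="/show/tunnels/$proto" ;;
        delete) prefix="/tunnels/delete/$proto" ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    if [ -z "$peer" ]; then
        printf '%s/all\n' "$prefix"
    else
        is_ipv4 "$peer" || { echo "invalid peer address: $peer" >&2; return 1; }
        printf '%s/peer/%s\n' "$prefix" "$peer"
    fi
}

# reset_peer PEER [dry]: delete the IPsec SAs and then the IKE SA of one peer,
# the same scope as option 6 of 'vpn tu', so the next packet renegotiates.
# With "dry" as the second argument only the commands are printed.
reset_peer() {
    peer=$1; mode=$2
    ipsec=$(tunnel_path delete IPsec "$peer") || return 1
    ike=$(tunnel_path delete IKE "$peer") || return 1
    for path in "$ipsec" "$ike"; do
        if [ "$mode" = dry ]; then
            echo "vpn shell $path"
        else
            vpn shell "$path"
        fi
    done
}

# Usage: ./reset_peer.sh <peer-ip> [dry]
if [ $# -ge 1 ]; then
    reset_peer "$1" "${2:-}"
fi
```

Run it with the second argument set to dry first; only once the printed paths match the intended peer should it be run without it on the gateway, since deleting SAs for the wrong peer drops that tunnel until it renegotiates.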
