VPN encrptions domains

ShirtResponsible4233 · June 12, 2025, 7:09am

Hi,

I have a basic question regarding VPN encryption domains. I’m curious if there are any CLI command for that, which I can’t find.

Thanks in advance

cirkis · June 12, 2025, 7:09am

Creepy-Abrocoma8110 · June 12, 2025, 7:09am

Checkmates has some great one liners that you can run via cli on the gateway, or from smartconsole

greenlakejohnny · June 12, 2025, 7:09am

Once the tunnel is up, you can view the local vpn domain for each tunnel with the command `vpn tu tlist`. This would basically be the equivalent of `show crypto ipsec sa` on a Cisco router.

Viewing the full configuration is more difficult. The one-liner from CheckMates worked in R80.30 but I can’t get it working in R81.10.

ShirtResponsible4233 · June 12, 2025, 7:09am

Ok but which one of those? I cant see any specific one.

Creepy-Abrocoma8110 · June 12, 2025, 7:09am

I run this one on my gateways - it will return the encryption domain for every peer in the community.

if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *‘1’* ]]; then echo; tput bold; tput setab 1; echo ’ Not a firewall gateway! '; tput sgr0; echo; else if [[ `grep R80.40 /etc/cp-release | wc -l` != 0 ]]; then echo; tput bold; tput setab 1; echo -n ’ Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool! '; tput sgr0; echo; fi; fw tab -t vpn_routing -u | awk ‘NR>3 {$0=substr($0,2,28); gsub(“, “, “”); gsub(”; “, “”); gsub(”..”, "0x& "); print}’ | xargs printf “%d.%d.%d.%d %d.%d.%d.%d %d.%d.%d.%d\n” | awk ‘{print $3".“$1” - "$2}’ | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -k 5,5n -k 6,6n -k 7,7n -k 8,8n | sed ‘s/^/x/’ | sed ‘s/\./\n\t/4’ | awk ‘!x[$0]++’ | sed ‘/x/s/$/\n\tEncryption domain/’ | sed ‘s/x/\nVPN Gateway > /’ | if [[ $(cat /etc/cp-release) != *“Embedded”* ]]; then egrep -C 9999 --color=auto $‘VPN Gateway|Encryption domain’; else cat $1 | sed ‘s/^\t//’; fi; echo; fi; if [[ `grep R80.40 /etc/cp-release | wc -l` != 0 ]]; then tput bold; tput setab 1; echo -n ’ Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool! '; tput sgr0; echo; echo; fi

In case there’s issue with the copy/paste above - you can find the original here:

ShirtResponsible4233 · June 12, 2025, 7:09am

Hehe what a line.
Is there no more simple way?
Why does’nt it exists a inbuilt command for this, quite stranger?