How to use the "vpn tu" command for VPN tunnel management
Solution

vpn tu launches the TunnelUtil tool, which is used to control VPN tunnels.

Notes: 

  • Using this utility in production may cause the disconnection of active VPN connections if you choose the wrong option or pass the utility incorrect information.
  • The vpn tu command shows the Security Gateway's Main IP address, not the VPN public IP address / Link Selection IP address.


General Syntax

Run one of the following commands from the command line on the Security Gateway:

vpn tu
or
vpn tunnelutil

This command will bring up a menu for you to choose from.

Example of R80.x menu:

********** Select Option **********

(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

(Q) Quit

*******************************************

  • If you are not certain what Phase 1 SAs are active on your gateway, select option 1 for all of them or option 3 if you know the IP address of the remote host involved with that SA. 
  • If you are not certain what Phase 2 SAs are active on your gateway, select option 2 for all of them or option 4 if you know the IP address of the remote host involved with that SA. 
  • Once you know which IKE or IPsec SAs exist on your gateway, select options 5 through 0 from this menu to delete those SAs according to your needs.
    As a result, you can check which VPN tunnels are established, partially or fully, and you can tear down existing VPN tunnels so that they are required to re-establish their VPN connection.
  • When viewing Security Associations for a specific peer, the IP address must be given in dotted decimal notation.
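
Because a wrong option or a mistyped peer address can drop active tunnels, a planned action can be checked before the menu is opened. The following pre-flight check is an added example, not Check Point code and not part of the original article; it never runs vpn tu, and the function names and the ALL-PEERS confirmation word are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a planned "vpn tu" menu action (R80.x menu above).
# It does not call vpn tu; it only decides whether the plan should go ahead.

# Succeeds only for a dotted-decimal IPv4 address: four octets, each 0-255.
valid_dotted_decimal() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # empty, stray characters, empty octet
    esac
    IFS=.
    set -- $1                                # split on dots (digits and dots only here)
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Prints "<effect> <scope>" for a menu option, following the menu on this page.
option_profile() {
    case $1 in
        1|2) echo "list all" ;;
        3|4) echo "list peer" ;;
        5|7) echo "delete peer" ;;
        6|8) echo "delete user" ;;
        9|0) echo "delete all" ;;
        *)   return 1 ;;
    esac
}

# preflight OPTION [PEER_IP] [CONFIRM_WORD]
# Prints one verdict line; returns 0 only if the planned action may proceed.
preflight() {
    profile=$(option_profile "$1") || { echo "REJECT: unknown menu option"; return 1; }
    case $profile in
        "delete all")   # options 9 and 0 affect every peer and user
            [ "${3:-}" = "ALL-PEERS" ] || { echo "REJECT: option $1 needs ALL-PEERS confirmation"; return 1; } ;;
        *peer)          # per-peer options take an IP address in dotted decimal
            valid_dotted_decimal "${2:-}" || { echo "REJECT: peer must be a dotted-decimal IP address"; return 1; } ;;
    esac
    echo "OK: $profile"
}

# Constructed sample plans (addresses are from the 192.0.2.0/24 documentation range).
preflight 3 192.0.2.10
preflight 7 192.0.2.999 || true
preflight 0 || true
```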

 

Advanced Syntax

vpn tu

    help
    del <options>
    list <options>
    mstats
    tlist <options>

Where

  • help  - Shows the available advanced commands
  • del <options> - Deletes IPsec and IKE SAs
  • list <options> - Shows IPsec and IKE SAs
  • mstats - Shows distribution of VPN tunnels (SPIs) between CoreXL FW instances
  • tlist <options> - Shows information about VPN tunnels

For more information, see the R80.30 Command Line Interface (CLI) Reference Guide.


Applies To:
  • sk115028 has been merged into sk33853