VPN Tunnel Utility - Bug?

[lammbo]

Can someone confirm a bug in R65 for me?

I am a frequent user of the VPN Tunnel utility and had need to use it yesterday. What I found was not the utility I know and love, but something totally useless and unusable instead.

On R60 (HFA_04):
In expert mode, type: 'vpn tu'
1) Pick an option - let's say 4 - List all IPsec SAs for a given peer (GW) or user (Client) then hit enter
2) Hey look, it's asking for an IP address and pauses
3) Type in the IP, hit enter
4) A list is generated for that peer IP and then you get 'press any key to continue'

On R65 (HFA_02):
In expert mode, type: 'vpn tu'
1) Pick an option - let's say 4 again to keep it consistent - List all IPsec SAs for a given peer (GW) or user (Client) then hit enter
2) Hey look, it's asking for an IP address and keeps on going, never giving you the opportunity to put in an IP - it goes straight to press any key

Any listing generated shows ALL IPSec SA's. Consequently, it is impossible to delete any phase 1 or phase 2 keys using the utility for any peer since the IP input is passed over.


Well, at least this is what happens on my system (SPLAT R65 HFA_02, Active/Passive HA Cluster)

[stuartgreen]

confirmed... =(


I get the same thing for options 4 / 8. Also on R65 / SPLAT / HFA_02.


Very odd isn't it...

[RobertGraham]

I'm running R65 HFA01 in the lab. I'll test this later and post the results.

[dsb.nepo]

I can confirm this only with option 3),5) and 7) at SPLAT R65 HFA_02

[cciesec2006]

I can confirm that I get the same issue with R65 HFA-02 running on both
SPLAT and Nokia IP380

[lammbo]

Quote:

Originally Posted by dsb.nepo

I can confirm this only with option 3),5) and 7) at SPLAT R65 HFA_02

Now that's interesting. What platform? Although, I wouldn't think this would matter. I'm guessing that the menu system for this is from the VPN-1 module, which is why the Nokia was similarly affected.

So, we're waiting on confirmation for HFA_01 and R65 base.

I opened a ticket with my VAR/NOC today and they also confirmed. I'll have them submit it.

Thanks! This is one of those things they'll probably turn out a hotfix for in no time...

[RobertGraham]

It's confirmed, this is the SK #sk33393. Check Point Support offers a HotFix to resolve this issue. You need to open a ticket to get it.

[lammbo]

Quote:

Originally Posted by RobertGraham

It's confirmed, this is the SK #sk33393. Check Point Support offers a HotFix to resolve this issue. You need to open a ticket to get it.

That sk listing is for R60A and only options 5 and 6. I would be surprised if they have a hotfix for this version yet.

[lammbo]

CheckPoint will have a hotfix for this very soon but they have provided a workaround in the meantime.

To traverse the error, enter the option number followed by a space and then the IP you are targeting, then hit enter. The command line menu will accept, store and use both parameters as valid input.

I will be declining the hotfix as a standalone since this is an acceptable solution and I don't like installing standalone hotfixes unless I must.