CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: VPN PreShare Key cmd/clish

  1. #1
    Join Date
    2018-03-04
    Posts
    1
    Rep Power
    0

    Default VPN PreShare Key cmd/clish

    Hi,

    Does anyone know the CMD to see/configure the VPN pre-shared keys in Check Point R80.10 in CLISH?

    In Fortinet the PSK is saved in the config File like:

    set remote-gw 77.56.199.43
    set psksecret ENC Sqjxee+N3ZaTG2lL..........wa27N+XALaSxVQ==

    Maybe in the active connections?
    grep radius /config/active
    ....
    aaa:auth_profile:base_radius_authprofile:radius_srv:0:secret \ lDGLiWozsw==

    So instead of radius maybe vpn?
    grep vpn /config/active

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,637
    Rep Power
    9

    Default Re: VPN PreShare Key cmd/clish

    As far as I know you can't see it via clish. It's stored in a database that is accessed via SmartDashboard by editing the VPN community.

  3. #3
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,488
    Rep Power
    16

    Default Re: VPN PreShare Key cmd/clish

    And like I said over on CheckMates, you can't see it.
    If you forget it, you have to reset it.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  4. #4
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    272
    Rep Power
    12

    Default Re: VPN PreShare Key cmd/clish

    Shared secrets are definitely stored in the clear (or with reversible encryption) somewhere on the SmartCenter. I haven't tracked down just where yet, but the evidence is pretty clear. If you create a VPN community using shared secrets with one firewall, then you add a second firewall to the same community, you don't need to enter the shared secret again.

    My bet is they're saved in the objects_5_0.C file on pre-R80-family SmartCenters. It shouldn't be hard to prove this in a lab, it just takes time. Here are the general steps I would use to figure out which files are interesting:

    1. Set up a SmartCenter and firewall in a lab
    2. Build a VPN which authenticates via shared secret
    3. ls -ARl / > ~/beforeChange.txt
    4. Change the shared secret
    5. ls -ARl / > ~/afterChange.txt
    6. Copy the beforeChange and afterChange files down to another system
    7. diff beforeChange.txt afterChange.txt


    My guess is that part would take about an hour for an experienced Check Point admin. The firewall and SmartCenter can be the same box, since it isn't like you need to actually get the VPN working. You just need the configuration to exist. If you wanted to test with a working VPN to prove the new shared secret works, that should only take another hour or so.

    Once you know which files to care about, grab copies of them after that first change, then repeat the process with a second change to the shared secret. Compare the contents, and it should be pretty obvious which file has the shared secrets.
    Zimmie
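    As an added example (not code from the thread or from Check Point): the before/after file comparison in the steps above, done with per-file content hashes instead of ls -l listings, so a file rewritten in place with the same size and timestamp is still reported. It runs against a constructed temporary tree; the real paths and file names on a SmartCenter are not assumed.

```shell
#!/bin/sh
# Added example, not from the thread: a hash-based version of the
# before/after comparison in post #4. "ls -ARl" compares timestamps
# (minute granularity) and sizes only; recording a SHA-256 per file
# catches a rewrite that leaves both unchanged.
# Assumes POSIX sh with find, sha256sum, sort and awk (GNU coreutils).

# snapshot DIR OUTFILE: one "hash  path" line per regular file under DIR
snapshot() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2 > "$2"
}

# changed_files BEFORE AFTER: print paths that are new in AFTER or whose
# hash differs from BEFORE (snapshot ordering does not matter)
changed_files() {
    awk 'NR == FNR { before[$2] = $1; next }
         !($2 in before) || before[$2] != $1 { print $2 }' "$1" "$2"
}

# demo: constructed stand-in for a management server config tree; the
# real tree and file names on a SmartCenter are not known to this script.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf"
    printf 'community=site-a\nsecret=first\n' > "$tmp/conf/objects.C"
    printf 'untouched\n' > "$tmp/conf/other.txt"
    snapshot "$tmp/conf" "$tmp/before.txt"
    # simulate "change the shared secret" touching exactly one file
    printf 'community=site-a\nsecret=second\n' > "$tmp/conf/objects.C"
    snapshot "$tmp/conf" "$tmp/after.txt"
    changed_files "$tmp/before.txt" "$tmp/after.txt"
    rm -rf "$tmp"
}
```

    Once the files that change with the secret are known, they are the ones to keep out of shared backups and exports and to watch with file-integrity monitoring.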

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,637
    Rep Power
    9

    Default Re: VPN PreShare Key cmd/clish

    Quote Originally Posted by Bob_Zimmerman
    Shared secrets are definitely stored in the clear (or with reversible encryption) somewhere on the SmartCenter. I haven't tracked down just where yet, but the evidence is pretty clear. If you create a VPN community using shared secrets with one firewall, then you add a second firewall to the same community, you don't need to enter the shared secret again.

    My bet is they're saved in the objects_5_0.C file on pre-R80-family SmartCenters. It shouldn't be hard to prove this in a lab, it just takes time. Here are the general steps I would use to figure out which files are interesting:

    1. Set up a SmartCenter and firewall in a lab
    2. Build a VPN which authenticates via shared secret
    3. ls -ARl / > ~/beforeChange.txt
    4. Change the shared secret
    5. ls -ARl / > ~/afterChange.txt
    6. Copy the beforeChange and afterChange files down to another system
    7. diff beforeChange.txt afterChange.txt


    My guess is that part would take about an hour for an experienced Check Point admin. The firewall and SmartCenter can be the same box, since it isn't like you need to actually get the VPN working. You just need the configuration to exist. If you wanted to test with a working VPN to prove the new shared secret works, that should only take another hour or so.

    Once you know which files to care about, grab copies of them after that first change, then repeat the process with a second change to the shared secret. Compare the contents, and it should be pretty obvious which file has the shared secrets.
    My guess based on a few searches is the PSK is stored in fwauth.NDB. I don't know what data store format that file is. Maybe something that Check Point cooked up? Was thinking maybe a Sleepycat (or whatever the old pre-SQLite-like database is called) but after poking around I'm not so sure.

  6. #6
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,488
    Rep Power
    16

    Default Re: VPN PreShare Key cmd/clish

    fwauth.NDB may be where it is stored, not sure.
    Regardless, there is no supported method to "show" the PSK any longer (yes, it used to show in plaintext in SmartDashboard ages ago).
    If you forget it, you have to reset it.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
