To rekey a Netscreen VPN you clear either the Phase 1 or the Phase 2 "keys" from the gateway. Phase 1 is the IKE cookie (the IKE SA negotiated between the peers); Phase 2 is the IPsec SA (Security Association) that actually carries the tunnel traffic. Clearing Phase 2 alone forces a new IPsec SA under the existing IKE SA; clearing Phase 1 forces the whole negotiation to start again.
To see an overview of your VPNs, run `get vpn`.
To list the current IKE cookies or the active SAs, run one of the following:
get ike cookies
get sa active
To clear either of these, run one of the following:
clear ike-cookie [gateway ip]
clear sa [id]
Below is an example of clearing a VPN's SAs:
ns5gt-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000007< 10.1.1.25 500 esp:3des/md5 ef1d167f 3317 unlim A/- 22 0
00000007> 10.1.1.25 500 esp:3des/md5 fbcb64ee 3317 unlim A/- -1 0
ns5gt-> clear sa 00000007
ns5gt-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000007< 10.1.1.25 500 esp:3des/md5 ef1d1680 3592 unlim A/- 22 0
00000007> 10.1.1.25 500 esp:3des/md5 bd1cbef7 3592 unlim A/- -1 0
The main thing is to list only the active SAs (`get sa active`), because the firewall will not let you clear an inactive SA. An SA is active when its "Sta" (State) column reads A/-. Also note that `clear sa` takes the Hex ID alone, without the < or > direction marker, and that one Hex ID covers both the inbound and outbound half of the SA. You can confirm the rekey from the second `get sa active`: the same Hex ID is back with new SPIs (ef1d167f/fbcb64ee became ef1d1680/bd1cbef7) and the Life:sec counter has been reset (3317 to 3592).
See Fir3net's Netscreen site-to-site VPN troubleshooting guide for more.
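The steps above are typed at the ScreenOS CLI, but when you maintain many tunnels it helps to script the bookkeeping: pick out the Hex IDs that are in state A/- (the only ones `clear sa` will accept), generate the `clear sa` commands, and then compare the SPIs and lifetimes before and after to confirm the rekey actually happened. The Python below is an added example, not code from the original article or from Juniper; the `get sa` output it parses is constructed to match the column layout shown above, and the I/I state used for the inactive SA is an assumption made only to exercise the filter.

```python
"""Parse NetScreen `get sa` output, select the SAs that can be cleared, and
confirm a rekey by comparing SPIs and lifetimes before and after the clear.

Added example, not from the original article. BEFORE/AFTER are constructed
samples mirroring the column layout on the page; the "I/I" state on the
second SA is an assumed marker for an inactive SA."""

import re
from typing import Dict, List

# Columns: HEX ID(+direction) Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
_ROW = re.compile(
    r"^(?P<hexid>[0-9a-fA-F]{8})(?P<dir>[<>])\s+"
    r"(?P<gateway>\S+)\s+(?P<port>\d+)\s+(?P<alg>\S+)\s+"
    r"(?P<spi>[0-9a-fA-F]+)\s+(?P<life_sec>\d+)\s+(?P<kb>\S+)\s+"
    r"(?P<sta>\S+)\s+(?P<pid>-?\d+)\s+(?P<vsys>\d+)\s*$"
)

# Constructed `get sa` output taken before `clear sa`.
BEFORE = """\
Total active sa: 1
total configured sa: 2
HEX ID    Gateway      Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000007< 10.1.1.25    500  esp:3des/md5  ef1d167f 3317     unlim A/- 22  0
00000007> 10.1.1.25    500  esp:3des/md5  fbcb64ee 3317     unlim A/- -1  0
00000009< 10.1.1.40    500  esp:3des/md5  00000000 0        unlim I/I -1  0
00000009> 10.1.1.40    500  esp:3des/md5  00000000 0        unlim I/I -1  0
"""

# Constructed output after `clear sa 00000007`: new SPIs, lifetime reset.
AFTER = """\
Total active sa: 1
total configured sa: 2
HEX ID    Gateway      Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000007< 10.1.1.25    500  esp:3des/md5  ef1d1680 3592     unlim A/- 22  0
00000007> 10.1.1.25    500  esp:3des/md5  bd1cbef7 3592     unlim A/- -1  0
00000009< 10.1.1.40    500  esp:3des/md5  00000000 0        unlim I/I -1  0
00000009> 10.1.1.40    500  esp:3des/md5  00000000 0        unlim I/I -1  0
"""


def parse_sa_table(text: str) -> List[Dict[str, str]]:
    """Return one dict per SA row; the summary and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def clearable_sa_ids(rows: List[Dict[str, str]]) -> List[str]:
    """Hex IDs in an active state (Sta begins with 'A/'), deduplicated across
    the inbound (<) and outbound (>) halves, in first-seen order. `clear sa`
    takes the bare Hex ID, so the direction marker is dropped."""
    seen: List[str] = []
    for r in rows:
        if r["sta"].startswith("A/") and r["hexid"] not in seen:
            seen.append(r["hexid"])
    return seen


def clear_commands(ids: List[str]) -> List[str]:
    """The CLI commands to paste into the firewall, one per active SA."""
    return [f"clear sa {i}" for i in ids]


def rekeyed(before: str, after: str, hexid: str) -> bool:
    """True when both directions of `hexid` carry a new SPI after the clear
    and the lifetime counter has moved back up, which is what a successful
    rekey looks like in `get sa active`."""
    b = {r["dir"]: r for r in parse_sa_table(before) if r["hexid"] == hexid}
    a = {r["dir"]: r for r in parse_sa_table(after) if r["hexid"] == hexid}
    if set(b) != {"<", ">"} or set(a) != {"<", ">"}:
        return False
    return all(
        a[d]["spi"] != b[d]["spi"]
        and int(a[d]["life_sec"]) > int(b[d]["life_sec"])
        for d in ("<", ">")
    )


if __name__ == "__main__":
    ids = clearable_sa_ids(parse_sa_table(BEFORE))
    for cmd in clear_commands(ids):
        print(cmd)                                          # clear sa 00000007
    print("rekeyed:", rekeyed(BEFORE, AFTER, "00000007"))   # rekeyed: True
```

Only 00000007 is emitted as a `clear sa` target because 00000009 is not in state A/-; the firewall would reject it anyway. `rekeyed()` compares each direction separately, so an SA where only one half renegotiated is reported as not rekeyed.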