[Swan] GW To GW IPSec connection between CheckPoint and Libreswan

Amir Naftali amir at fortycloud.com
Wed Oct 28 14:57:15 UTC 2015

Hi All

Thank you for supporting this important opensource initiative.

I'm using libreswan(3.15)/netkey running on an AWS/EC2/Ubuntu/14.04 machine
to connect to a CheckPoint device where the CP device is configured to
establish an SA per GW (as opposed to per subnet pair).

This means that the negotiated subnets during IPSec phase that the CP
devices will send and accept are and

The connection can be established but once the IPSec phase is complete it
will install xfrm policies that will shutdown communication (src
dst [in/out/fwd]...)

Since libreswan installs xfrm policies automatically I thought to use the
leftupdown option to write a script that manages xfrm policies myself
(basically allow the wildcard to be negotiated during IPSec phase but
afterwards install more specific xfrm policies so communication will not

My script works fine until IPSec re-key happens; once re-key happens, swan
installs an xfrm policy w/o making a call to the leftupdown script I
provide. The newly installed xfrm policy is not complete and looks like this
(I call it partial since it only deploys the "out" policy w/o the "in" and

Here is what the partial policy looks like:

src dst
dir out priority 3128
tmpl src <my ip> dst <remote ip>
proto esp reqid 16401 mode tunnel

The above policy also shut down my communication to/from the machine.

Here is my connection config...

conn connLG
left=<my ip>
leftid=<my id>
right=<right ip>
rightid=<right id>

My questions are:

1) Is this the right way to do it (how else can I connect to a peer device
that negotiates wildcard subnets)?
2) How can I better control xfrm policies (there are more options I would
like to use like mark and using multiple tmpl in the same policy) that are
not supported by libreswan?
3) Is the behaviour I described above regarding IPSec re-key and partial
xfrm policy instrumentation a known issue, or am I missing something here
in how it should work?

I would appreciate any response regarding this one.

Kind Regards,

*Amir Naftali* | *CTO and Co-Founder | +972 54 497 2622*
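As an added illustration (not the poster's script or anything shipped with libreswan), here is the shape a leftupdown helper of the kind described in the post could take: it installs the full out/in/fwd policy triple for one specific subnet pair, with the ESP tunnel template carrying the reqid pluto assigned, and removes it on down-client. It assumes the PLUTO_* variables libreswan exports to updown scripts (PLUTO_VERB, PLUTO_ME, PLUTO_PEER, PLUTO_REQID); LOCAL_NET and REMOTE_NET are assumed operator-supplied variables, and XFRM_DRY_RUN is a constructed switch for printing the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the poster's script: minimal leftupdown helper that
# installs specific xfrm policies after a wildcard-selector SA comes up.
# Assumes libreswan's PLUTO_VERB, PLUTO_ME, PLUTO_PEER, PLUTO_REQID.
# LOCAL_NET / REMOTE_NET are assumed operator-set variables (constructed).
# XFRM_DRY_RUN=1 prints the ip(8) commands instead of executing them.

run() {
    if [ "${XFRM_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One policy per direction. "out" carries local->remote traffic; "in" and
# "fwd" carry remote->local, so selectors and template endpoints are swapped.
# A numerically lower priority than pluto's own policy wins xfrm lookup.
xfrm_policy() {
    action="$1"   # add or delete
    for dir in out in fwd; do
        if [ "$dir" = "out" ]; then
            src="$LOCAL_NET"; dst="$REMOTE_NET"; tsrc="$PLUTO_ME"; tdst="$PLUTO_PEER"
        else
            src="$REMOTE_NET"; dst="$LOCAL_NET"; tsrc="$PLUTO_PEER"; tdst="$PLUTO_ME"
        fi
        if [ "$action" = "add" ]; then
            run ip xfrm policy add src "$src" dst "$dst" dir "$dir" priority 1000 \
                tmpl src "$tsrc" dst "$tdst" proto esp reqid "$PLUTO_REQID" mode tunnel
        else
            run ip xfrm policy delete src "$src" dst "$dst" dir "$dir"
        fi
    done
}

# Dispatch on the verb pluto passes; other verbs (prepare-, route-,
# unroute-) are left to libreswan's default handling.
updown_main() {
    case "$PLUTO_VERB" in
        up-client)   xfrm_policy add ;;
        down-client) xfrm_policy delete ;;
        *)           : ;;
    esac
}

updown_main
```

Run it with XFRM_DRY_RUN=1 and the PLUTO_* variables set by hand to review the exact `ip xfrm policy` commands before wiring it into leftupdown.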
