[Swan] GW To GW IPSec connection between CheckPoint and Libreswan
Paul Wouters
paul at nohats.ca
Wed Oct 28 23:44:07 UTC 2015
If your endpoints are on static IP, you should put a type=passthrough in with left/right set to those IP addresses. That will exclude them from being caught in the 0/0, because passthrough has a higher priority.
Sent from my iPhone
> On Oct 28, 2015, at 15:57, Amir Naftali <amir at fortycloud.com> wrote:
>
> Hi All
>
> Thank you for supporting this important opensource initiative.
>
> I'm using libreswan(3.15)/netkey running on an AWS/EC2/Ubuntu/14.04 machine to connect to a CheckPoint device where the CP device is configured to establish an SA per GW (as opposed to per subnet pair)
>
> This means that the negotiated subnets during IPSec phase that the CP devices will send and accept are 0.0.0.0/0 and 0.0.0.0/0
>
> The connection can be established but once the IPSec phase is complete it will install xfrm policies that will shutdown communication (src 0.0.0.0/0 dst 0.0.0.0/0 [in/out/fwd]...)
>
> Since libreswan installs xfrm policies automatically I thought to use the leftupdown option to write a script that manages xfrm policies myself (basically allow the wildcard to be negotiated during IPSec phase but afterwards install more specific xfrm policies so communication will not shut down).
>
> My script works fine until IPSec re-key happens; once re-key happens swan installs an xfrm policy w/o making a call to the leftupdown script I provide. The newly installed xfrm policy is not complete and looks like this (I call it partial since it only deploys the "out" policy w/o the "in" and "fwd")
>
> Here is what the partial policy looks like
>
> src 0.0.0.0/0 dst 0.0.0.0/0
> dir out priority 3128
> tmpl src <my ip> dst <remote ip>
> proto esp reqid 16401 mode tunnel
>
> The above policy also shut down my communication to/from the machine.
>
> Here is my connection config...
>
> conn connLG
> connaddrfamily=ipv4
> authby=secret
> dpdaction=restart_by_peer
> dpddelay=30
> dpdtimeout=120
> forceencaps=yes
> ike=aes128-sha1;modp1024
> ikelifetime=86400s
> keyingtries=3
> left=<my ip>
> leftid=<mu id>
> leftsubnets=0.0.0.0/0
> leftupdown="/etc/ipsec.d/myUpDown.sh"
> pfs=yes
> phase2alg=aes128-sha1
> right=<right ip>
> rightid=<right id>
> rightsubnets=0.0.0.0/0
> salifetime=180s
>
> My questions are:
>
> 1) Is this the right way to do it (how else can I connect to a peer device that negotiates wildcard subnets)?
> 2) How can I better control xfrm policies (there are more options I would like to use like mark and using multiple tmpl in the same policy) that are not supported by libreswan?
> 3) Is the behaviour I described above regarding IPSec re-key and partial xfrm policy instrumentation a known issue, or am I missing something here in how it should work?
>
> I will appreciate any response regarding this one
>
> Kind Regards,
>
>
> Amir Naftali | CTO and Co-Founder | +972 54 497 2622
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
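As an added illustration of the passthrough approach suggested in the reply above (this is not configuration from the original thread or from the libreswan project), here is how the exception connection could sit next to the existing 0/0 tunnel in ipsec.conf. The name connLG-passthrough, authby=never and auto=route are assumptions; <my ip> and <remote ip> are the same placeholders used in the original connection.

```conf
# Existing gateway-to-gateway tunnel from the original post (unchanged):
# leftsubnets/rightsubnets are 0.0.0.0/0 because the peer negotiates
# wildcard selectors, so without an exception the ESP/IKE traffic
# between the two gateways themselves would also match the 0/0 policy.
conn connLG
    authby=secret
    left=<my ip>
    leftsubnets=0.0.0.0/0
    right=<remote ip>
    rightsubnets=0.0.0.0/0
    auto=start

# Added exception (assumed name): plain host-to-host passthrough for the
# two static gateway addresses. type=passthrough installs an xfrm policy
# that bypasses IPsec for this src/dst pair. Because it is more specific
# (/32 to /32) than 0.0.0.0/0, it gets a lower priority number in the
# kernel, which the kernel treats as higher precedence. authby=never
# is assumed here since no IKE negotiation is needed for a passthrough;
# auto=route is assumed so the policy is installed when pluto starts.
conn connLG-passthrough
    type=passthrough
    authby=never
    left=<my ip>
    right=<remote ip>
    auto=route
```

After loading both connections, the installed kernel policies can be inspected with `ip xfrm policy show`: the /32-to-/32 passthrough entries should carry a smaller priority value than the 0.0.0.0/0 entries with the `tmpl ... proto esp ... mode tunnel` template, so traffic between the two gateway addresses is matched by the exception first and is never steered into (or blackholed by) the wildcard tunnel policy.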