[Swan] GW To GW IPSec connection between CheckPoint and Libreswan

Paul Wouters paul at nohats.ca
Thu Oct 29 09:46:59 UTC 2015


On Thu, 29 Oct 2015, Amir Naftali wrote:

> That might do for the simple case, but my Libreswan based VPN server is aggregating many such connections,
> including connections where SAs are negotiated per subnet pair.

Well, "routing based VPNs" are not the best choice. It is much more
secure and easier to configure "policy based VPNs". That is where you
specifically define the traffic allowed to pass using leftsubnet= and
rightsubnet=.

> Please note that the wildcard negotiation is just a technical requirement - I'm not really looking to
> install wildcard xfrm policies. The installed policies will have src/dst subnet blocks allocated to
> them.
>
> Basically I'm still looking for a way to take control over xfrm policy instrumentation using the
> leftupdown option in the connection configuration, and the issue I described (partial xfrm policy
> instrumentation during re-key) is the only thing that prevents me from being able to do so.
>
> Is there a way to tell a connection not to install xfrm policies at all, or is there a way to prevent
> libreswan from installing the partial xfrm "out" policy during re-key?

You should never manually modify the xfrm tables outside the running IKE
daemon. The IKE daemon is not aware of your manual tweaks and it could
lead to mismatched policies, unexpected state and packet leaks.

Paul
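As an added illustration of the policy-based setup Paul recommends (this is not from the thread or from the Libreswan project's own docs), an ipsec.conf fragment in which each subnet pair gets its own SA with explicit traffic selectors, so pluto, not a hand-written updown script, owns the xfrm policies. All addresses, IDs and subnet values are constructed placeholders; `leftsubnets=`/`rightsubnets=` is libreswan's plural form that expands into one connection instance per subnet pair.

```ini
# Constructed example ipsec.conf - placeholder addresses and names throughout.
config setup
    protostack=netkey

# Shared gateway-to-gateway parameters; the actual SAs are defined below.
conn checkpoint-gw
    left=203.0.113.10            # Libreswan gateway public address (placeholder)
    leftid=@libreswan-gw.example
    right=198.51.100.20          # CheckPoint gateway public address (placeholder)
    rightid=@checkpoint-gw.example
    authby=secret                # PSK here only to keep the example short
    type=tunnel
    auto=ignore                  # template only; never loaded on its own

# Policy-based: traffic selectors are the exact subnet pairs.
# Each left/right subnet combination becomes its own connection instance
# (e.g. subnets-checkpoint/1x1, /1x2, /2x1, /2x2), each with its own SA
# and its own kernel xfrm policy installed and re-keyed by pluto.
conn subnets-checkpoint
    also=checkpoint-gw
    leftsubnets={10.10.1.0/24 10.10.2.0/24}     # behind Libreswan (placeholders)
    rightsubnets={192.168.50.0/24 192.168.60.0/24} # behind CheckPoint (placeholders)
    auto=start
```

To confirm what the daemon actually installed, read the kernel state rather than editing it: `ipsec status` lists each instance and its selectors, and `ip xfrm policy` should show one in/out policy pair per subnet pair with no wildcard entries.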

