[Swan] GW To GW IPSec connection between CheckPoint and Libreswan
Amir Naftali
amir at fortycloud.com
Sun Nov 1 13:22:00 UTC 2015
Looks like there is an issue resulting from a delivery that happened 4 days
ago titled "systemd: add socket activation".
I'm running on an Ubuntu 14.04 system in EC2/VPC.
Up to that commit (not including), running "make build & install" does the
magic and everything works OK.
Building/installing and running "ipsec verify" after that commit returns
the following output:
root at ip-192-168-100-119:/home/ubuntu# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.master-201544.git (netkey) on 3.13.0-48-generic
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
auth.log has the following error
Nov 1 13:11:13 ip-192-168-100-119 pluto[8648]: reapchild failed with
errno=10 No child processes
syslog has the following error
Nov 1 13:11:13 ip-192-168-100-119 ipsec_starter[8920]: connect(pluto_ctl)
failed: Invalid argument
Any thoughts? Am I doing something wrong?
*Amir Naftali* | *CTO and Co-Founder | +972 54 497 2622*
<http://www.fortycloud.com/?utm_campaign=amir_email&utm_medium=email&utm_source=signature&utm_content=link&utm_term=amir_sig>
On Fri, Oct 30, 2015 at 3:34 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Fri, 30 Oct 2015, Amir Naftali wrote:
>
> Subject: Re: [Swan] GW To GW IPSec connection between CheckPoint and
>> Libreswan
>>
>> This sounds great, having such a capability will provide a powerful tool
>> supporting an advance set of
>> use cases
>> Is there a way to get an early peek at the patch so I can test it against
>> some use cases that we have
>>
>
> This was pushed:
>
>
> https://github.com/libreswan/libreswan/commit/f0328a91565c7a9951c9bc6b330ab15667e58fcd
>
> Note that the _updown script does not yet actually do any marking.
>
> I need to understand better how that would need to be done and what
> parameters are needed and how this would work well with vti. If anyone
> has suggestions or patches for _updown.netkey, please let me know.
>
> Paul
>
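The `ipsec verify` report above mixes checks that are informational with the two that actually explain the broken tunnel (pluto not listening on UDP 500, rp_filter enabled on every interface). The following script is an added example written for this archive page, not code from the thread or from the Libreswan project: it parses a verify report into (check, status) pairs, triages the result, and derives the sysctl lines that would disable rp_filter on exactly the interfaces the report flags. The embedded report is a constructed copy of the one quoted in the message; the function and variable names are the author's own assumptions.

```python
import re
import sys

# Constructed sample: the `ipsec verify` report quoted in the thread, with the
# fused prelink/obsolete-options line split back into two lines.
VERIFY_OUTPUT = """\
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.master-201544.git (netkey) on 3.13.0-48-generic
Checking for IPsec support in kernel [OK]
 NETKEY: Testing XFRM related proc values
 ICMP default/send_redirects [OK]
 ICMP default/accept_redirects [OK]
 XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
 Pluto listening for IKE on udp 500 [FAILED]
 Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
"""

# A result line ends in a bracketed status such as [OK], [N/A], [ENABLED], [FAILED].
RESULT_RE = re.compile(r"^(?P<name>.*?)\s*\[(?P<status>[A-Z/]+)\]$")
# Per-interface rp_filter lines name the proc path; capture the interface.
RP_FILTER_PATH_RE = re.compile(r"^/proc/sys/net/ipv4/conf/([^/]+)/rp_filter$")


def parse_verify(text):
    """Return a list of (check name, status) for every line carrying a bracketed result.

    Lines without a result (version banner, section headers, advice text) are skipped.
    """
    results = []
    for raw in text.splitlines():
        m = RESULT_RE.match(raw.strip())
        if m:
            results.append((m.group("name"), m.group("status")))
    return results


def triage(text):
    """Split the parsed results into what blocks IKE and what merely needs attention.

    FAILED is always a problem; ENABLED is a problem only for rp_filter checks
    (the report itself says rp_filter should be disabled for IPsec); a DISABLED
    NAT-T listener is recorded as a warning because it matters only behind NAT.
    """
    failed, rp_filter, warnings = [], [], []
    for name, status in parse_verify(text):
        if status == "FAILED":
            failed.append(name)
        elif status == "ENABLED" and "rp_filter" in name:
            rp_filter.append(name)
        elif status == "DISABLED" and "udp 4500" in name:
            warnings.append(name)
    return {"failed": failed, "rp_filter_enabled": rp_filter, "warnings": warnings}


def rp_filter_sysctl_lines(rp_filter_names):
    """Turn flagged per-interface rp_filter proc paths into sysctl.conf lines.

    The summary line 'Checking rp_filter' has no interface and yields nothing.
    """
    lines = []
    for name in rp_filter_names:
        m = RP_FILTER_PATH_RE.match(name)
        if m:
            lines.append("net.ipv4.conf.%s.rp_filter = 0" % m.group(1))
    return lines


if __name__ == "__main__":
    # Pass "-" to read a live `ipsec verify` report from stdin; otherwise use the sample.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else VERIFY_OUTPUT
    report = triage(text)
    for name in report["failed"]:
        print("FAILED : %s" % name)
    for name in report["warnings"]:
        print("WARNING: %s" % name)
    for line in rp_filter_sysctl_lines(report["rp_filter_enabled"]):
        print("sysctl : %s" % line)
```

Run as `ipsec verify | python3 triage_verify.py -` to check a live host; on the sample it reports the UDP 500 listener as the one hard failure, the NAT-T listener as a warning, and emits `net.ipv4.conf.eth0.rp_filter = 0` and `net.ipv4.conf.lo.rp_filter = 0` as the rp_filter remediation.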