[Swan] GW To GW IPSec connection between CheckPoint and Libreswan

Amir Naftali amir at fortycloud.com
Sun Nov 1 13:22:00 UTC 2015


Looks like there is an issue resulting from a delivery that happened 4 days
ago titled "systemd: add socket activation".

I'm running on an ubuntu 14.04 system in EC2/VPC

Up to that commit (not including), running "make build & install" does the
magic and everything works ok.

Building/installing and running "ipsec verify" after that commit returns
the following output:

root@ip-192-168-100-119:/home/ubuntu# ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path                    [OK]
Libreswan 3.master-201544.git (netkey) on 3.13.0-48-generic
Checking for IPsec support in kernel               [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects               [OK]
         ICMP default/accept_redirects             [OK]
         XFRM larval drop                          [OK]
Pluto ipsec.conf syntax                            [OK]
Hardware random device                             [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter                                 [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter            [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter              [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                     [OK]
 Pluto listening for IKE on udp 500                [FAILED]
 Pluto listening for IKE/NAT-T on udp 4500         [DISABLED]
 Pluto ipsec.secret syntax                         [OK]
Checking 'ip' command                              [OK]
Checking 'iptables' command                        [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options           [OK]
Opportunistic Encryption                           [DISABLED]

auth.log has the following error:

Nov  1 13:11:13 ip-192-168-100-119 pluto[8648]: reapchild failed with
errno=10 No child processes

syslog has the following error:

Nov  1 13:11:13 ip-192-168-100-119 ipsec_starter[8920]: connect(pluto_ctl)
failed: Invalid argument

Any thoughts? Am I doing something wrong?


*Amir Naftali* | *CTO and Co-Founder | +972 54 497 2622*

<http://www.fortycloud.com/?utm_campaign=amir_email&utm_medium=email&utm_source=signature&utm_content=link&utm_term=amir_sig>

On Fri, Oct 30, 2015 at 3:34 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 30 Oct 2015, Amir Naftali wrote:
>
> Subject: Re: [Swan] GW To GW IPSec connection between CheckPoint and
>> Libreswan
>>
>> This sounds great, having such a capability will provide a powerful tool
>> supporting an advanced set of use cases.
>> Is there a way to get an early peek at the patch so I can test it against
>> some use cases that we have?
>>
>
> This was pushed:
>
>
> https://github.com/libreswan/libreswan/commit/f0328a91565c7a9951c9bc6b330ab15667e58fcd
>
> Note that the _updown script does not yet actually do any marking.
>
> I need to understand better how that would need to be done and what
> parameters are needed and how this would work well with vti. If anyone
> has suggestions or patches for _updown.netkey, please let me know.
>
> Paul
>