[Swan] GW To GW IPSec connection between CheckPoint and Libreswan

Paul Wouters paul at nohats.ca
Sun Nov 1 21:46:18 UTC 2015


I'll check what's going on. Is that install of Ubuntu using systemd?

Sent from my iPhone

> On Nov 1, 2015, at 22:22, Amir Naftali <amir at fortycloud.com> wrote:
> 
> Looks like there is an issue resulting from a delivery that happened 4 days ago titled "systemd: add socket activation"
> 
> I'm running on an ubuntu 14.04 system in EC2/VPC
> 
> Up to that commit (not including), running "make build & install" does the magic and everything works ok.
> 
> Building/installing and running "ipsec verify" after that commit returns the following output
> 
> root at ip-192-168-100-119:/home/ubuntu# ipsec verify
> 
> Verifying installed system and configuration files
> 
> Version check and ipsec on-path                   	[OK]
> Libreswan 3.master-201544.git (netkey) on 3.13.0-48-generic
> Checking for IPsec support in kernel              	[OK]
>  NETKEY: Testing XFRM related proc values
>          ICMP default/send_redirects              	[OK]
>          ICMP default/accept_redirects            	[OK]
>          XFRM larval drop                         	[OK]
> Pluto ipsec.conf syntax                           	[OK]
> Hardware random device                            	[N/A]
> Two or more interfaces found, checking IP forwarding	[OK]
> Checking rp_filter                                	[ENABLED]
>  /proc/sys/net/ipv4/conf/eth0/rp_filter           	[ENABLED]
>  /proc/sys/net/ipv4/conf/lo/rp_filter             	[ENABLED]
>   rp_filter is not fully aware of IPsec and should be disabled
> Checking that pluto is running                    	[OK]
>  Pluto listening for IKE on udp 500               	[FAILED]
>  Pluto listening for IKE/NAT-T on udp 4500        	[DISABLED]
>  Pluto ipsec.secret syntax                        	[OK]
> Checking 'ip' command                             	[OK]
> Checking 'iptables' command                       	[OK]
> Checking 'prelink' command does not interfere with FIPS
> Checking for obsolete ipsec.conf options          	[OK]
> Opportunistic Encryption                          	[DISABLED]
>  
> auth.log has the following error
> 
> Nov  1 13:11:13 ip-192-168-100-119 pluto[8648]: reapchild failed with errno=10 No child processes
> 
> syslog has the following error
> Nov  1 13:11:13 ip-192-168-100-119 ipsec_starter[8920]: connect(pluto_ctl) failed: Invalid argument
> 
> Any thoughts? Am I doing something wrong?
> 
> 
> Amir Naftali | CTO and Co-Founder | +972 54 497 2622
> 
> 
> 
>> On Fri, Oct 30, 2015 at 3:34 PM, Paul Wouters <paul at nohats.ca> wrote:
>> On Fri, 30 Oct 2015, Amir Naftali wrote:
>> 
>>> Subject: Re: [Swan] GW To GW IPSec connection between CheckPoint and Libreswan
>>> 
>>> This sounds great; having such a capability will provide a powerful tool supporting an advanced set of
>>> use cases.
>>> Is there a way to get an early peek at the patch so I can test it against some use cases that we have?
>> 
>> This was pushed:
>> 
>> https://github.com/libreswan/libreswan/commit/f0328a91565c7a9951c9bc6b330ab15667e58fcd
>> 
>> Note that the _updown script does not yet actually do any marking.
>> 
>> I need to understand better how that would need to be done and what
>> parameters are needed and how this would work well with vti. If anyone
>> has suggestions or patches for _updown.netkey, please let me know.
>> 
>> Paul
> 