[Swan] GW To GW IPSec connection between CheckPoint and Libreswan

Amir Naftali amir at fortycloud.com
Mon Nov 2 12:01:34 UTC 2015


I think it's upstart

/home/ubuntu# /sbin/init --version
init (upstart 1.5)
Copyright (C) 2012 Scott James Remnant, Canonical Ltd.

This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


*Amir Naftali* | *CTO and Co-Founder | +972 54 497 2622*

On Sun, Nov 1, 2015 at 11:46 PM, Paul Wouters <paul at nohats.ca> wrote:

> I'll check what's going on. Is that install of Ubuntu using systemd?
>
> Sent from my iPhone
>
> On Nov 1, 2015, at 22:22, Amir Naftali <amir at fortycloud.com> wrote:
>
> Looks like there is an issue resulting from a delivery that happened 4 days
> ago titled "systemd: add socket activation"
>
> I'm running on an ubuntu 14.04 system in EC2/VPC
>
> Up to that commit (not including), running "make build & install" does the
> magic and everything works ok.
>
> Building/installing and running "ipsec verify" after that commit returns
> the following output
>
> root at ip-192-168-100-119:/home/ubuntu# ipsec verify
>
> Verifying installed system and configuration files
>
> Version check and ipsec on-path                    [OK]
> Libreswan 3.master-201544.git (netkey) on 3.13.0-48-generic
> Checking for IPsec support in kernel               [OK]
>  NETKEY: Testing XFRM related proc values
>          ICMP default/send_redirects               [OK]
>          ICMP default/accept_redirects             [OK]
>          XFRM larval drop                          [OK]
> Pluto ipsec.conf syntax                            [OK]
> Hardware random device                             [N/A]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking rp_filter                                 [ENABLED]
>  /proc/sys/net/ipv4/conf/eth0/rp_filter            [ENABLED]
>  /proc/sys/net/ipv4/conf/lo/rp_filter              [ENABLED]
>   rp_filter is not fully aware of IPsec and should be disabled
> Checking that pluto is running                     [OK]
>  Pluto listening for IKE on udp 500                [FAILED]
>  Pluto listening for IKE/NAT-T on udp 4500         [DISABLED]
>  Pluto ipsec.secret syntax                         [OK]
> Checking 'ip' command                              [OK]
> Checking 'iptables' command                        [OK]
> Checking 'prelink' command does not interfere with FIPS
> Checking for obsolete ipsec.conf options           [OK]
> Opportunistic Encryption                           [DISABLED]
>
> auth.log has the following error
>
> Nov  1 13:11:13 ip-192-168-100-119 pluto[8648]: reapchild failed with
> errno=10 No child processes
>
> syslog has the following error
> Nov  1 13:11:13 ip-192-168-100-119 ipsec_starter[8920]: connect(pluto_ctl)
> failed: Invalid argument
>
> Any thoughts? Am I doing something wrong?
>
>
> *Amir Naftali* | *CTO and Co-Founder | +972 54 497 2622*
>
> On Fri, Oct 30, 2015 at 3:34 PM, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Fri, 30 Oct 2015, Amir Naftali wrote:
>>
>>> Subject: Re: [Swan] GW To GW IPSec connection between CheckPoint and
>>> Libreswan
>>>
>>> This sounds great, having such a capability will provide a powerful tool
>>> supporting an advanced set of use cases.
>>> Is there a way to get an early peek at the patch so I can test it
>>> against some use cases that we have?
>>>
>>
>> This was pushed:
>>
>>
>> https://github.com/libreswan/libreswan/commit/f0328a91565c7a9951c9bc6b330ab15667e58fcd
>>
>> Note that the _updown script does not yet actually do any marking.
>>
>> I need to understand better how that would need to be done and what
>> parameters are needed and how this would work well with vti. If anyone
>> has suggestions or patches for _updown.netkey, please let me know.
>>
>> Paul
>>
>
>
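The report above turns on three facts: which init system the Ubuntu host runs, which "ipsec verify" checks came back FAILED or ENABLED, and whether anything is really bound to UDP 500/4500. The script below is an added triage helper for exactly those checks; it is not code from this thread or from the Libreswan project. Each function takes captured text as its argument so it can be run offline against saved output (the built-in sample reuses the verify lines quoted above; the socket listing is constructed for the example), and "--live" runs it against the local host using /sbin/init --version, ipsec verify and ss/netstat.

```sh
#!/bin/sh
# Added triage helper (not from this thread or the Libreswan project).
# Functions take captured text so they can be run against saved output.

# Classify the init system from the output of `/sbin/init --version`.
# upstart prints "init (upstart X.Y)"; on systemd hosts /sbin/init is a
# symlink to systemd and prints "systemd NNN".
init_flavour() {
    case "$1" in
        *'(upstart'*) echo upstart ;;
        systemd*)     echo systemd ;;
        *)            echo unknown ;;
    esac
}

# Names of the `ipsec verify` checks that reported [FAILED].
verify_failures() {
    printf '%s\n' "$1" | grep -F '[FAILED]' \
        | sed 's/[[:space:]]*\[FAILED\].*//; s/^[[:space:]]*//'
}

# Interfaces whose rp_filter line reported [ENABLED] (verify warns on these).
rp_filter_enabled() {
    printf '%s\n' "$1" | grep '/rp_filter .*\[ENABLED\]' \
        | sed 's#.*/conf/##; s#/rp_filter.*##'
}

# Succeed if some socket in `ss -lun` (or `netstat -lun`) output is bound to
# port $2 on any address. The pattern anchors ":PORT" at the end of a field,
# so ":4500" and ":1500" do not count as port 500.
udp_port_bound() {
    printf '%s\n' "$1" | awk -v port="$2" '
        { for (i = 1; i <= NF; i++) if ($i ~ (":" port "$")) found = 1 }
        END { exit found ? 0 : 1 }'
}

# One finding per line for the three captured outputs.
triage() {
    echo "init system: $(init_flavour "$1")"
    verify_failures "$2"  | sed 's/^/verify FAILED: /'
    rp_filter_enabled "$2" | sed 's/^/rp_filter enabled on: /'
    for port in 500 4500; do
        if udp_port_bound "$3" "$port"; then
            echo "udp/$port: bound"
        else
            echo "udp/$port: nothing bound"
        fi
    done
}

# Constructed samples: verify lines are copied from the report in this thread;
# the socket listings are made up (SAMPLE_SS has no IKE port bound, the
# "_OK" variant is what a healthy pluto would look like).
SAMPLE_INIT='init (upstart 1.5)'
SAMPLE_VERIFY='Checking rp_filter                                 [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter            [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter              [ENABLED]
Checking that pluto is running                     [OK]
 Pluto listening for IKE on udp 500                [FAILED]
 Pluto listening for IKE/NAT-T on udp 4500         [DISABLED]'
SAMPLE_SS='UNCONN 0 0 0.0.0.0:68   0.0.0.0:*
UNCONN 0 0 0.0.0.0:123  0.0.0.0:*
UNCONN 0 0 10.0.0.1:1500 0.0.0.0:*'
SAMPLE_SS_OK="$SAMPLE_SS
UNCONN 0 0 0.0.0.0:500  0.0.0.0:*
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:*"

if [ "${1:-}" = '--live' ]; then
    triage "$(/sbin/init --version 2>/dev/null)" \
           "$(ipsec verify 2>&1)" \
           "$(ss -lun 2>/dev/null || netstat -lun)"
else
    triage "$SAMPLE_INIT" "$SAMPLE_VERIFY" "$SAMPLE_SS"
fi
```

Run without arguments it prints the findings for the sample, which reproduce the symptom in the report: verify says pluto is running but nothing is bound to UDP 500. Checking the socket table separately from verify is the useful part, since verify's "pluto is running" line only tells you the process exists, not that it got as far as opening its IKE sockets.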