[Swan] GW To GW IPSec connection between CheckPoint and Libreswan
Amir Naftali
amir at fortycloud.com
Mon Nov 2 12:01:34 UTC 2015
I think it's upstart
/home/ubuntu# /sbin/init --version
init (upstart 1.5)
Copyright (C) 2012 Scott James Remnant, Canonical Ltd.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*Amir Naftali* | *CTO and Co-Founder | +972 54 497 2622*
<http://www.fortycloud.com/?utm_campaign=amir_email&utm_medium=email&utm_source=signature&utm_content=link&utm_term=amir_sig>
On Sun, Nov 1, 2015 at 11:46 PM, Paul Wouters <paul at nohats.ca> wrote:
> I'll check what's going on. Is that install of Ubuntu using systemd?
>
> Sent from my iPhone
>
> On Nov 1, 2015, at 22:22, Amir Naftali <amir at fortycloud.com> wrote:
>
> Looks like there is an issue resulting from a delivery that happened 4 days
> ago titled "systemd: add socket activation"
>
> I'm running on an ubuntu 14.04 system in EC2/VPC
>
> Up to that commit (not including), running "make build & install" does the
> magic and everything works ok.
>
> Building/installing and running "ipsec verify" after that commit returns
> the following output
>
> root at ip-192-168-100-119:/home/ubuntu# ipsec verify
>
> Verifying installed system and configuration files
>
> Version check and ipsec on-path [OK]
> Libreswan 3.master-201544.git (netkey) on 3.13.0-48-generic
> Checking for IPsec support in kernel [OK]
> NETKEY: Testing XFRM related proc values
> ICMP default/send_redirects [OK]
> ICMP default/accept_redirects [OK]
> XFRM larval drop [OK]
> Pluto ipsec.conf syntax [OK]
> Hardware random device [N/A]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
> rp_filter is not fully aware of IPsec and should be disabled
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [FAILED]
> Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
> Pluto ipsec.secret syntax [OK]
> Checking 'ip' command [OK]
> Checking 'iptables' command [OK]
> Checking 'prelink' command does not interfere with FIPS
> Checking for obsolete ipsec.conf options [OK]
> Opportunistic Encryption [DISABLED]
>
> auth.log has the following error
>
> Nov 1 13:11:13 ip-192-168-100-119 pluto[8648]: reapchild failed with
> errno=10 No child processes
>
> syslog has the following error
> Nov 1 13:11:13 ip-192-168-100-119 ipsec_starter[8920]: connect(pluto_ctl)
> failed: Invalid argument
>
> Any thoughts? Am I doing something wrong?
>
>
> *Amir Naftali* | *CTO and Co-Founder | +972 54 497 2622*
>
>
> <http://www.fortycloud.com/?utm_campaign=amir_email&utm_medium=email&utm_source=signature&utm_content=link&utm_term=amir_sig>
>
> On Fri, Oct 30, 2015 at 3:34 PM, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Fri, 30 Oct 2015, Amir Naftali wrote:
>>
>> Subject: Re: [Swan] GW To GW IPSec connection between CheckPoint and
>>> Libreswan
>>>
>>> This sounds great; having such a capability will provide a powerful tool
>>> supporting an advanced set of use cases.
>>> Is there a way to get an early peek at the patch so I can test it
>>> against some use cases that we have?
>>>
>>
>> This was pushed:
>>
>>
>> https://github.com/libreswan/libreswan/commit/f0328a91565c7a9951c9bc6b330ab15667e58fcd
>>
>> Note that the _updown script does not yet actually do any marking.
>>
>> I need to understand better how that would need to be done and what
>> parameters are needed and how this would work well with vti. If anyone
>> has suggestions or patches for _updown.netkey, please let me know.
>>
>> Paul
>>
>
>
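The thread above hinges on two checks: which init system the box runs (upstart vs. systemd, since the socket-activation commit changed how pluto is started) and which lines of `ipsec verify` came back as anything other than [OK]. The script below is an added example for readers of this archive, not Libreswan code and not something posted in the thread: it parses `ipsec verify` output into (check, status) pairs, flags the FAILED listener and the rp_filter warnings, and classifies `/sbin/init --version` output. The sample output is copied from the report in the thread; the status vocabulary ([OK], [FAILED], [DISABLED], [ENABLED], [N/A]) is only what that output shows, and the set of problems flagged is this script's own choice, not a Libreswan rule.

```python
"""Parse `ipsec verify` output and classify the init system.

Added example for the Swan thread on the socket-activation regression;
not Libreswan code. The sample below is the report quoted in the thread.
"""
import re
from typing import List, Tuple

# Each result line ends in a bracketed upper-case status such as [OK] or [N/A].
_STATUS_RE = re.compile(r"^(?P<check>.*?)\s*\[(?P<status>[A-Z/]+)\]\s*$")

# Copied from the thread's report (the prelink line has no status there).
SAMPLE_VERIFY_OUTPUT = """\
Verifying installed system and configuration files

Version check and ipsec on-path [OK]
Libreswan 3.master-201544.git (netkey) on 3.13.0-48-generic
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
"""


def parse_verify(output: str) -> List[Tuple[str, str]]:
    """Return (check, status) pairs in order; lines without a status are skipped."""
    results: List[Tuple[str, str]] = []
    for raw in output.splitlines():
        m = _STATUS_RE.match(raw.strip())
        if m:
            results.append((m.group("check").strip(), m.group("status")))
    return results


def find_problems(results: List[Tuple[str, str]]) -> List[str]:
    """Flag every FAILED check plus rp_filter left ENABLED (verify itself warns on it).

    DISABLED is left alone: NAT-T and OE being off is a configuration choice,
    not a fault, so a monitor should not page on it.
    """
    problems: List[str] = []
    for check, status in results:
        if status == "FAILED":
            problems.append(f"{check}: FAILED")
        elif status == "ENABLED" and "rp_filter" in check:
            problems.append(f"{check}: rp_filter enabled, verify recommends disabling it")
    return problems


def classify_init(version_output: str) -> str:
    """Classify the output of `/sbin/init --version` as upstart, systemd or unknown."""
    text = version_output.lower()
    if "upstart" in text:
        return "upstart"
    if "systemd" in text:
        return "systemd"
    return "unknown"


if __name__ == "__main__":
    # Output from the thread: upstart, so the systemd socket unit is not in play.
    print("init system:", classify_init("init (upstart 1.5)"))
    for problem in find_problems(parse_verify(SAMPLE_VERIFY_OUTPUT)):
        print("PROBLEM:", problem)
```

On a live host, feed `subprocess.run(["ipsec", "verify"], capture_output=True, text=True).stdout` to `parse_verify` and `/sbin/init --version` (or the contents of `/proc/1/comm`) to `classify_init`; the FAILED line for UDP 500 together with the `connect(pluto_ctl) failed` message in syslog is the pattern this thread reports.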