[Swan] GW To GW IPSec connection between CheckPoint and Libreswan

Amir Naftali amir at fortycloud.com
Wed Nov 4 09:12:02 UTC 2015


I was able to start pluto, but I didn't see the mark in the xfrm policies
once the connection was established.

Here is my connection setup


conn connWithMark
  connaddrfamily=ipv4
  auto=add
  left=192.168.100.121
  leftid=<my public>
  leftsubnet=0.0.0.0/0
  rightsubnet=172.16.0.0/16
  rightid=
  right=
  mark=1/1
  forceencaps=yes
  authby=secret
  pfs=yes
  type=tunnel
  ike=aes128-sha1;modp1024
  phase2alg=aes128-sha1;modp1024
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart_by_peer

The connection was established and the xfrm policies are as follows...

src 0.0.0.0/0 dst 172.16.0.0/16
dir out priority 3120
tmpl src 192.168.100.121 dst <dst public ip>
proto esp reqid 16393 mode tunnel
src 172.16.0.0/16 dst 0.0.0.0/0
dir fwd priority 3120
tmpl src <dst public ip> dst 192.168.100.121
proto esp reqid 16393 mode tunnel
src 172.16.0.0/16 dst 0.0.0.0/0
dir in priority 3120
tmpl src <dst public ip> dst 192.168.100.121
proto esp reqid 16393 mode tunnel

I thought I should see the xfrm mark option in the classification.

From the ip xfrm man page:

ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ] [ mark MARK [
mask MASK ] ] [ index INDEX ] [ ptype PTYPE ] [ action ACTION ] [ priority
PRIORITY ] [ flag FLAG-LIST ] [ LIMIT-LIST ] [ TMPL-LIST ]

Any feedback will be appreciated.

Amir


*Amir Naftali* | *CTO and Co-Founder | +972 54 497 2622*


On Wed, Nov 4, 2015 at 8:30 AM, Amir Naftali <amir at fortycloud.com> wrote:

> excellent, will look into it today
>
> On Wed, Nov 4, 2015 at 6:53 AM, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Tue, 3 Nov 2015, Amir Naftali wrote:
>>
>>> Up to that commit (not including), running "make build & install" does
>>> the magic and everything works
>>> ok.
>>>
>>> Nov  1 13:11:13 ip-192-168-100-119 ipsec_starter[8920]:
>>> connect(pluto_ctl) failed: Invalid argument
>>>
>>
>> I just pushed a fix to git for this. Let me know if that resolves it for
>> you.
>>
>> Paul
>>
>
>
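The question above hinges on whether the kernel policies installed for a conn with `mark=1/1` actually carry that mark. The following is an added example (not code from the mail or from the Libreswan project) that parses the output of `ip xfrm policy` into records and reports which tunnel policies lack the mark the conn asked for. The sample input is constructed: it reproduces the three unmarked policies from the mail with the peer's public IP replaced by the documentation address 203.0.113.5, plus one hypothetical policy for 10.0.0.0/8 that does carry a mark; the `mark 0x1/0x1` line format is assumed to match what `ip xfrm policy` prints.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `ip xfrm policy` output. The first three records are
# the ones quoted in the mail (public peer IP replaced by 203.0.113.5); the
# fourth is hypothetical and shows a policy that does carry a mark/mask line.
SAMPLE_XFRM_POLICY = """\
src 0.0.0.0/0 dst 172.16.0.0/16
\tdir out priority 3120
\ttmpl src 192.168.100.121 dst 203.0.113.5
\t\tproto esp reqid 16393 mode tunnel
src 172.16.0.0/16 dst 0.0.0.0/0
\tdir fwd priority 3120
\ttmpl src 203.0.113.5 dst 192.168.100.121
\t\tproto esp reqid 16393 mode tunnel
src 172.16.0.0/16 dst 0.0.0.0/0
\tdir in priority 3120
\ttmpl src 203.0.113.5 dst 192.168.100.121
\t\tproto esp reqid 16393 mode tunnel
src 10.0.0.0/8 dst 172.16.0.0/16
\tdir out priority 3120
\tmark 0x1/0x1
\ttmpl src 192.168.100.121 dst 203.0.113.5
\t\tproto esp reqid 16393 mode tunnel
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^dir (\S+)(?: priority (\d+))?")
MARK_RE = re.compile(r"^mark (0x[0-9a-fA-F]+|\d+)(?:/(0x[0-9a-fA-F]+|\d+))?")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^proto (\S+) reqid (\d+) mode (\S+)")


def parse_conn_mark(value: str) -> Tuple[int, int]:
    """Parse a libreswan-style mark=value/mask string into (value, mask).

    Both parts accept decimal or 0x-prefixed hex. If the mask is omitted,
    a full 32-bit mask is assumed (assumption for this example, not a claim
    about libreswan's documented default)."""
    if "/" in value:
        v, m = value.split("/", 1)
        return int(v, 0), int(m, 0)
    return int(value, 0), 0xFFFFFFFF


def parse_xfrm_policies(text: str) -> List[Dict]:
    """Turn `ip xfrm policy` output into a list of policy dicts.

    Each record starts at an unindented 'src ... dst ...' line; the indented
    lines that follow (dir/priority, optional mark, templates) belong to it."""
    policies: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SELECTOR_RE.match(line)
        if m and not raw.startswith(("\t", " ")):
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None,
                   "priority": None, "mark": None, "mask": None, "tmpl": []}
            policies.append(cur)
            continue
        if cur is None:
            continue  # stray line before any selector; ignore
        if m := DIR_RE.match(line):
            cur["dir"] = m.group(1)
            cur["priority"] = int(m.group(2)) if m.group(2) else None
        elif m := MARK_RE.match(line):
            cur["mark"] = int(m.group(1), 0)
            cur["mask"] = int(m.group(2), 0) if m.group(2) else 0xFFFFFFFF
        elif m := TMPL_RE.match(line):
            cur["tmpl"].append({"src": m.group(1), "dst": m.group(2)})
        elif (m := PROTO_RE.match(line)) and cur["tmpl"]:
            cur["tmpl"][-1].update(proto=m.group(1), reqid=int(m.group(2)),
                                   mode=m.group(3))
    return policies


def policies_missing_mark(policies: List[Dict], mark: int, mask: int) -> List[Dict]:
    """Return the tunnel policies (those with at least one template) whose
    mark/mask differ from the ones the conn was configured with."""
    return [p for p in policies
            if p["tmpl"] and (p["mark"], p["mask"]) != (mark, mask)]


if __name__ == "__main__":
    want_mark, want_mask = parse_conn_mark("1/1")  # the conn's mark= value
    for p in policies_missing_mark(parse_xfrm_policies(SAMPLE_XFRM_POLICY),
                                   want_mark, want_mask):
        print(f"no mark {want_mark:#x}/{want_mask:#x} on {p['src']} -> "
              f"{p['dst']} dir {p['dir']} (found {p['mark']}/{p['mask']})")
```

Run against the sample, the three policies copied from the mail are reported as unmarked and the hypothetical fourth one is not; pointing it at live `ip xfrm policy` output gives the same per-policy answer to "did the conn's mark reach the kernel?" without eyeballing the dump.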