<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>If your enpoints are on static IP, you should put a type=passthrough in with left/right set to those IP addresses. That will exclude them from being caught in the 0/0, because passthrough has a higher priority.</div><div id="AppleMailSignature"><br>Sent from my iPhone</div><div><br>On Oct 28, 2015, at 15:57, Amir Naftali <<a href="mailto:amir@fortycloud.com">amir@fortycloud.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div>Hi All</div><div><br></div><div>Thank you for supporting this important opensource initiative. </div><div><br></div><div>I'm using libreswan(3.15)/netkey running on an AWS/EC2/Ubuntu/14.04 machine to connect to a CheckPoint device where the CP device is configured to establish an SA per GW (as oppose per subnet pair)</div><div><br></div><div>This means that the negotiated subnets during IPSec phase that the CP devices will send and accept are <a href="http://0.0.0.0/0">0.0.0.0/0</a> and <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><br></div><div>The connection can be established but once the IPSec phase is complete it will install xfrm policies that will shutdown communication (src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a> [in/out/fwd]...)</div><div><br></div><div>Since libreswan installs xfrm policies automatically I thought to use the leftupdown option to write a script that manage xfrm policies myself (basically allow the wildcard to be negotiated during IPSec phase but afterwards install a more specific xfrm policies so communication will not shutdown.</div><div><br></div><div>My script works fine until IPSec re-key happens, once re-key happens swan installs an xfrm policy w/o making a call to the leftupdown script I provide. The new installed xfrm policy is not complete and looks like this (I call it partial since it only deploy the "out" policy w/o the "in" and "fwd") </div><div><br></div><div>Here is how the partial policy it looks like </div><div><br></div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>dir out priority 3128</div><div><span class="" style="white-space:pre"> </span>tmpl src <my ip> dst <remote ip></div><div><span class="" style="white-space:pre"> </span>proto esp reqid 16401 mode tunnel </div><div><br></div><div>The above policy also shut down my communication to/from the machine.</div><div><br></div><div>Here is my connection config...</div><div><br></div><div><div>conn connLG</div><div> connaddrfamily=ipv4</div><div><span class="" style="white-space:pre"> </span>authby=secret</div><div><span class="" style="white-space:pre"> </span>dpdaction=restart_by_peer</div><div><span class="" style="white-space:pre"> </span>dpddelay=30</div><div><span class="" style="white-space:pre"> </span>dpdtimeout=120</div><div><span class="" style="white-space:pre"> </span>forceencaps=yes</div><div><span class="" style="white-space:pre"> </span>ike=aes128-sha1;modp1024</div><div><span class="" style="white-space:pre"> </span>ikelifetime=86400s</div><div><span class="" style="white-space:pre"> </span>keyingtries=3</div><div><span class="" style="white-space:pre"> </span>left=<my ip></div><div><span class="" style="white-space:pre"> </span>leftid=<mu id></div><div><span class="" style="white-space:pre"> </span>leftsubnets=<a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div> leftupdown="/etc/ipsec.d/myUpDown.sh"</div><div><span class="" style="white-space:pre"> </span>pfs=yes</div><div><span class="" style="white-space:pre"> </span>phase2alg=aes128-sha1</div><div><span class="" style="white-space:pre"> </span>right=<right ip></div><div><span class="" style="white-space:pre"> </span>rightid=<right id></div><div><span class="" style="white-space:pre"> </span>rightsubnets=<a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>salifetime=180s</div></div><div><br></div><div>My questions are:</div><div><br></div><div>1) Is this the right way to do it (how else can i connect to a peer device that negotiates wildcard subnets)?</div><div>2) How can I better control xfrm policies (there are more options I would like to use like mark and using multiple tmpl in the same policy) that are not supported by libreswan?</div><div>3) Is the <span style="line-height:19.2px">behaviour</span> I described above regarding IPSec re-key and partial xfrm policy instrumentation is a known issue or am I missing something here in how it should work?</div><div><br></div><div>Will appreciate any response regarding this one</div><div> </div><div>Kind Regards,</div><div><br></div><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div style="color:rgb(0,0,0)"><div style="color:rgb(136,136,136);font-size:12.8px"><b><font color="#000000"><span>Amir</span> Naftali</font></b> | <b><font face="arial, helvetica, sans-serif"><font color="#0000ff">CTO and Co-Founder</font> | </font>+972 54 497 2622</b></div><div style="color:rgb(136,136,136);font-size:12.8px"><br></div><div style="color:rgb(136,136,136);font-size:12.8px"><a href="http://www.fortycloud.com/?utm_campaign=amir_email&utm_medium=email&utm_source=signature&utm_content=link&utm_term=amir_sig" style="color:rgb(0,0,255);font-family:'Courier New';font-size:14px;line-height:21px" target="_blank"><img align="none" height="37" src="https://gallery.mailchimp.com/805c65e3dbe647f677fe8ee38/images/bde29e88-9385-4f4b-ae97-60c704de1547.png" width="200" alt="" style="width: 200px; min-height: 37px; margin: 0px;"></a><br></div></div></div></div></div></div></div>
</div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Swan mailing list</span><br><span><a href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a></span><br><span><a href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a></span><br></div></blockquote></body></html>