[Openswan dev] GW To GW IPSec connection between CheckPoint and openswan
amir at fortycloud.com
Wed Oct 28 15:14:35 EDT 2015
Thank you for supporting this important opensource initiative.
I'm using openswan (2.6.37)/netkey running on an AWS/EC2/Ubuntu 14.04
machine to connect to a CheckPoint device, where the CP device is
configured to establish an SA per GW (as opposed to per subnet pair).
This means that the negotiated subnets during the IPSec phase that the CP
device will send and accept are 0.0.0.0/0 and 0.0.0.0/0.
The connection can be established, but once the IPSec phase is complete it
will install xfrm policies that shut down communication (src 0.0.0.0/0
dst 0.0.0.0/0 [in/out/fwd]...).
Since openswan installs xfrm policies automatically, I thought to use the
leftupdown option to write a script that manages xfrm policies myself
(basically allow the wildcard to be negotiated during the IPSec phase but
afterwards install more specific xfrm policies so communication will not
My script works fine until an IPSec re-key happens; once re-key happens, swan
installs an xfrm policy w/o making a call to the leftupdown script I
provide. The newly installed xfrm policy is not complete and looks like this
(I call it partial since it only deploys the "out" policy w/o the "in" and
Here is how the partial policy looks:
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 3128
tmpl src <my ip> dst <remote ip>
proto esp reqid 16401 mode tunnel
The above policy also shut down my communication to/from the machine.
Here is my connection config...
My questions are:
1) Is this the right way to do it (how else can I connect to a peer device
that negotiates wildcard subnets)?
2) How can I better control xfrm policies (there are more options I would
like to use like mark and using multiple tmpl in the same policy) that are
not supported by openswan?
3) Is the behaviour I described above regarding IPSec re-key and partial
xfrm policy instrumentation a known issue, or am I missing something here
in how it should work?
Will appreciate any response regarding this one
*Amir Naftali* | *CTO and Co-Founder | +972 54 497 2622*
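An added example of the approach described in the message above (a leftupdown script that lets the wildcard 0.0.0.0/0 selector be negotiated and then installs narrower xfrm policies); this is not code from the original post or from the openswan project. It assumes pluto invokes it with PLUTO_VERB, PLUTO_ME and PLUTO_PEER set, as the stock _updown.netkey script receives them. Everything else is supplied by you and is an assumption of this example: XFRM_REQID (the reqid of the negotiated SAs, which must match the states or the policies never find an SA; the example does not assume pluto exports it), SUBNET_PAIRS (local:remote CIDR pairs to tunnel), XFRM_PRIO (default 1000, which beats the wildcard policy at 3128 seen above because the lower number wins) and DRY_RUN=1 to print the ip commands instead of running them. The addresses in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or openswan): leftupdown-style
# script. pluto negotiates 0.0.0.0/0 <-> 0.0.0.0/0 with the peer; on up-*
# this removes the wildcard xfrm policies pluto installed and adds narrow
# out/in/fwd policies for the configured subnet pairs, on down-* it removes
# them again.
#
# Assumed inputs (not taken from the page):
#   PLUTO_VERB, PLUTO_ME, PLUTO_PEER  as pluto passes them to the updown script
#   XFRM_REQID    reqid of the negotiated SAs (must match the installed states)
#   SUBNET_PAIRS  space-separated "local_cidr:remote_cidr" entries
#   XFRM_PRIO     priority of the narrow policies (default 1000; lower wins)
#   DRY_RUN=1     echo the ip commands instead of executing them
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Remove pluto's wildcard policies. Left in place, they would still force
# every packet not covered by a narrower policy into the tunnel (or drop
# it), which is what cut the host off. "delete" takes only selector + dir.
drop_wildcard_policies() {
    for dir in out in fwd; do
        run ip xfrm policy delete src 0.0.0.0/0 dst 0.0.0.0/0 dir "$dir" || true
    done
}

# Install or remove the narrow policies for one local/remote pair.
# out: lnet -> rnet is wrapped in ESP from me to peer.
# in/fwd: rnet -> lnet must have arrived in ESP from peer to me; fwd covers
# decrypted packets the gateway forwards rather than consumes itself.
narrow_policy() {
    act=$1 lnet=$2 rnet=$3
    prio=${XFRM_PRIO:-1000}
    case $act in
    add)
        run ip xfrm policy add src "$lnet" dst "$rnet" dir out priority "$prio" \
            tmpl src "$PLUTO_ME" dst "$PLUTO_PEER" proto esp reqid "$XFRM_REQID" mode tunnel
        for dir in in fwd; do
            run ip xfrm policy add src "$rnet" dst "$lnet" dir "$dir" priority "$prio" \
                tmpl src "$PLUTO_PEER" dst "$PLUTO_ME" proto esp reqid "$XFRM_REQID" mode tunnel
        done
        ;;
    delete)
        run ip xfrm policy delete src "$lnet" dst "$rnet" dir out
        for dir in in fwd; do
            run ip xfrm policy delete src "$rnet" dst "$lnet" dir "$dir"
        done
        ;;
    esac
}

updown_main() {
    case $PLUTO_VERB in
    up-client|up-host)     action=add ;;
    down-client|down-host) action=delete ;;
    *) return 0 ;;   # prepare-*/route-*/unroute-*: nothing to do here
    esac
    if [ "$action" = add ]; then drop_wildcard_policies; fi
    # SUBNET_PAIRS is deliberately unquoted so it splits into pairs.
    for pair in $SUBNET_PAIRS; do
        narrow_policy "$action" "${pair%%:*}" "${pair#*:}"
    done
}

# Dispatch only when pluto actually invoked us (PLUTO_VERB set); sourcing
# the file otherwise just defines the functions.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main
fi
```

Run it first with DRY_RUN=1 and a fake PLUTO_VERB=up-client to review the exact `ip xfrm policy` lines before pointing leftupdown= at it. Because the narrow policies carry the same reqid as the SAs pluto negotiated, traffic for the listed subnets uses the wildcard SA while anything else stays in the clear. As the message above notes, pluto does not call the updown script on re-key, so a policy it reinstalls at that point is outside what this script can manage.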