[Openswan dev] GW To GW IPSec connection between CheckPoint and openswan

Amir Naftali amir at fortycloud.com
Wed Oct 28 15:14:35 EDT 2015


Hi All

Thank you for supporting this important opensource initiative.

I'm using openswan (2.6.37)/netkey running on an AWS/EC2/Ubuntu/14.04
machine to connect to a CheckPoint device where the CP device is
configured to establish an SA per GW (as opposed to per subnet pair).

This means that the subnets negotiated during the IPSec phase, which the CP
device will send and accept, are 0.0.0.0/0 and 0.0.0.0/0.

The connection can be established, but once the IPSec phase is complete it
will install xfrm policies that will shut down communication (src 0.0.0.0/0
dst 0.0.0.0/0 [in/out/fwd]...).

Since openswan installs xfrm policies automatically, I thought to use the
leftupdown option to write a script that manages xfrm policies myself
(basically allow the wildcard to be negotiated during the IPSec phase but
afterwards install more specific xfrm policies so communication will not
shut down).

My script works fine until an IPSec re-key happens; once a re-key happens swan
installs an xfrm policy without making a call to the leftupdown script I
provide. The newly installed xfrm policy is not complete and looks like this
(I call it partial since it only deploys the "out" policy without the "in" and
"fwd").

Here is what the partial policy looks like:

src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 3128
        tmpl src <my ip> dst <remote ip>
                proto esp reqid 16401 mode tunnel

The above policy also shuts down my communication to/from the machine.

Here is my connection config...

conn connLG
        connaddrfamily=ipv4
        authby=secret
        dpdaction=restart_by_peer
        dpddelay=30
        dpdtimeout=120
        forceencaps=yes
        ike=aes128-sha1;modp1024
        ikelifetime=86400s
        keyingtries=3
        left=<my ip>
        leftid=<my id>
        # wildcard selectors on both sides, matching the per-GW SA the CheckPoint negotiates
        leftsubnets=0.0.0.0/0
        leftupdown="/etc/ipsec.d/myUpDown.sh"
        pfs=yes
        phase2alg=aes128-sha1
        right=<right ip>
        rightid=<right id>
        rightsubnets=0.0.0.0/0
        salifetime=180s

My questions are:

1) Is this the right way to do it (how else can I connect to a peer device
that negotiates wildcard subnets)?
2) How can I better control xfrm policies (there are more options I would
like to use, like mark and multiple tmpl in the same policy, that are
not supported by openswan)?
3) Is the behaviour I described above regarding IPSec re-key and partial
xfrm policy instrumentation a known issue, or am I missing something here
in how it should work?

I will appreciate any response regarding this one.

Kind Regards,

Amir Naftali | CTO and Co-Founder | +972 54 497 2622

<http://www.fortycloud.com/?utm_campaign=amir_email&utm_medium=email&utm_source=signature&utm_content=link&utm_term=amir_sig>
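The check the post is really asking for (is the in/out/fwd set for a given reqid complete, and how do you replace the negotiated 0.0.0.0/0 selector with specific subnet pairs), as an added example that is not part of the original post and not openswan code: a Python script that parses `ip xfrm policy show` output in the three-line record layout shown above, reports which directions are missing per selector pair, and builds the `ip xfrm policy` commands that delete the wildcard policies and (re)install specific pairs. The sample listing, the endpoint addresses 198.51.100.10 and 203.0.113.20, the subnets and reqid 16401 are constructed for illustration.

```python
"""Audit `ip xfrm policy show` output for incomplete in/out/fwd policy sets and
build `ip xfrm policy` commands that replace a wildcard selector with specific
subnet pairs.  Added example, not openswan code; all addresses, subnets, the
reqid and the listing below are constructed to match the post's record layout."""
import re
from collections import defaultdict

# Constructed listing: the wildcard selector has only its "out" policy (the
# partial state seen after re-key) and the specific pair lacks "fwd".
SAMPLE_XFRM_POLICY = """\
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir out priority 3128
\ttmpl src 198.51.100.10 dst 203.0.113.20
\t\tproto esp reqid 16401 mode tunnel
src 10.0.0.0/16 dst 192.168.0.0/24
\tdir out priority 1000
\ttmpl src 198.51.100.10 dst 203.0.113.20
\t\tproto esp reqid 16401 mode tunnel
src 192.168.0.0/24 dst 10.0.0.0/16
\tdir in priority 1000
\ttmpl src 203.0.113.20 dst 198.51.100.10
\t\tproto esp reqid 16401 mode tunnel
"""
EXPECTED_DIRS = {"in", "out", "fwd"}
WILDCARD = "0.0.0.0/0"


def parse_xfrm_policies(text):
    """A record starts at an unindented `src ... dst ...` line; the indented
    lines carry dir/priority, template endpoints and proto/reqid/mode.
    Records without a dir line (e.g. `socket in/out`) are dropped."""
    policies, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None,
                   "priority": None, "tmpl": None, "reqid": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if m := re.match(r"^dir (in|out|fwd) priority (\d+)", s):
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
        elif m := re.match(r"^tmpl src (\S+) dst (\S+)", s):
            cur["tmpl"] = (m.group(1), m.group(2))
        elif m := re.search(r"\breqid (\d+)", s):
            cur["reqid"] = int(m.group(1))
    return [p for p in policies if p["dir"]]


def pair_key(p):
    """(local_subnet, remote_subnet): "out" has local as src, in/fwd as dst."""
    return (p["src"], p["dst"]) if p["dir"] == "out" else (p["dst"], p["src"])


def find_incomplete(policies, reqid):
    """Return {(local, remote): [missing directions]} for one reqid."""
    seen = defaultdict(set)
    for p in policies:
        if p["reqid"] == reqid:
            seen[pair_key(p)].add(p["dir"])
    return {k: sorted(EXPECTED_DIRS - v) for k, v in seen.items() if EXPECTED_DIRS - v}


def policy_commands(local_subnets, remote_subnets, me, peer, reqid,
                    priority=1000, action="add", mark=None):
    """All three directions for every local/remote pair.  Template endpoints
    are reversed for in/fwd (they name ESP sender and receiver); `mark`
    uses the `mark MARK` keyword iproute2 accepts on policies."""
    cmds = []
    for local in local_subnets:
        for remote in remote_subnets:
            for d, src, dst, tsrc, tdst in (("out", local, remote, me, peer),
                                            ("in", remote, local, peer, me),
                                            ("fwd", remote, local, peer, me)):
                cmd = f"ip xfrm policy {action} src {src} dst {dst} dir {d}"
                if mark is not None:
                    cmd += f" mark {mark}"
                cmds.append(cmd + f" priority {priority} tmpl src {tsrc} dst {tdst}"
                                  f" proto esp reqid {reqid} mode tunnel")
    return cmds


def audit_and_fix(text, me, peer, reqid, local_subnets, remote_subnets):
    """Report missing directions, then emit commands that delete the wildcard
    policies carrying this reqid (delete is keyed by selector and dir) and
    (re)install the specific pairs with `update`, which is idempotent."""
    policies = parse_xfrm_policies(text)
    cmds = [f"ip xfrm policy delete src {WILDCARD} dst {WILDCARD} dir {p['dir']}"
            for p in policies
            if p["reqid"] == reqid and (p["src"], p["dst"]) == (WILDCARD, WILDCARD)]
    cmds += policy_commands(local_subnets, remote_subnets, me, peer, reqid, action="update")
    return find_incomplete(policies, reqid), cmds
```

Feed `audit_and_fix()` the real output of `ip xfrm policy show` (root) and review the commands before executing them; deleting a policy that pluto installed is a race with pluto, and since the post reports that the wildcard "out" policy comes back on re-key without the leftupdown script being called, the audit is worth running periodically (cron) rather than only from the updown hook. The `mark` option and repeated `tmpl ...` clauses are plain `ip xfrm policy` syntax, so they can be driven from such a script regardless of whether openswan exposes them.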