[Openswan Users] Checkpoint VPN-1 Edge/KLIPS problems (NETKEY works!)

Martin Schwartz ms at wsap.net
Thu Jan 28 18:22:26 EST 2010


Hi everybody,

I've been running a Checkpoint Edge X32 Device at home for a long time now,
connecting to my hosted SuSE 10.3 server using SuSE's Openswan-netkey 2.4.7
package. As has been reported, a Checkpoint FW requires its peer to have TWO
tunnels connected to it - one for the peer itself, one for the subnet behind
it.
Because of that, I've been using the following configs (aa=server,
bb=Checkpoint peer):

conn local-remote_fw
        authby=secret
        esp=aes256-sha1-1536
        ike=aes256-sha-modp1536
        left=aa.aa.aa.aa
        right=bb.bb.bb.bb
        rightsubnet=bb.bb.bb.bb/32
        pfs=yes
        auto=start

conn local-remote_net
        authby=secret
        esp=aes256-sha1-1536
        ike=aes256-sha-modp1536
        left=aa.aa.aa.aa
        right=bb.bb.bb.bb
        rightsubnet=192.168.234.0/24
        pfs=yes
        auto=start

This config has been working FLAWLESSLY 24/7/365 for a couple of years now -
as said, using NETKEY. No problems so far...

...until recently, when I ran into a routing issue (I need to connect to
other networks behind server aa) and figured out I'll have to use KLIPS
instead of NETKEY to achieve this (using the ipsec*-devices only KLIPS
provides).

I started by compiling Openswan 2.6.21 on my current SuSE 10.3 kernel
2.6.22.19-0.4-default (make kpatch works without problems, npatch needs some
manual rework but after correcting some stuff from udp.c.rej it compiles
well - or at least seems to :) ).

If I start it using the above config, no connection comes up (initiate...
and then it stops). Instead, I get funny messages in my /var/log/messages:

Jan 21 23:03:03 aa kernel: martian source aa.aa.aa.aa from bb.bb.bb.bb, on dev eth0
Jan 21 23:03:03 aa kernel: ll header: 00:05:62:6d:b1:35:00:12:5e:f3:81:00:09:00
[...multiple repeats follow...]

If I delete (!) the connection to the firewall (local-remote_fw), the
connection between server and subnet gets established and I see the ipsec0
interface, "ipsec eroute" shows the tunnels and I can even ping between
server and subnet.

Unfortunately, this connection has the same known problem I had before I
knew I needed a second one:

/var/log/ipsec
Jan 21 22:10:03 aa pluto[9429]: "local-remote" #23: the peer proposed: aa.aa.aa.aa/32:0/0 -> bb.bb.bb.bb/32:0/0
Jan 21 22:10:03 aa pluto[9429]: "local-remote" #23: cannot respond to IPsec SA request because no connection is known for aa.aa.aa.aa<aa.aa.aa.aa>[+S=C]...bb.bb.bb.bb<bb.bb.bb.bb>[+S=C]
Jan 21 22:10:03 aa pluto[9429]: "local-remote" #23: sending encrypted notification INVALID_ID_INFORMATION to bb.bb.bb.bb:500

Getting notified, my Checkpoint closes the connection every minute or so
because it thinks the connection is broken (if this didn't cause
interruptions every time, I'd probably just live with it).

Remarkably, the above behaviour only shows up using KLIPS and NOT using
NETKEY!

My QUESTION: How can I install a second conn between the peers without
risking my whole traffic getting dropped? How can I investigate further?
Alternatively, how can I route from the 192.168.234.0/24-subnet behind
bb.bb.bb.bb via aa.aa.aa.aa to another VPN connected to aa.aa.aa.aa without
using KLIPS? Is this possible at all?

Any hint is greatly appreciated!

Cheers,
Martin.

PS: I've reworked my configuration which now looks like this but should work
the same way as the one above:

conn local-remote
        authby=secret
        ike=aes256-sha-modp1536
        phase2=esp
        phase2alg=aes256-sha1;modp1536
        left=aa.aa.aa.aa
        leftsubnets={aa.aa.aa.aa/32}
        right=bb.bb.bb.bb
        rightsubnets={192.168.234.0/24}
        pfs=yes
        auto=start

If I put the second subnet
        rightsubnets={192.168.234.0/24 bb.bb.bb.bb/32}
into it, it shows the same behaviour ("martian packets") as the config
above.
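As an added example (my own code, not Openswan's and not from the post), a small Python triage script for the two symptoms described above: it reads conn blocks in the ipsec.conf shape shown in the post (including the `leftsubnets={...}`/`rightsubnets={...}` form from the PS), parses pluto's "the peer proposed" lines and the kernel's "martian source" lines, and reports which conn, if any, exactly covers each proposed selector pair (no match is the situation that produces the "cannot respond to IPsec SA request because no connection is known" / INVALID_ID_INFORMATION reply) and whether a martian packet's source address is itself inside a configured remote selector. The addresses are constructed RFC 5737 stand-ins for aa.aa.aa.aa and bb.bb.bb.bb, the log lines are constructed to match the quoted ones, and the exact-match lookup is an assumed simplification of pluto's real connection search.

```python
"""Cross-check pluto "the peer proposed" selectors against configured conns
and flag kernel "martian source" lines whose source is inside a tunnel
selector.  Added example; not Openswan code and not from the original post."""
import ipaddress
import re

# Constructed stand-in for the ipsec.conf fragment in the post.  The post's
# aa.aa.aa.aa (server) and bb.bb.bb.bb (Checkpoint) are replaced here by the
# RFC 5737 documentation addresses 198.51.100.10 and 203.0.113.20.
SAMPLE_CONF = """\
conn local-remote_fw
        left=198.51.100.10
        right=203.0.113.20
        rightsubnet=203.0.113.20/32
        auto=start

conn local-remote_net
        left=198.51.100.10
        right=203.0.113.20
        rightsubnet=192.168.234.0/24
        auto=start
"""

# Constructed log lines in the shape of the two message kinds quoted in the post.
SAMPLE_LOG = """\
Jan 21 22:10:03 aa pluto[9429]: "local-remote" #23: the peer proposed: 198.51.100.10/32:0/0 -> 203.0.113.20/32:0/0
Jan 21 22:10:05 aa pluto[9429]: "local-remote" #24: the peer proposed: 198.51.100.10/32:0/0 -> 192.168.234.0/24:0/0
Jan 21 23:03:03 aa kernel: martian source 198.51.100.10 from 203.0.113.20, on dev eth0
"""

CONN_RE = re.compile(r"^conn\s+(\S+)")
KV_RE = re.compile(r"^\s+(\w+)=(.*)$")
PROPOSED_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: the peer proposed: '
                         r"(?P<local>\S+?):\d+/\d+ -> (?P<remote>\S+?):\d+/\d+")
# Kernel format is "martian source <dst> from <src>, on dev <if>".
MARTIAN_RE = re.compile(r"martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)")


def _selectors(block, side):
    """Subnets a conn claims for one side: leftsubnets={a b} beats
    leftsubnet=, which beats the bare host address taken as a /32."""
    if block.get(side + "subnets"):
        nets = block[side + "subnets"].strip("{}").split()
    elif block.get(side + "subnet"):
        nets = [block[side + "subnet"]]
    else:
        nets = [block[side] + "/32"]
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def parse_conf(text):
    """Map each 'conn NAME' block to the set of (left_net, right_net) pairs it covers."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = blocks.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return {name: {(l, r) for l in _selectors(b, "left") for r in _selectors(b, "right")}
            for name, b in blocks.items() if "left" in b and "right" in b}


def conns_covering(conns, local, remote):
    """Names of conns whose selector pair equals the proposed pair exactly
    (assumed simplification; pluto's lookup also handles instantiated conns)."""
    pair = (ipaddress.ip_network(local), ipaddress.ip_network(remote))
    return sorted(name for name, pairs in conns.items() if pair in pairs)


def source_in_tunnel(conns, src):
    """True if src lies inside any right-hand selector, i.e. traffic to it
    would be steered into a tunnel rather than out of the plain interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in r for pairs in conns.values() for _, r in pairs)


def triage(conf_text, log_text):
    """Return one finding dict per recognised log line, in log order."""
    conns = parse_conf(conf_text)
    findings = []
    for line in log_text.splitlines():
        m = PROPOSED_RE.search(line)
        if m:
            findings.append({"kind": "proposal", "local": m["local"], "remote": m["remote"],
                             "covered_by": conns_covering(conns, m["local"], m["remote"])})
            continue
        m = MARTIAN_RE.search(line)
        if m:
            findings.append({"kind": "martian", "src": m["src"], "dst": m["dst"], "dev": m["dev"],
                             "src_in_tunnel": source_in_tunnel(conns, m["src"])})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CONF, SAMPLE_LOG):
        if f["kind"] == "proposal":
            who = ", ".join(f["covered_by"]) or "NO CONN (expect INVALID_ID_INFORMATION)"
            print(f"proposal {f['local']} -> {f['remote']}: {who}")
        else:
            print(f"martian on {f['dev']}: {f['src']} -> {f['dst']}, "
                  f"source inside a tunnel selector: {f['src_in_tunnel']}")
```

Run as a script it prints the report for the constructed samples; on a real box, pass the contents of ipsec.conf and of /var/log/messages or /var/log/ipsec to `triage()`. With only the subnet conn configured, the peer's own /32 proposal comes back with an empty `covered_by`, which is the responder-side view of the log excerpt above; with both conns present, the martian line's source address is reported as lying inside a remote selector.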
