[Openswan Users] Checkpoint VPN-1 Edge/KLIPS problems (NETKEY works!)
ms at wsap.net
Thu Jan 28 18:22:26 EST 2010
I've been running a Checkpoint Edge X32 Device at home for a long time now,
connecting to my hosted SuSE 10.3 server using SuSEs Openswan-netkey 2.4.7
package. As has been reported, a Checkpoint FW requires its peer to have TWO
tunnels connected to it - one for the peer itself, one for the subnet behind
Because of that, I've been using the following configs (aa=server,
This config has been working FLAWLESSLY 24/7/365 for a couple of years now -
as said, using NETKEY. No problems so far...
...until recently, when I ran into a routing issue (I need to connect to
other networks behind server aa) and figured out I'll have to use KLIPS
instead of NETKEY to achieve this (using the ipsec*-devices only KLIPS
I started by compiling Openswan 2.6.21 on my current SuSE 10.3 kernel
18.104.22.168-0.4-default (make kpatch works without problems, npatch needs some
manual rework but after correcting some stuff from udp.c.rej it compiles
well - or at least seems to :).
If I start it using the above config, no connection comes up (initiate...
and then it stops). Instead, I get funny messages in my /var/log/messages:
Jan 21 23:03:03 aa kernel: martian source aa.aa.aa.aa from bb.bb.bb.bb, on
Jan 21 23:03:03 aa kernel: ll header:
[...multiple repeats follow...]
If I delete (!) the connection to the firewall (local-remote_fw), the
connection between server and subnet gets established and I see the ipsec0
interface, "ipsec eroute" shows the tunnels and I can even ping between
server and subnet.
Unfortunately, this connection has the same known problem I had before I
knew I need a second one:
Jan 21 22:10:03 aa pluto: "local-remote" #23: the peer proposed:
aa.aa.aa.aa/32:0/0 -> bb.bb.bb.bb/32:0/0
Jan 21 22:10:03 aa pluto: "local-remote" #23: cannot respond to IPsec
SA request because no connection is known for
Jan 21 22:10:03 aa pluto: "local-remote" #23: sending encrypted
notification INVALID_ID_INFORMATION to bb.bb.bb.bb:500
Getting notified, my Checkpoint closes the connection every minute or so
because it thinks the connection is broken (if this didn't cause
interruptions every time, I'd probably just live with it).
Remarkably, the above behaviour only shows up using KLIPS and NOT using
My QUESTION: How can I install a second conn between the peers without
risking my whole traffic getting dropped? How can I investigate further?
Alternatively, how can I route from the 192.168.234.0/24-subnet behind
bb.bb.bb.bb via aa.aa.aa.aa to another VPN connected to aa.aa.aa.aa without
using KLIPS? Is this possible at all?
Any hint is greatly appreciated!
PS: I've reworked my configuration which now looks like this but should work
the same way as the one above:
If I put the second subnet
into it, it shows the same behaviour ("martian packets") as the config
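The pluto lines quoted above describe a selector mismatch: the Checkpoint proposes a host-to-host SA (aa.aa.aa.aa/32 to bb.bb.bb.bb/32), pluto finds no conn whose subnets equal those selectors, and answers with INVALID_ID_INFORMATION, which is why the peer then tears the tunnel down. The following checker is an added illustration written for this page, not the poster's configuration and not Openswan code: it parses "the peer proposed" lines from a constructed pluto log (documentation addresses stand in for aa.aa.aa.aa and bb.bb.bb.bb) and reports which conn in a hypothetical conn table would answer each proposal, once with only the subnet tunnel defined and once with the extra host-to-host conn the Checkpoint expects. The exact-match rule is a modelling assumption based on IKEv1 quick mode doing no narrowing.

```python
import ipaddress
import re

# Shape of the pluto IKEv1 quick-mode log line seen in the post:
#   '"conn" #N: the peer proposed: A/32:0/0 -> B/32:0/0'
PROPOSAL_RE = re.compile(
    r'pluto: "(?P<conn>[^"]+)" #(?P<sa>\d+): the peer proposed: '
    r'(?P<local>\S+) -> (?P<remote>\S+)'
)


def parse_selector(sel):
    """Turn 'a.b.c.d/32:0/0' into an ip_network, dropping the proto/port suffix."""
    net = sel.split(":", 1)[0]
    return ipaddress.ip_network(net, strict=False)


def parse_proposals(log_text):
    """Return one dict per 'the peer proposed' line found in the log text."""
    out = []
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            out.append({
                "conn": m.group("conn"),
                "sa": int(m.group("sa")),
                "local": parse_selector(m.group("local")),
                "remote": parse_selector(m.group("remote")),
            })
    return out


def find_matching_conn(local, remote, conns):
    """Name of the first conn whose subnets equal the proposed selectors, or None.

    Modelling assumption: IKEv1 quick mode does not narrow selectors, so a conn
    only answers a proposal whose client subnets are exactly its own.
    """
    for c in conns:
        if (ipaddress.ip_network(c["leftsubnet"]) == local
                and ipaddress.ip_network(c["rightsubnet"]) == remote):
            return c["name"]
    return None


def audit(log_text, conns):
    """For each proposal, report the conn that would answer it; 'unmatched'
    marks a proposal pluto would reject with INVALID_ID_INFORMATION."""
    return [
        (p["sa"], find_matching_conn(p["local"], p["remote"], conns) or "unmatched")
        for p in parse_proposals(log_text)
    ]


# Constructed sample data (documentation addresses, not a real deployment).
SERVER = "203.0.113.10"      # stands in for aa.aa.aa.aa
FIREWALL = "198.51.100.20"   # stands in for bb.bb.bb.bb

SAMPLE_LOG = f"""\
Jan 21 22:10:03 aa pluto: "local-remote" #23: the peer proposed: {SERVER}/32:0/0 -> {FIREWALL}/32:0/0
Jan 21 22:10:03 aa pluto: "local-remote" #23: sending encrypted notification INVALID_ID_INFORMATION to {FIREWALL}:500
Jan 21 22:10:05 aa pluto: "local-remote" #24: the peer proposed: {SERVER}/32:0/0 -> 192.168.234.0/24:0/0
"""

# Hypothetical conn table with only the subnet tunnel defined.
SUBNET_ONLY = [
    {"name": "local-remote", "leftsubnet": f"{SERVER}/32", "rightsubnet": "192.168.234.0/24"},
]
# The same table plus the host-to-host conn that answers the firewall's /32 -> /32 proposal.
WITH_FW_CONN = SUBNET_ONLY + [
    {"name": "local-remote_fw", "leftsubnet": f"{SERVER}/32", "rightsubnet": f"{FIREWALL}/32"},
]

if __name__ == "__main__":
    print("subnet conn only:     ", audit(SAMPLE_LOG, SUBNET_ONLY))
    print("with host-to-host conn:", audit(SAMPLE_LOG, WITH_FW_CONN))
```

Running the block shows SA #23 as "unmatched" with the subnet-only table and answered by "local-remote_fw" once the host-to-host conn exists, which is the two-conn requirement the post describes, read off the log rather than guessed from the peer's behaviour.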