topic Re: Problems with conection between Checkpoint and an Ubuntu Server with Strongswan in SASE and Remote Access

Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

PAS-HQ — Mon, 07 Nov 2022 18:37:47 GMT

Hello,
Could someone please help me to configure an IPSec Site-to-Site VPN between CheckPoint and an Ubuntu server with Strongswan?
I already configured all the parameters in Strongswan and ipsec.conf and ipsec.secrets, but the connection in
phase 1 of both sides. All help is welcome. Cheers

### ipsec.conf

config setup
charondebug="all"
uniqueids=no
strictcrlpolicy=no

# connection to Bank Server Santander datacenter
conn vpn_siscar
# conn ikev2-vpn
closeaction=restart
authby=secret
left=%defaultroute
leftsubnet=10.8.0.0/16
right=X.X.X.X #RemotePublic IP
type=tunnel
rightsubnet=180.97.92.0/25,180.97.93.0/25,180.130.16.0/24,180.175.165.0/24,180.176.77.205/32,180.176.77.206/32,180.176.77.207/32,180.176.77.208/32,180.176.77.209/32
aggressive=yes
ike=aes256-sha256-ecp256!
esp=aes256-sha256-ecp256!
keyexchange=ikev2
leftauth=psk
rightauth=psk
leftsourceip=%config
keyingtries=%forever
ikelifetime=10800s
lifetime=86400s
rightid=%any
dpddelay=30s
dpdtimeout=1440m
dpdaction=restart
auto=route
margintime=9m
forceencaps=yes
# strictcrlpolicy=yes
# uniqueids = no

Re: Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

PhoneBoy — Mon, 07 Nov 2022 21:30:11 GMT

What is the precise version/JHF of the gateway you are connecting to?
Strongswan requires R81 and above and it requires specific configuration on the gateway to support.

Re: Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

PAS-HQ — Mon, 07 Nov 2022 22:20:46 GMT

Thank you PhoneBoy for your quick response, I am getting the information from the CheckPoint equipment, the Strongswan version I am using is 5.8.2

Cheers

Re: Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

PAS-HQ — Mon, 07 Nov 2022 22:30:57 GMT

Hi PhoneBoy,

These are the Chekpoing data:

VSX CHECKPOINT R77.30

Regards

Re: Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

the_rock — Mon, 07 Nov 2022 23:56:42 GMT

This is the 1st time I hear about strongswan, so wont even pretend to help there : - ). As far as CP though, you can run a basic debug and see what you get. From expert mode of the fw:

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

Check ike.elg and vpnd.elg file in $FWDIR/log directory

If phase 1 fails, then that clearly tells us (no matter what vendor we are dealing with) that something with encryption algorithms is mismatched on both sides.

Andy

Re: Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

_Val_ — Tue, 08 Nov 2022 13:09:42 GMT

This version is out of support for ages now...

Re: Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

the_rock — Tue, 08 Nov 2022 13:16:35 GMT

Val is right, version is totally out of support, so dont bother calling TAC, they wont help. Message me privately, happy to do remote and see if I can help you out. One thing I would check is if there are any modifications made previously on user.def file on the management. I believe thats where those would have been made back in R77.30...not saying that is the case, but worth checking.

Re: Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

PhoneBoy — Tue, 08 Nov 2022 13:56:14 GMT

As noted above, StrongSWAN is supported on R81 and above gateways.
It is not supported on R77.30, which has been End of Support for a few years now.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk165014&partition=Basic&product=IPSec

Re: Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

PhoneBoy — Tue, 08 Nov 2022 15:32:53 GMT

We had to add specific support for Strongswan--it won't work out of the box.
The first version we had it in was a private build of R80.x.
Having said that, someone figured out how to get it working in R80.30 here: https://community.checkpoint.com/t5/Remote-Access-VPN/C2S-strongSwan-Roadwarrior-and-R80-30-working/m-p/67619#M2157
However, there are enough changes between R77.30 and R80.30 that I don't expect the same procedure to work on R77.30.

Re: Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

PAS-HQ — Tue, 08 Nov 2022 17:56:31 GMT

thanks for the information _Val_

Re: Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

PAS-HQ — Tue, 08 Nov 2022 17:58:08 GMT

the_rock,

thanks for the information

Re: Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

Lesley — Wed, 09 Nov 2022 12:54:05 GMT

You can try this, but I cannot give any guarantee due the EOL software. And also Strongswan is a pain to build a tunnel with.

Also this setting below will not help you anymore in newer versions then you need to follow up advise from PhoneBoy

This setting only for old software:

> # fw ctl set int strongswan_bug_workaround 1>> Note: this command does not survive a reboot.>> In case it resolves the issue, the parameter can be set to survive reboot by modifying the file: $FWDIR/modules/vpnkern.conf> and adding the following line:>> strongswan_bug_workaround=1>> Note: if the file does not exist, create it.>> With the flag on, the Security Gateway only store new keys if they are re-keys of existing ones (or if there are no existing ones).> Note that this flag is relevant to IKEv2 only.