This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PAS-HQ
Explorer
‎2022-11-07 10:37 AM
Jump to solution

Problems with conection between Checkpoint and an Ubuntu Server with Strongswan

Hello,
Could someone please help me to configure an IPSec Site-to-Site VPN between CheckPoint and an Ubuntu server with Strongswan?
I already configured all the parameters in Strongswan and ipsec.conf and ipsec.secrets, but the connection in
phase 1 of both sides. All help is welcome. Cheers

 

### ipsec.conf

 

config setup
charondebug="all"
uniqueids=no
strictcrlpolicy=no

# connection to Bank Server Santander datacenter
conn vpn_siscar
# conn ikev2-vpn
closeaction=restart
authby=secret
left=%defaultroute
leftsubnet=10.8.0.0/16
right=X.X.X.X #RemotePublic IP
type=tunnel
rightsubnet=180.97.92.0/25,180.97.93.0/25,180.130.16.0/24,180.175.165.0/24,180.176.77.205/32,180.176.77.206/32,180.176.77.207/32,180.176.77.208/32,180.176.77.209/32
aggressive=yes
ike=aes256-sha256-ecp256!
esp=aes256-sha256-ecp256!
keyexchange=ikev2
leftauth=psk
rightauth=psk
leftsourceip=%config
keyingtries=%forever
ikelifetime=10800s
lifetime=86400s
rightid=%any
dpddelay=30s
dpdtimeout=1440m
dpdaction=restart
auto=route
margintime=9m
forceencaps=yes
# strictcrlpolicy=yes
# uniqueids = no

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2022-11-08 05:56 AM
In response to PAS-HQ
Jump to solution

As noted above, StrongSWAN is supported on R81 and above gateways.
It is not supported on R77.30, which has been End of Support for a few years now.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

View solution in original post

0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2022-11-07 01:30 PM
Jump to solution

What is the precise version/JHF of the gateway you are connecting to?
Strongswan requires R81 and above and it requires specific configuration on the gateway to support.

0 Kudos
PAS-HQ
Explorer
‎2022-11-07 02:20 PM
In response to PhoneBoy
Jump to solution

Thank you PhoneBoy for your quick response, I am getting the information from the CheckPoint equipment, the Strongswan version I am using is 5.8.2

Cheers

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2022-11-08 05:16 AM
In response to PAS-HQ
Jump to solution

Val is right, version is totally out of support, so dont bother calling TAC, they wont help. Message me privately, happy to do remote and see if I can help you out. One thing I would check is if there are any modifications made previously on user.def file on the management. I believe thats where those would have been made back in R77.30...not saying that is the case, but worth checking.

Best,
Andy
PhoneBoy
Admin
Admin
‎2022-11-08 07:32 AM
In response to the_rock
Jump to solution

We had to add specific support for Strongswan--it won't work out of the box.
The first version we had it in was a private build of R80.x.
Having said that, someone figured out how to get it working in R80.30 here: https://community.checkpoint.com/t5/Remote-Access-VPN/C2S-strongSwan-Roadwarrior-and-R80-30-working/... 
However, there are enough changes between R77.30 and R80.30 that I don't expect the same procedure to work on R77.30.

0 Kudos
PAS-HQ
Explorer
‎2022-11-08 09:58 AM
In response to the_rock
Jump to solution

the_rock,

thanks for the information

0 Kudos
PAS-HQ
Explorer
‎2022-11-07 02:30 PM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

These are the Chekpoing data:

VSX CHECKPOINT R77.30

Regards

0 Kudos
_Val_
Admin
Admin
‎2022-11-08 05:09 AM
In response to PAS-HQ
Jump to solution

This version is out of support for ages now...

0 Kudos
PAS-HQ
Explorer
‎2022-11-08 09:56 AM
In response to _Val_
Jump to solution

thanks for the information _Val_

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-08 05:56 AM
In response to PAS-HQ
Jump to solution

As noted above, StrongSWAN is supported on R81 and above gateways.
It is not supported on R77.30, which has been End of Support for a few years now.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2022-11-07 03:56 PM
Jump to solution

This is the 1st time I hear about strongswan, so wont even pretend to help there : - ). As far as CP though, you can run a basic debug and see what you get. From expert mode of the fw:

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

Check ike.elg and vpnd.elg file in $FWDIR/log directory

If phase 1 fails, then that clearly tells us (no matter what vendor we are dealing with) that something with encryption algorithms is mismatched on both sides.

Andy

Best,
Andy
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2022-11-09 04:54 AM
Jump to solution

You can try this, but I cannot give any guarantee due the EOL software. And also Strongswan is a pain to build a tunnel with. 

Also this setting below will not help you anymore in newer versions then you need to follow up advise from PhoneBoy

 

This setting only for old software:

> # fw ctl set int strongswan_bug_workaround 1>> Note: this command does not survive a reboot.>> In case it resolves the issue, the parameter can be set to survive reboot by modifying the file: $FWDIR/modules/vpnkern.conf> and adding the following line:>> strongswan_bug_workaround=1>> Note: if the file does not exist, create it.>> With the flag on, the Security Gateway only store new keys if they are re-keys of existing ones (or if there are no existing ones).> Note that this flag is relevant to IKEv2 only.

 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events