PAS-HQ
Explorer

Problems with connection between Checkpoint and an Ubuntu Server with Strongswan

Hello,
Could someone please help me configure an IPSec Site-to-Site VPN between CheckPoint and an Ubuntu server with Strongswan?
I have already configured all the parameters in Strongswan (ipsec.conf and ipsec.secrets), but the connection in
phase 1 of both sides. All help is welcome. Cheers

### ipsec.conf

```
config setup
    charondebug="all"
    uniqueids=no
    strictcrlpolicy=no

# connection to Bank Server Santander datacenter
conn vpn_siscar
    # conn ikev2-vpn
    closeaction=restart
    authby=secret
    left=%defaultroute
    leftsubnet=10.8.0.0/16
    # remote public IP
    right=X.X.X.X
    type=tunnel
    rightsubnet=180.97.92.0/25,180.97.93.0/25,180.130.16.0/24,180.175.165.0/24,180.176.77.205/32,180.176.77.206/32,180.176.77.207/32,180.176.77.208/32,180.176.77.209/32
    # aggressive mode exists only in IKEv1; ignored with keyexchange=ikev2
    aggressive=yes
    ike=aes256-sha256-ecp256!
    esp=aes256-sha256-ecp256!
    keyexchange=ikev2
    leftauth=psk
    rightauth=psk
    # %config requests a virtual IP from the peer (road-warrior style)
    leftsourceip=%config
    keyingtries=%forever
    ikelifetime=10800s
    lifetime=86400s
    # accepts any peer identity instead of pinning the gateway's IKE ID
    rightid=%any
    dpddelay=30s
    # dpdtimeout applies to IKEv1 only
    dpdtimeout=1440m
    dpdaction=restart
    auto=route
    margintime=9m
    forceencaps=yes
    # strictcrlpolicy=yes
    # uniqueids = no
```
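As an added example (not from the thread or from the strongSwan project), a small Python linter that parses an ipsec.conf in the format above and flags the parameters in this conn that are ignored or unusual for an IKEv2 site-to-site tunnel. The sample is the poster's conn trimmed to the parameters checked, and 203.0.113.10 is a constructed placeholder for the remote public IP.

```python
# Constructed sample: the poster's conn, trimmed to the parameters checked below.
# 203.0.113.10 is a placeholder for the remote public IP.
SAMPLE_CONF = """\
config setup
    charondebug="all"

conn vpn_siscar
    authby=secret
    left=%defaultroute
    leftsubnet=10.8.0.0/16
    right=203.0.113.10
    aggressive=yes
    keyexchange=ikev2
    leftsourceip=%config
    rightid=%any
    dpdtimeout=1440m
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}. Section headers start in column 0,
    parameters must be indented, and '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = line.strip()          # e.g. "conn vpn_siscar"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def lint_conn(params):
    """Return findings for one section; an empty list means nothing flagged."""
    findings = []
    ikev2 = params.get("keyexchange") == "ikev2"
    if ikev2 and params.get("aggressive") == "yes":
        findings.append("aggressive=yes is IKEv1-only and ignored under IKEv2")
    if ikev2 and "dpdtimeout" in params:
        findings.append("dpdtimeout is IKEv1-only; IKEv2 uses retransmission timeouts")
    if params.get("leftsourceip") == "%config" and "leftsubnet" in params:
        findings.append("leftsourceip=%config asks the peer for a virtual IP "
                        "(road-warrior style), odd for a site-to-site tunnel")
    if params.get("rightid") == "%any":
        findings.append("rightid=%any accepts any peer identity; pin it to the gateway's IKE ID")
    return findings
```

Running `lint_conn` over each section returned by `parse_ipsec_conf` lists the four findings for `conn vpn_siscar` and nothing for `config setup`.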

PhoneBoy
Admin

What is the precise version/JHF of the gateway you are connecting to?
Strongswan requires R81 and above, and it requires specific configuration on the gateway to support it.

PAS-HQ
Explorer

Thank you PhoneBoy for your quick response. I am getting the information from the CheckPoint equipment; the Strongswan version I am using is 5.8.2.

Cheers

the_rock
MVP Gold

Val is right, the version is totally out of support, so don't bother calling TAC, they won't help. Message me privately, happy to do a remote session and see if I can help you out. One thing I would check is whether any modifications were made previously in the user.def file on the management. I believe that's where those would have been made back in R77.30... not saying that is the case, but worth checking.

PhoneBoy
Admin

We had to add specific support for Strongswan--it won't work out of the box.
The first version we had it in was a private build of R80.x.
Having said that, someone figured out how to get it working in R80.30 here: https://community.checkpoint.com/t5/Remote-Access-VPN/C2S-strongSwan-Roadwarrior-and-R80-30-working/... 
However, there are enough changes between R77.30 and R80.30 that I don't expect the same procedure to work on R77.30.

PAS-HQ
Explorer

the_rock,

Thanks for the information.

PAS-HQ
Explorer

Hi PhoneBoy,

These are the Checkpoint data:

VSX CHECKPOINT R77.30

Regards

_Val_
Admin

This version is out of support for ages now...

PAS-HQ
Explorer

Thanks for the information, _Val_.

PhoneBoy
Admin

As noted above, StrongSWAN is supported on R81 and above gateways.
It is not supported on R77.30, which has been End of Support for a few years now.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

the_rock
MVP Gold

This is the first time I hear about strongswan, so I won't even pretend to help there :-). As far as CP goes though, you can run a basic debug and see what you get. From expert mode of the fw:

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

Check ike.elg and vpnd.elg file in $FWDIR/log directory

If phase 1 fails, then that clearly tells us (no matter what vendor we are dealing with) that something with encryption algorithms is mismatched on both sides.

Andy

Lesley
MVP Gold

You can try this, but I cannot give any guarantee due to the EOL software. Also, Strongswan is a pain to build a tunnel with.

Also, the setting below will not help you anymore in newer versions; then you need to follow the advice from PhoneBoy.


This setting only for old software:

> # fw ctl set int strongswan_bug_workaround 1
>
> Note: this command does not survive a reboot.
>
> In case it resolves the issue, the parameter can be set to survive reboot by modifying the file: $FWDIR/modules/vpnkern.conf
> and adding the following line:
>
> strongswan_bug_workaround=1
>
> Note: if the file does not exist, create it.
>
> With the flag on, the Security Gateway only stores new keys if they are re-keys of existing ones (or if there are no existing ones).
> Note that this flag is relevant to IKEv2 only.


-------
If you like this post please give a thumbs up(kudo)! 🙂