PAS-HQ
Explorer

Problems with connection between Checkpoint and an Ubuntu Server with Strongswan

Hello,
Could someone please help me to configure an IPSec Site-to-Site VPN between CheckPoint and an Ubuntu server with Strongswan?
I already configured all the parameters in Strongswan and ipsec.conf and ipsec.secrets, but the connection in phase 1 of both sides. All help is welcome. Cheers


### ipsec.conf


```
config setup
    charondebug="all"
    uniqueids=no
    strictcrlpolicy=no

# connection to Bank Server Santander datacenter
conn vpn_siscar
    # conn ikev2-vpn
    closeaction=restart
    authby=secret
    left=%defaultroute
    leftsubnet=10.8.0.0/16
    # remote public IP (placeholder)
    right=X.X.X.X
    type=tunnel
    rightsubnet=180.97.92.0/25,180.97.93.0/25,180.130.16.0/24,180.175.165.0/24,180.176.77.205/32,180.176.77.206/32,180.176.77.207/32,180.176.77.208/32,180.176.77.209/32
    # aggressive mode exists only in IKEv1; ignored with keyexchange=ikev2
    aggressive=yes
    # the trailing "!" makes the proposal strict: the peer's phase 1 and
    # phase 2 settings must match it exactly, no default fallbacks are offered
    ike=aes256-sha256-ecp256!
    esp=aes256-sha256-ecp256!
    keyexchange=ikev2
    leftauth=psk
    rightauth=psk
    # requests a virtual IP from the peer (remote-access behaviour)
    leftsourceip=%config
    keyingtries=%forever
    ikelifetime=10800s
    lifetime=86400s
    rightid=%any
    dpddelay=30s
    # dpdtimeout applies to IKEv1 only; IKEv2 uses its retransmission timeout
    dpdtimeout=1440m
    dpdaction=restart
    auto=route
    margintime=9m
    forceencaps=yes
    # strictcrlpolicy=yes
    # uniqueids = no
```

0 Kudos
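A small linter for the posted ipsec.conf, added here as an example and not code from the thread or from strongSwan itself: it parses the indentation-based section syntax and flags the settings in the conn above that are irrelevant under keyexchange=ikev2 or that make a strict proposal easy to mismatch. It assumes the sample conn constructed inline (a trimmed copy of the post's config, public IP placeholder kept) and the single "enc-integ-dh" form of ike=.

```python
SAMPLE = """\
conn vpn_siscar
    keyexchange=ikev2
    aggressive=yes
    ike=aes256-sha256-ecp256!
    leftsubnet=10.8.0.0/16
    leftsourceip=%config
    dpdtimeout=1440m
    right=X.X.X.X  # placeholder for the remote public IP
"""

def parse_ipsec_conf(text):
    """Return {'type name': {key: value}} (strongSwan starter syntax: a line in
    column 0 opens a section, parameters are indented, '#' starts a comment)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is None:
            raise ValueError(f"parameter outside any section: {raw!r}")
        else:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def parse_proposal(spec):
    """Split a single 'enc-integ-dh' proposal such as 'aes256-sha256-ecp256!'
    into (enc, integ, dh, strict); a trailing '!' means: offer nothing else."""
    strict = spec.endswith("!")
    enc, integ, dh = spec.rstrip("!").split("-")
    return enc, integ, dh, strict

def lint_conn(params):
    """Findings for one conn block that muddy a phase 1 failure diagnosis."""
    findings = []
    if params.get("keyexchange") == "ikev2":
        for key in ("aggressive", "dpdtimeout"):
            if key in params:
                findings.append(f"{key} applies to IKEv1 only; ignored with ikev2")
    if "leftsourceip" in params and "leftsubnet" in params:
        findings.append("leftsourceip requests a virtual IP (remote-access style),"
                        " unusual for a site-to-site conn that also sets leftsubnet")
    if "ike" in params:
        enc, integ, dh, strict = parse_proposal(params["ike"])
        if strict:
            findings.append(f"strict ike proposal: peer must offer exactly {enc}/{integ}/{dh}")
    return findings
```

Run `lint_conn(parse_ipsec_conf(SAMPLE)["conn vpn_siscar"])` against your own file's text to get the same findings for a real conn block.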
1 Solution

Accepted Solutions
PhoneBoy
Admin

As noted above, StrongSWAN is supported on R81 and above gateways.
It is not supported on R77.30, which has been End of Support for a few years now.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


0 Kudos
11 Replies
PhoneBoy
Admin

What is the precise version/JHF of the gateway you are connecting to?
Strongswan requires R81 and above and it requires specific configuration on the gateway to support.

0 Kudos
PAS-HQ
Explorer

Thank you PhoneBoy for your quick response. I am getting the information from the CheckPoint equipment; the Strongswan version I am using is 5.8.2.

Cheers

0 Kudos
the_rock
Legend

Val is right, version is totally out of support, so don't bother calling TAC, they won't help. Message me privately, happy to do remote and see if I can help you out. One thing I would check is if there are any modifications made previously on the user.def file on the management. I believe that's where those would have been made back in R77.30...not saying that is the case, but worth checking.

PhoneBoy
Admin

We had to add specific support for Strongswan--it won't work out of the box.
The first version we had it in was a private build of R80.x.
Having said that, someone figured out how to get it working in R80.30 here: https://community.checkpoint.com/t5/Remote-Access-VPN/C2S-strongSwan-Roadwarrior-and-R80-30-working/... 
However, there are enough changes between R77.30 and R80.30 that I don't expect the same procedure to work on R77.30.

0 Kudos
PAS-HQ
Explorer

the_rock,

thanks for the information

0 Kudos
PAS-HQ
Explorer

Hi PhoneBoy,

These are the Checkpoint data:

VSX CHECKPOINT R77.30

Regards

0 Kudos
_Val_
Admin

This version is out of support for ages now...

0 Kudos
PAS-HQ
Explorer

thanks for the information _Val_

0 Kudos
the_rock
Legend

This is the 1st time I hear about strongswan, so won't even pretend to help there : - ). As far as CP though, you can run a basic debug and see what you get. From expert mode of the fw:

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

Check ike.elg and vpnd.elg file in $FWDIR/log directory

If phase 1 fails, then that clearly tells us (no matter what vendor we are dealing with) that something with encryption algorithms is mismatched on both sides.

Andy

0 Kudos
Lesley
Contributor

You can try this, but I cannot give any guarantee due to the EOL software. And also Strongswan is a pain to build a tunnel with.

Also, this setting below will not help you anymore in newer versions; then you need to follow up the advice from PhoneBoy.


This setting is only for old software:

> # fw ctl set int strongswan_bug_workaround 1
>
> Note: this command does not survive a reboot.
>
> In case it resolves the issue, the parameter can be set to survive reboot by modifying the file: $FWDIR/modules/vpnkern.conf
> and adding the following line:
>
> strongswan_bug_workaround=1
>
> Note: if the file does not exist, create it.
>
> With the flag on, the Security Gateway only stores new keys if they are re-keys of existing ones (or if there are no existing ones).
> Note that this flag is relevant to IKEv2 only.


0 Kudos