[strongSwan] From OpenSWAN PubKey to StrongSWAN - Other side is Checkpoiint FW1
Luca Arzeni
l.arzeni at gmail.com
Sat Aug 5 02:27:14 CEST 2017
Hi,
I'm on a debian jessie 8.0, openswan 2.6.37 and I need to migrate to
StrongSWAN 5.2.1
I'm a client (roadwarrior), the other side is a Checkpoint FW1 NG
This configuration IS WORKING FINE under openswan (i.e.: I can connect and
work without any trouble):
==================================================
version 2.0 # conforms to second version of ipsec.conf specification
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:
10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
oe=off
protostack=netkey # I set this to avoid warning message at connection
startup
keep_alive=20
force_keepalive=yes
conn roadwarrior
left=%defaultroute
leftcert=my_cert.pem
leftrsasigkey=%cert
leftid=%fromcert
#
leftsourceip=A.B.C.D # CP-known client IP (not necessarily my ip), I need
to set it because I'm using also a "rightsubnets" list
leftsubnet=A.B.C.D/32 # CP-known client IP(not necessarily my ip), I need
to set it because I'm using also a "rightsubnets" list
#
right=X.Y.Z.W (FW1_IP_ADDESS)
rightid=X.Y.Z.W (I cannot use FW cert or other values, I MUST use
the firewall public IP)
rightsubnets={ 192.168.1.0/24 192.168.2.0/24 ecc... }
rightcert=firewall_cert.pem
rightrsasigkey=%cert
#
#
auto=start
# after establishing the vpn, run these script to allow routes from my
client to server behind the firevall
#
# /sbin/iptables -t nat -I POSTROUTING -d 192.168.1.0/24 -j SNAT --to my_ip
# /sbin/iptables -t nat -I POSTROUTING -d 192.168.2.0/24 -j SNAT --to my_ip
==============================================================
Now I'm trying to use StrongSWAN to setup a connection, but I'm not able to
connect.
This is my StrongSWAN ipsec.conf:
==============================================================
# ipsec.conf - strongSwan IPsec configuration file
config setup
# strictcrlpolicy=yes
# uniqueids = no
charondebug = dmn 2, mgr 2, ike 2, chd 2, job 0, cfg 2, knl 2, net 2, asn
0, enc 0, lib 0, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2
conn home
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
#
left=%any
leftcert=my_cert.pem
leftrsasigkey=%cert
leftid="my certificate subject"
#leftauth=pubkey
leftfirewall=yes
#
leftsourceip=A.B.C.D # CP-known client IP (not necessarily my ip), I need
to set it because I'm using also a "rightsubnets" list
leftsubnet=A.B.C.D/32 # CP-known client IP(not necessarily my ip), I need
to set it because I'm using also a "rightsubnets" list
#
rightcert=fwncest_2012-11-07_cert.pem
rightrsasigkey=%cert
right=X.Y.Z.W (FW1_IP_ADDESS)
rightid=X.Y.Z.W (I cannot use FW cert or other values, I MUST use
the firewall public IP)
rightsubnet= 192.168.1.0/24, 192.168.2.0/24, ecc...
rightcert=firewall_cert.pem
rightrsasigkey=%cert
#
auto=start
# after establishing the vpn, run these script to allow routes from
my client to server behind the firevall
#
# /sbin/iptables -t nat -I POSTROUTING -d 192.168.1.0/24 -j SNAT
--to my_ip
# /sbin/iptables -t nat -I POSTROUTING -d 192.168.2.0/24 -j SNAT
--to my_ip
include /var/lib/strongswan/ipsec.conf.inc
===========================================================================
But this setup is not working.
Can someone help me?
Thanks, larzeni
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170805/486ae031/attachment-0001.html>
More information about the Users
mailing list