[strongSwan] From OpenSWAN PubKey to StrongSWAN - Other side is Checkpoint FW1

Luca Arzeni l.arzeni at gmail.com
Sat Aug 5 02:27:14 CEST 2017


Hi,
I'm on Debian Jessie 8.0 with openswan 2.6.37, and I need to migrate to
strongSwan 5.2.1.
I'm a client (roadwarrior); the other side is a Checkpoint FW1 NG.

This configuration IS WORKING FINE under openswan (i.e. I can connect and
work without any trouble):
==================================================
# conforms to second version of ipsec.conf specification
version 2.0

config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        # set to netkey to avoid a warning message at connection startup
        protostack=netkey
        keep_alive=20
        force_keepalive=yes

conn roadwarrior
        left=%defaultroute
        leftcert=my_cert.pem
        leftrsasigkey=%cert
        leftid=%fromcert
        # A.B.C.D is the client IP known to the Checkpoint (not necessarily my
        # real IP); I need to set it because I'm also using a "rightsubnets" list
        leftsourceip=A.B.C.D
        leftsubnet=A.B.C.D/32
        # X.Y.Z.W is the FW1 public IP address; the rightid MUST be the
        # firewall public IP (I cannot use the FW cert or other values)
        right=X.Y.Z.W
        rightid=X.Y.Z.W
        rightsubnets={ 192.168.1.0/24 192.168.2.0/24 ecc... }
        rightcert=firewall_cert.pem
        rightrsasigkey=%cert
        auto=start

# after establishing the VPN, run these commands to allow routes from my
# client to the servers behind the firewall
#
# /sbin/iptables -t nat -I POSTROUTING -d 192.168.1.0/24 -j SNAT --to my_ip
# /sbin/iptables -t nat -I POSTROUTING -d 192.168.2.0/24 -j SNAT --to my_ip

==============================================================

Now I'm trying to use strongSwan to set up the connection, but I'm not able to
connect.
This is my strongSwan ipsec.conf:

==============================================================

# ipsec.conf - strongSwan IPsec configuration file

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="dmn 2, mgr 2, ike 2, chd 2, job 0, cfg 2, knl 2, net 2, asn 0, enc 0, lib 0, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2"

conn home
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        left=%any
        leftcert=my_cert.pem
        leftrsasigkey=%cert
        leftid="my certificate subject"
        #leftauth=pubkey
        leftfirewall=yes
        # A.B.C.D is the client IP known to the Checkpoint (not necessarily my
        # real IP); I need to set it because I'm also using a "rightsubnet" list
        leftsourceip=A.B.C.D
        leftsubnet=A.B.C.D/32
        # note: rightcert is set twice in this conn; only one value takes effect
        rightcert=fwncest_2012-11-07_cert.pem
        rightrsasigkey=%cert
        # X.Y.Z.W is the FW1 public IP address; the rightid MUST be the
        # firewall public IP (I cannot use the FW cert or other values)
        right=X.Y.Z.W
        rightid=X.Y.Z.W
        rightsubnet=192.168.1.0/24,192.168.2.0/24,ecc...
        rightcert=firewall_cert.pem
        rightrsasigkey=%cert
        auto=start
        # after establishing the VPN, run these commands to allow routes from
        # my client to the servers behind the firewall
        #
        # /sbin/iptables -t nat -I POSTROUTING -d 192.168.1.0/24 -j SNAT --to my_ip
        # /sbin/iptables -t nat -I POSTROUTING -d 192.168.2.0/24 -j SNAT --to my_ip

include /var/lib/strongswan/ipsec.conf.inc

===========================================================================

But this setup is not working.
Can someone help me?

Thanks, larzeni
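As an added example, not part of the original post: a strongSwan leftupdown script that applies the post's SNAT rules from within charon when each CHILD_SA comes up, and removes them when it goes down, instead of running iptables by hand after the tunnel is established. It relies on the PLUTO_* variables charon exports to updown scripts; IPTABLES and SNAT_TO are hypothetical knobs of this script only.

```shell
#!/bin/sh
# Constructed example (not from the original post): a strongSwan "leftupdown"
# script that installs the post's SNAT rules when the CHILD_SA for a remote
# subnet comes up and removes them when it goes down. charon passes the verb
# and the negotiated addresses to updown scripts in PLUTO_* variables;
# IPTABLES and SNAT_TO are assumed knobs added here (IPTABLES=echo dry-runs).
set -eu

# Map the updown verb to an iptables action: up-client inserts the rule,
# down-client deletes it, every other verb (up-host, ...) is ignored.
snat_action() {
    case "$1" in
        up-client)   echo "-I" ;;
        down-client) echo "-D" ;;
        *)           echo "" ;;
    esac
}

# Build the argument list of one SNAT rule, mirroring the post's manual lines:
#   snat_rule <-I|-D> <remote subnet> <address to rewrite the source to>
snat_rule() {
    printf '%s\n' "-t nat $1 POSTROUTING -d $2 -j SNAT --to $3"
}

# Entry point run by charon for each CHILD_SA. PLUTO_PEER_CLIENT is the remote
# traffic selector of that SA (one of the rightsubnet entries); the SNAT
# source is SNAT_TO if set, otherwise the virtual IP charon assigned
# (PLUTO_MY_SOURCEIP), falling back to the local IKE address (PLUTO_ME).
updown_main() {
    action="$(snat_action "${PLUTO_VERB:-}")"
    [ -n "$action" ] || return 0
    snat_to="${SNAT_TO:-${PLUTO_MY_SOURCEIP:-$PLUTO_ME}}"
    # word splitting of the rule string into iptables arguments is intended
    "${IPTABLES:-/sbin/iptables}" $(snat_rule "$action" "$PLUTO_PEER_CLIENT" "$snat_to")
}

# Only act when invoked by charon (PLUTO_VERB set); sourcing the file for a
# test just defines the functions without touching the NAT table.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main
fi
```

Reference it with leftupdown=/path/to/this-script in the conn; since leftupdown replaces strongSwan's default _updown script, chain to that script first if the leftfirewall=yes behaviour is still wanted.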