[strongSwan] From OpenSWAN PubKey to StrongSWAN - Other side is Checkpoint FW1

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat Aug 5 11:20:18 CEST 2017


Hi,

On 05.08.2017 02:27, Luca Arzeni wrote:
> [...]
> I'm on a debian jessie 8.0, openswan 2.6.37 and I need to migrate to StrongSWAN 5.2.1
You'd better get 5.5.3 right away. 5.2.1 is already pretty old.

> [...]
> ==============================================================
>
> Now I'm trying to use StrongSWAN to setup a connection, but I'm not able to connect.
> This is my StrongSWAN ipsec.conf:
>
> ==============================================================
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
> # strictcrlpolicy=yes
> # uniqueids = no
> charondebug =  dmn 2, mgr 2, ike 2, chd 2, job 0, cfg 2, knl 2, net 2, asn 0, enc 0, lib 0, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2
Remove that. Use the logger configuration from the HelpRequests[1] page instead and pastebin the resulting log for us, after you have made the following changes.
>
> conn home
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
> #
> left=%any
Remove left. It is unnecessary.
> leftcert=my_cert.pem
> leftrsasigkey=%cert
> leftid="my certificate subject"
leftrsasigkey and leftid are unnecessary, if not counterproductive.

> #leftauth=pubkey
>         leftfirewall=yes
> #
> leftsourceip=A.B.C.D # CP-known client IP (not necessarily my IP), I need to set it because I'm also using a "rightsubnets" list
> leftsubnet=A.B.C.D/32 # CP-known client IP (not necessarily my IP), I need to set it because I'm also using a "rightsubnets" list
Remove leftsubnet.
> #
> rightcert=fwncest_2012-11-07_cert.pem
> rightrsasigkey=%cert
Remove rightrsasigkey.
>         right=X.Y.Z.W (FW1_IP_ADDRESS)
>         rightid=X.Y.Z.W (I cannot use FW cert or other values, I MUST use the firewall public IP)
>         rightsubnet= 192.168.1.0/24, 192.168.2.0/24, etc...
>         rightcert=firewall_cert.pem
>         rightrsasigkey=%cert
Duplicate settings. Pick one of the certs, remove rightrsasigkey anyway.
> #
> auto=start
Careful: Charon does not try to reestablish IKE_SAs or CHILD_SAs if the remote peer deletes them. This behaves differently than openswan.

>         # after establishing the VPN, run these scripts to allow routes from my client to the servers behind the firewall
>         #
>         # /sbin/iptables -t nat -I POSTROUTING -d 192.168.1.0/24 -j SNAT --to my_ip
>         # /sbin/iptables -t nat -I POSTROUTING -d 192.168.2.0/24 -j SNAT --to my_ip
>
> include /var/lib/strongswan/ipsec.conf.inc
Remove the include.

> ===========================================================================
>
> But this setup is not working.

Provide all the information from the HelpRequests[1] page, please.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
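Pulling the corrections from the reply above into one place, this is what the resulting ipsec.conf and a matching strongswan.conf logger section look like. This is an added example assembled from the advice in the thread; it is not a configuration anyone posted here nor one shipped by strongSwan. The certificate file names, the A.B.C.D and X.Y.Z.W addresses and the rightsubnet list are the poster's placeholders, and the dpdaction/dpddelay/closeaction lines are an added suggestion that addresses the auto=start caveat (they assume the Check Point gateway answers Dead Peer Detection).

```conf
# /etc/ipsec.conf -- added example built from the corrections above

config setup
    # charondebug removed: logging is configured in strongswan.conf (below)

conn home
    keyexchange=ikev1
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    # 'left' defaults to %any and 'leftid' defaults to the subject DN of
    # leftcert, so neither is set. leftrsasigkey/rightrsasigkey are
    # openswan settings and are dropped.
    leftcert=my_cert.pem
    leftauth=pubkey
    leftfirewall=yes
    # The Check-Point-known client address is installed as the local
    # (virtual) IP and becomes the local traffic selector, so no leftsubnet.
    leftsourceip=A.B.C.D
    right=X.Y.Z.W
    # the gateway identifies itself by its public IP, not by its cert subject
    rightid=X.Y.Z.W
    # one rightcert only (the original had two)
    rightcert=firewall_cert.pem
    rightsubnet=192.168.1.0/24,192.168.2.0/24
    auto=start
    # Added suggestion (assumes the peer supports DPD): charon does not
    # re-establish IKE_SAs/CHILD_SAs that the remote side deletes unless
    # told to via these actions.
    dpdaction=restart
    dpddelay=30s
    closeaction=restart

# /etc/strongswan.conf -- a filelog section of the kind the HelpRequests
# page asks for, replacing charondebug; attach /var/log/charon.log to
# the help request
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            ike_name = yes
            append = no
            default = 1
            flush_line = yes
        }
    }
}
```

The certificates referenced by leftcert/rightcert are looked up under /etc/ipsec.d/certs, and the private key belonging to my_cert.pem must be listed in /etc/ipsec.secrets (for example `: RSA my_key.pem`, with the key in /etc/ipsec.d/private). Run `ipsec reload` after editing ipsec.conf and `ipsec restart` after editing strongswan.conf so the new log settings take effect.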


