[strongSwan] checkpoint interoperability problem

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Jan 16 19:00:00 CET 2018


Hi,

> The forceencaps=yes has been set up because the checkpoint was replying with UDP datagrams instead of ESP packets for an unknown reason.

That's definitely a bug in the checkpoint device. It has to propose UDP encapsulation if it wants to use it.
The explanation for their weird strongSwan workaround also sounds like bullshit to me.
IMO their appliances are just crap. Or at least the IPsec related software on them.

Kind regards

Noel


On 15.01.2018 15:26, Marco Berizzi wrote:
> Hello everyone.
>
> Just for the record: in agreement with the customer, switching to IKEv2 and enabling forceencaps=yes have resolved the interoperability problem.
>
> The forceencaps=yes has been set up because the checkpoint was replying with UDP datagrams instead of ESP packets for an unknown reason.
>
> Checkpoint customer is running R77.30
