If your enpoints are on static IP, you should put a type=passthrough in with left/right set to those IP addresses. That will exclude them from being caught in the 0/0, because passthrough has a higher priority.
Sent from my iPhone > On Oct 28, 2015, at 15:57, Amir Naftali <[email protected]> wrote: > > Hi All > > Thank you for supporting this important opensource initiative. > > I'm using libreswan(3.15)/netkey running on an AWS/EC2/Ubuntu/14.04 machine > to connect to a CheckPoint device where the CP device is configured to > establish an SA per GW (as oppose per subnet pair) > > This means that the negotiated subnets during IPSec phase that the CP devices > will send and accept are 0.0.0.0/0 and 0.0.0.0/0 > > The connection can be established but once the IPSec phase is complete it > will install xfrm policies that will shutdown communication (src 0.0.0.0/0 > dst 0.0.0.0/0 [in/out/fwd]...) > > Since libreswan installs xfrm policies automatically I thought to use the > leftupdown option to write a script that manage xfrm policies myself > (basically allow the wildcard to be negotiated during IPSec phase but > afterwards install a more specific xfrm policies so communication will not > shutdown. > > My script works fine until IPSec re-key happens, once re-key happens swan > installs an xfrm policy w/o making a call to the leftupdown script I provide. > The new installed xfrm policy is not complete and looks like this (I call it > partial since it only deploy the "out" policy w/o the "in" and "fwd") > > Here is how the partial policy it looks like > > src 0.0.0.0/0 dst 0.0.0.0/0 > dir out priority 3128 > tmpl src <my ip> dst <remote ip> > proto esp reqid 16401 mode tunnel > > The above policy also shut down my communication to/from the machine. > > Here is my connection config... > > conn connLG > connaddrfamily=ipv4 > authby=secret > dpdaction=restart_by_peer > dpddelay=30 > dpdtimeout=120 > forceencaps=yes > ike=aes128-sha1;modp1024 > ikelifetime=86400s > keyingtries=3 > left=<my ip> > leftid=<mu id> > leftsubnets=0.0.0.0/0 > leftupdown="/etc/ipsec.d/myUpDown.sh" > pfs=yes > phase2alg=aes128-sha1 > right=<right ip> > rightid=<right id> > rightsubnets=0.0.0.0/0 > salifetime=180s > > My questions are: > > 1) Is this the right way to do it (how else can i connect to a peer device > that negotiates wildcard subnets)? > 2) How can I better control xfrm policies (there are more options I would > like to use like mark and using multiple tmpl in the same policy) that are > not supported by libreswan? > 3) Is the behaviour I described above regarding IPSec re-key and partial xfrm > policy instrumentation is a known issue or am I missing something here in how > it should work? > > Will appreciate any response regarding this one > > Kind Regards, > > > Amir Naftali | CTO and Co-Founder | +972 54 497 2622 > > > _______________________________________________ > Swan mailing list > [email protected] > https://lists.libreswan.org/mailman/listinfo/swan
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
