I am new to strongSwan and Linux, and I'm trying to set up a VPN connection between a Linux firewall cluster and a Check Point gateway.
So this is my node list and resources:
root@Deb-FW-C1:/etc# crm status
Cluster Summary:
- Stack: corosync
- Current DC: fw-c2 (version 2.0.5-ba59be7122) - partition with quorum
- Last updated: Sat Apr 1 12:04:28 2023
- Last change: Sat Apr 1 12:04:25 2023 by root via cibadmin on iantwy
- 2 nodes configured
- 3 resource instances configured
Node List:
Full List of Resources:
- ping-gateway (ocf::pacemaker:ping): Started fw-c2
- Resource Group: FW-CLUSTER:
- FIREWALL (lsb:firewall): Started fw-c1
- CL-VIP (ocf::heartbeat:IPaddr2): Started fw-c2
This is my /etc/ipsec.conf:
conn linux-to-cp
    type=tunnel
    leftupdown=/usr/local/sbin/ipsec.sh
    mark=300
    left=x.x.x.190
    leftid=x.x.x.190
    leftsubnet=192.168.3.0/24
    right=x.x.x.201
    rightsubnet=192.168.4.0/24
    authby=secret
    keyexchange=ikev2
    ike=aes128-sha1-modp1024
    ikelifetime=28800s
    esp=aes128-sha1-modp1024
    lifetime=3600s
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    auto=start
ipsec.secrets:
# source    destination
x.x.x.190 x.x.x.201 : PSK "firewall-linux-pass"
When starting IPsec:
root@Deb-FW-C1:/etc# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
root@Deb-FW-C1:/etc# ipsec status
Security Associations (0 up, 1 connecting):
linux-to-cp[1]: CONNECTING, x.x.x.190[%any]...x.x.x.201[%any]
systemctl status strongswan-starter:
root@Deb-FW-C1:/etc# systemctl status strongswan-starter
● strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/lib/systemd/system/strongswan-starter.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Sat 2023-04-01 11:47:46 +04; 58min ago
Process: 252511 ExecStart=/usr/sbin/ipsec start --nofork (code=exited, status=0/SUCCESS)
Main PID: 252511 (code=exited, status=0/SUCCESS)
CPU: 12ms
Apr 01 11:47:46 Deb-FW-C1 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Apr 01 11:47:46 Deb-FW-C1 ipsec[252511]: Starting strongSwan 5.9.1 IPsec [starter]...
Apr 01 11:47:46 Deb-FW-C1 ipsec_starter[252511]: Starting strongSwan 5.9.1 IPsec [starter]...
Apr 01 11:47:46 Deb-FW-C1 ipsec_starter[252511]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Apr 01 11:47:46 Deb-FW-C1 ipsec[252511]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Apr 01 11:47:46 Deb-FW-C1 ipsec[252511]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Apr 01 11:47:46 Deb-FW-C1 ipsec_starter[252511]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Apr 01 11:47:46 Deb-FW-C1 systemd[1]: strongswan-starter.service: Succeeded.
I configured the Check Point in the GUI, and they both have the same encryption configuration. I created an interoperable object for the Linux firewall and added the VPN rule to allow traffic through. I also added the IKE UDP ports 500 and 4500 for IPsec NAT. The shared secret key is the same as well.
But the issue might be in the config file on the Linux firewall.
Any help on why it is stuck on connecting?
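As an added example that is not part of the original post: a small Python triage script for an IKE_SA that stays in CONNECTING with both identities still shown as %any, which is the state before the peer has answered IKE_SA_INIT. It checks the three things a practitioner would verify first on the node running charon: that the `left` address is actually configured there (the crm status above shows CL-VIP started on fw-c2 while the commands were run on fw-c1), that a PSK line in ipsec.secrets selects both peers, and whether charon's log shows any reply from the peer at all, or a notify such as NO_PROPOSAL_CHOSEN that would point at a proposal mismatch instead of a reachability problem. All inputs are constructed: the addresses use 203.0.113.0/24 in place of the redacted x.x.x.*, the `ip -4 -o addr` text is made up, and the log lines follow the wording of charon's messages but are not copied from a real system.

```python
"""Offline triage for a strongSwan IKE_SA stuck in CONNECTING (added example)."""
import re

# One "key=value" parameter line of an ipsec.conf conn section.
PARAM_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)")
# IPv4 addresses in `ip -4 -o addr` output.
ADDR_RE = re.compile(r"\binet\s+(\d+\.\d+\.\d+\.\d+)/\d+")
# charon prints peers as host[port]; capture the host of an inbound packet.
RECV_RE = re.compile(r"received packet: from (\S+?)\[\d+\]")
NOTIFY_RE = re.compile(r"received (\w+) notify error")


def parse_conn(text):
    """Return the key=value parameters of one ipsec.conf conn section."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if line.strip().lower().startswith("conn "):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params


def psk_selectors(text):
    """Return the selector set of every 'selectors : PSK secret' line.

    An empty set means a wildcard line (no selectors). IPv6 selectors, which
    contain ':', are not handled by this simple split.
    """
    selectors = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        ids, rest = line.split(":", 1)
        if rest.strip().upper().startswith("PSK"):
            selectors.append(set(ids.split()))
    return selectors


def local_addresses(ip_addr_output):
    """Return the IPv4 addresses present in `ip -4 -o addr` output."""
    return set(ADDR_RE.findall(ip_addr_output))


def classify_log(lines, right):
    """Say how far the IKE exchange with `right` got, from charon log lines."""
    notifies, replied, sent = [], False, False
    for line in lines:
        if "established between" in line:
            return "established"
        m = NOTIFY_RE.search(line)
        if m:
            notifies.append(m.group(1))
        m = RECV_RE.search(line)
        if m and m.group(1) == right:
            replied = True
        if "sending packet" in line or "retransmit" in line:
            sent = True
    if notifies:
        return "peer rejected: " + ", ".join(notifies)
    if replied:
        return "peer replied but the IKE_SA was not established"
    if sent:
        return "no reply from peer (IKE_SA_INIT retransmitted)"
    return "no IKE traffic logged for this connection"


def diagnose(conn_text, secrets_text, ip_addr_output, log_lines):
    """Combine the inputs into a list of findings (strings)."""
    conn = parse_conn(conn_text)
    left, right = conn.get("left"), conn.get("right")
    findings = []
    if left not in local_addresses(ip_addr_output):
        findings.append(f"left={left} is not configured on this node; "
                        "charon cannot send from it (VIP on another member?)")
    if not any(not s or {left, right} <= s for s in psk_selectors(secrets_text)):
        findings.append(f"no PSK line in ipsec.secrets selects {left} and {right}")
    findings.append("IKE: " + classify_log(log_lines, right))
    return findings


# Constructed sample inputs (hypothetical addresses, not from the post).
SAMPLE_CONN = "conn linux-to-cp\n    left=203.0.113.190\n    right=203.0.113.201\n"
SAMPLE_SECRETS = '203.0.113.190 203.0.113.201 : PSK "firewall-linux-pass"\n'
# A node that holds 203.0.113.191 but not the cluster VIP 203.0.113.190.
SAMPLE_IP_ADDR = ("1: lo    inet 127.0.0.1/8 scope host lo\n"
                  "2: eth0    inet 203.0.113.191/24 brd 203.0.113.255 scope global eth0\n")
# Constructed charon-style lines: an initiator that never gets a reply ...
SAMPLE_LOG_NO_REPLY = [
    "05[IKE] initiating IKE_SA linux-to-cp[1] to 203.0.113.201",
    "05[NET] sending packet: from 203.0.113.190[500] to 203.0.113.201[500] (464 bytes)",
    "08[IKE] retransmit 1 of request with message ID 0",
    "11[IKE] giving up after 5 retransmits",
    "11[IKE] establishing IKE_SA failed, peer not responding",
]
# ... and a peer that answers but rejects the IKE proposal.
SAMPLE_LOG_REJECTED = [
    "05[NET] sending packet: from 203.0.113.190[500] to 203.0.113.201[500] (464 bytes)",
    "06[NET] received packet: from 203.0.113.201[500] to 203.0.113.190[500] (36 bytes)",
    "06[IKE] received NO_PROPOSAL_CHOSEN notify error",
]

if __name__ == "__main__":
    for f in diagnose(SAMPLE_CONN, SAMPLE_SECRETS, SAMPLE_IP_ADDR, SAMPLE_LOG_NO_REPLY):
        print(f)
```

On a live node the three inputs would come from the conn section of /etc/ipsec.conf, /etc/ipsec.secrets, `ip -4 -o addr` and `journalctl -u strongswan-starter` (or wherever charon logs); the "no reply from peer" outcome is the one to pair with a `tcpdump -ni <iface> udp port 500 or udp port 4500` on both ends, since it separates a filtered or misrouted IKE_SA_INIT from a configuration mismatch the peer would answer with a notify.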