stronswang tunnel/part of tunnel hang issue with checkpoint fw or checkpoint cluster fw

[EeroV]

Hi All,

I am having issues with checkpoint firewall as sometimes tunnel or part of tunnel (one subnet) just hangs with even with dpdaction=clear

Snippet of config:

conn xxxxx
authby=secret
type=tunnel
left=%defaultroute
leftid=xxxxx
leftsubnet=xxxxx
leftauth=psk
leftfirewall=yes
right=xxxxxx
rightsubnet=x/32,z/32,c/32,b/32
rightauth=psk
ike=aes256-sha256-ecp384
esp=aes256-sha256-ecp384
keyexchange=ikev2
ikelifetime=24h
lifetime=1h
rekeymargin=2m
#make_before_break=yes
keyingtries=3
dpdaction=clear
dpddelay = 30s
closeaction = clear
compress=no
forceencaps=yes
mobike=yes
auto=route

It works fine on other vendors than checkpoint. tunnel always fixes when I terminate it. I assume that this can be related to checkpoint cluster failover, but not on all times.

How to get strongswan working reliable with checkpoint? I am running latest strongswan on debian 12 on aws cloud.

Another weird issue is that when I run ipsec statusall, lines are not showing dpdaction=clear.

ex:

ipsec statusall | grep -i dpd
child: yyyy === xxxx TUNNEL, dpdaction=none

Please help. I will offer free beer to first one to resolve this issue. thanks. Same config works fine with all other vpn vendors.

Eero

[tobiasbrunner]

I am having issues with checkpoint firewall as sometimes tunnel or part of tunnel (one subnet) just hangs with even with dpdaction=clear

Why would that be related to dpdaction?

rightsubnet=x/32,z/32,c/32,b/32

Are you sure Check Point supports this? It doesn't according to our old wiki. You might better configure separate conn entries.

Another weird issue is that when I run ipsec statusall, lines are not showing dpdaction=clear.

That's because internally clear means "take no further action", which results in what you see in the status output.

[EeroV]

Hi @tobiasbrunner and thanks. I think that following settings fixed my checkpoint issues.

• split checkpoint s/a subnets to own connections
• added following settings:
• close_action=trap
• start_action=trap

I will deliver big beer to you. please give your paypal email, so will deliver cash to buy that one.

thanks a lot.

Eero

[tobiasbrunner]

Hehe, that's OK. Just a note: if you already configured start_action=trap, close_action=trap is redundant as the trap policy installed via start_action stays installed when the SA is closed by the peer.

[EeroV]

ok. anyway. it works.