[Openswan Users] NTP/IPSEC/CheckPoint problem

Paul Wouters paul at xelerance.com
Wed Apr 5 07:26:20 CEST 2006


On Tue, 4 Apr 2006, Mauricio Portilho Cavalcanti wrote:

> This is my topology and problem:
>
> MAIL	---	CHECKPOINT	===	IPSEC === MY FW --- NTP SERVER (UDP
> 123)
> SERVER	FW			TUNNEL
>
> I connect from NTP SERVER (10.254.254.3) to MAIL SERVER (192.168.60.7) using
> SSH.
>
> My FW is running openswan 2.2.0-8 and I´m trying to connect MAIL SERVER to
> my NTP server (is a NAT in MY FW) using protocol UDP port 123.
>
> When I try to use ntpdate form MAIL SERVER to NTP SERVER, all I have in logs
> is listed below (auth.log):
>
> Apr  4 21:01:17 MY-FW pluto[14006]: "MYFW-CP" #1444: cannot respond to IPsec
> SA request because no connection is known for my-fw-ipaddr...
> cp-fw-ipaddr.82===cp-fw-ipaddr.84/32

It looks like the checkpoint is building seperate /32 connections for any
connection within a subnet. I have seen this before, though I do not remember
if that was checkpoint. You might "fix" this by making sure the Openswan end
is always the initiator. Try initiating from the openswan end instead of the
checkpoint end, and if that works, set a short keylife on openswan to ensure
it stays the initiator.

> conn MYFW-CP
>         authby=secret
>         left=my-fw-ipaddr
>         leftsubnet=10.254.254.0/24
>         leftnexthop= my-fw-ipaddr-router
>         right= cp-fw-ipaddr.82

Or if you have more IP address on the checkpoint, perhaps you just need
to change the right= to the .84 IP?

> All (except this one) my MAIL SERVERS connects to MY FW using UDP port 123
> (NAT to NTP SERVER). I don´t have access to CheckPoint configuration.

Talking to the ckecpoint guy will help. You can't expect to interoperate
hardware if the humans don't interoperate.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


More information about the Users mailing list