<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1458" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=819151114-19082004><FONT face=Arial
color=#0000ff size=2>Found out that the other end was not a Checkpoint after
all, and that it was really a Nortel Contivity. I had
them</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=819151114-19082004><FONT face=Arial
color=#0000ff size=2>fix the Nortel's default connection timeout and
life is now good.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=819151114-19082004><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=819151114-19082004><FONT face=Arial
color=#0000ff size=2>Thanks all for the help!</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=819151114-19082004><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=819151114-19082004><FONT face=Arial
color=#0000ff size=2>Brent</FONT></SPAN></DIV><BR>
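<DIV dir=ltr align=left><FONT face=Arial size=2>Added example, not part of either message in this thread: a small Python parser for ipsec.conf "conn" sections like the ones quoted below, applying the "conn %default" inheritance Craig mentions and sanity-checking that rekeymargin plus its maximum rekeyfuzz stays below keylife and that rightid is pinned (the Checkpoint peers here send a non-address IKE ID). The sample config is constructed from the values in Craig's "foo" conn; the parser and the check rules are this example's own assumptions, not Openswan's parser or its exact error messages.</FONT></DIV>

```python
import re
# Constructed sample using the values from Craig's "foo" conn and his %default
# section; parser and checks are this example's own, not Openswan's (assumed
# layout: "conn <name>" lines with indented key=value parameters beneath).
SAMPLE_CONF = """\
conn %default
    keyingtries=0
    authby=rsasig
conn foo
    rekeymargin=60m
    rekeyfuzz=0%
    keylife=2h
    authby=secret
    right=4.3.2.1
    rightid=6.7.8.9
"""
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def seconds(value):
    """Convert ipsec.conf time values such as '60m' or '2h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_conf(text):
    """Return {conn: {key: value}} with the %default section merged underneath."""
    conns, current = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1].strip(), {})
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **kv} for name, kv in conns.items()}

def check_conn(conn):
    """Flag a rekey window that cannot fit inside keylife, and a peer whose IKE ID
    is not pinned. Fallbacks are the ipsec.conf(5) defaults (8h, 9m, 100%)."""
    issues = []
    keylife = seconds(conn.get("keylife", "8h"))
    margin = seconds(conn.get("rekeymargin", "9m"))
    fuzz = int(conn.get("rekeyfuzz", "100%").rstrip("%"))
    if margin * (1 + fuzz / 100) >= keylife:
        issues.append("rekeymargin plus max fuzz is not below keylife; rekey cannot start in time")
    if "rightid" not in conn:
        issues.append("no rightid: peer must send its right= address as its IKE ID")
    return issues
```

Running check_conn over each parsed conn before loading a config catches the case where a short keylife (such as the 30m in "bar") is combined with a margin copied from a longer-lived conn.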
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Craig Kelley [mailto:ckelley@ibnads.com]
<BR><B>Sent:</B> Tuesday, August 17, 2004 4:18 PM<BR><B>To:</B> Brent
Foster<BR><B>Cc:</B> Paul Wouters; users@lists.openswan.org<BR><B>Subject:</B>
Re: [Openswan Users] Checkpoint connection problems<BR></FONT><BR></DIV>
<DIV></DIV>Brent Foster wrote:
<BLOCKQUOTE
cite=midC2001A0C9EA97646BED3CB88C1B8A811974919@exchange01.cincy.int-sol.com
type="cite"><PRE wrap="">Keylife of 1h didn't do the trick... I had tried that before anyways.
I ended up writing a quick script to monitor the tunnel and reset it
if there was a problem. Looking at the logs from my script, it appears
to be totally random disconnect times. Any other ideas?
</PRE></BLOCKQUOTE>I don't know if it will help, but here are a couple of
definitions I use against Checkpoint:<BR>
<PRE>#
# VPN-1
#
conn foo
        type=tunnel
        keyexchange=ike
        ikelifetime=8h
        rekeymargin=60m
        rekeyfuzz=0%
        keylife=2h
        compress=no
        auth=esp
        pfs=no
        authby=secret
        # US
        left=1.2.3.4
        leftsubnet=5.6.7.8/23
        leftnexthop=1.2.3.5
        # THEM
        right=4.3.2.1
        rightid=6.7.8.9
        rightsubnet=8.7.6.5/23
        # Bring up connection automatically
        auto=start

#
# Checkpoint NG R-55
#
conn bar
        type=tunnel
        keyexchange=ike
        keylife=30m
        compress=no
        auth=esp
        pfs=no
        authby=secret
        # US
        left=1.2.3.4
        leftsubnet=5.6.7.8/23
        leftnexthop=1.2.3.5
        # THEM
        right=4.3.2.1
        rightid=6.7.8.9
        rightsubnet=8.7.6.5/23
        # Bring up connection automatically
        auto=start
</PRE>The weird thing (well, *one* of the weird things) about
Checkpoint is that all our peers (we don't control their configurations) seem
to advertise their *internal* IP address as the gateway's ipsec ID, which is
why we always have to put in "rightid".<BR><BR>My defaults, in case that
matters:<BR>
<PRE>conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand
</PRE>
<DIV class=moz-signature>-- <BR>Craig Kelley<BR><SPAN
style="COLOR: rgb(184,51,67)">In-Store</SPAN> Broadcasting Network
</DIV></BLOCKQUOTE></BODY></HTML>