<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.6.2">
</HEAD>
<BODY>
<BR>
Hi,<BR>
<BR>
I have a very <I>little</I> problem with an IPsec tunnel between Openswan 2.2.0-8 (Debian stable) and Checkpoint FW-1.<BR>
<BR>
<U>A] My configuration represents this tunnel:</U><BR>
<BR>
<I>west: </I><U>172.16.(49/50).0/24</U> --> <B>[</B>172.16.(49/50).254 / 192.168.1.2<B>]</B> --> {192.168.1.1 / IPEXT1}(cisco)<BR>
==== <BR>
<I>east:</I> <B>[</B>IPEXT2 / 10.234.(120/122).254<B>]</B> --> <U>10.234.(120/122).0/(23/25)</U><BR>
<BR>
The tunnel is established between 192.168.1.2 (via a port redirection from IPEXT1) and IPEXT2.<BR>
<BR>
<U>B] With this ipsec.conf:</U><BR>
<BR>
version 2.0 # conforms to second version of ipsec.conf specification<BR>
<BR>
# basic configuration ---------------------------------------------------------<BR>
config setup<BR>
nat_traversal=yes<BR>
interfaces=%defaultroute<BR>
klipsdebug=control<BR>
plutodebug=control<BR>
uniqueids=yes<BR>
dumpdir=/root<BR>
<BR>
# default configuration -------------------------------------------------------<BR>
conn %default<BR>
#keyingtries=3<BR>
#ikelifetime=3h<BR>
keylife=1h<BR>
#disablearrivalcheck=no<BR>
authby=secret<BR>
left=192.168.1.2<BR>
leftnexthop=192.168.1.1<BR>
right=%any<BR>
rightnexthop=%defaultroute<BR>
esp=aes256-md5<BR>
ike=3des-md5<BR>
pfs=no<BR>
auto=start<BR>
<BR>
# NET TO NET ------------------------------------------------------------------<BR>
conn eastNET1-to-westNET1<BR>
leftsubnet=172.16.49.0/24<BR>
rightsubnet=10.234.120.0/23<BR>
right=81.80.43.10<BR>
<BR>
conn eastNET1-to-westNET2<BR>
leftsubnet=172.16.50.0/24<BR>
rightsubnet=10.234.120.0/23<BR>
right=81.80.43.10<BR>
<BR>
conn eastNET2-to-westNET1<BR>
leftsubnet=172.16.49.0/24<BR>
rightsubnet=10.234.122.0/25<BR>
right=81.80.43.10<BR>
<BR>
conn eastNET2-to-westNET2<BR>
leftsubnet=172.16.50.0/24<BR>
rightsubnet=10.234.122.0/25<BR>
right=81.80.43.10<BR>
<BR>
# GW TO NET -------------------------------------------------------------------<BR>
conn eastGW-to-westNET1<BR>
leftsubnet=172.16.49.0/24<BR>
right=81.80.43.10<BR>
<BR>
conn eastGW-to-westNET2<BR>
leftsubnet=172.16.50.0/24<BR>
right=81.80.43.10<BR>
<BR>
# NET TO GW -------------------------------------------------------------------<BR>
conn eastNET1-to-westGW<BR>
rightsubnet=10.234.120.0/23<BR>
right=81.80.43.10<BR>
<BR>
conn eastNET2-to-westGW<BR>
rightsubnet=10.234.122.0/25<BR>
right=81.80.43.10<BR>
<BR>
# GW TO GW --------------------------------------------------------------------<BR>
conn eastGW-to-westGW<BR>
right=81.80.43.10<BR>
<BR>
# Disable Opportunistic Encryption<BR>
include /etc/ipsec.d/examples/no_oe.conf<BR>
<BR>
<U>C] My problem is:</U><BR>
<BR>
I have to issue a ping from <B>172.16.49.0/24</B> to <B>10.234.120.0/23</B> (swan->fw-1) before the ping from <B>10.234.120.0/23</B> to <B>172.16.49.0/24</B> (fw-1->swan) works.<BR>
If I do this first ping, all is OK on both sides. But it works for about 10 minutes.<BR>
After these 10 minutes, I have to re-issue a ping.<BR>
<BR>
The same thing occurs between the subnets <B>172.16.49.0/24</B> and <B>10.234.122.0/25</B>, for example.<BR>
<BR>
The strangest thing I can say is that no log is written while performing this operation:<BR>
The logs are verbose (with 'control' or 'all') while the tunnel comes up, then everything works fine for 10 minutes.<BR>
But when the ping is not possible and then becomes possible when I issue the first ping, there are no logs.<BR>
<BR>
Any idea?<BR>
<BR>
Thanks for any piece of answer.<BR>
<BR>
DIAS DA SILVA Loïc.
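<BR>
Added example (not the poster's code, nor Openswan's): a small parser for the ipsec.conf format posted above that applies the <TT>conn %default</TT> inheritance and prints the effective traffic selector pair of each conn, which is what has to match on the Checkpoint side for a given subnet pair; it assumes the three conns embedded below as a constructed subset of the posted file.<BR>

```python
# Added example (not the poster's code). Sections are detected by the 'conn NAME'
# keyword because the mail lost the indentation ipsec.conf normally relies on.
import ipaddress
# Constructed input: a subset of the posted ipsec.conf (comments dropped).
IPSEC_CONF = """
conn %default
left=192.168.1.2
right=%any
auto=start
conn eastNET1-to-westNET1
leftsubnet=172.16.49.0/24
rightsubnet=10.234.120.0/23
right=81.80.43.10
conn eastGW-to-westNET1
leftsubnet=172.16.49.0/24
right=81.80.43.10
conn eastGW-to-westGW
right=81.80.43.10
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' and every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments, whitespace
        if line.startswith(("config ", "conn ")):  # section header
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif "=" in line and current is not None:  # key=value inside a section
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def effective_conns(sections):
    """Apply 'conn %default': a conn's own keys override the inherited ones."""
    defaults = sections.get("%default", {})
    return {name: {**defaults, **params} for name, params in sections.items()
            if name not in ("setup", "%default")}

def selectors(conn):
    """(left, right) selectors; a side with no *subnet is its gateway's own /32."""
    def side(prefix):
        host = conn[prefix]
        if prefix + "subnet" in conn:
            return str(ipaddress.ip_network(conn[prefix + "subnet"]))
        return host if host.startswith("%") else host + "/32"  # %any stays symbolic
    return side("left"), side("right")

if __name__ == "__main__":
    for name, conn in effective_conns(parse_ipsec_conf(IPSEC_CONF)).items():
        print(f"{name:24s} {selectors(conn)[0]:>18s} <-> {selectors(conn)[1]}")
```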
</BODY>
</HTML>