<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.6.2">
</HEAD>
<BODY>
<BR>
Hi,<BR>
<BR>
I have a very <I>little</I> appointment with an ipsec tunnel between openswan 2.2.0-8 (debian stable) and checkpoint fw-1.<BR>
<BR>
<U>A] My configuration represents this tunnel :</U><BR>
<BR>
<I>west: </I><U>172.16.(49/50).0/24</U> --> <B>[</B>172.16.(49/50).254 / 192.168.1.2<B>]</B> --> {192.168.1.1 / IPEXT1}(cisco)<BR>
==== <BR>
<I>east:</I> <B>[</B>IPEXT2 / 10.234.(120/122).254<B>]</B> --> <U>10.234.(120/122).0/(23/25)</U><BR>
<BR>
the tunnel is established between 192.168.1.2(via a port redirection from IPEXT1) and IPEXT2<BR>
<BR>
<U>B] with this ipsec.conf :</U><BR>
<BR>
version 2.0 # conforms to second version of ipsec.conf specification<BR>
<BR>
# basic configuration ---------------------------------------------------------<BR>
config setup<BR>
nat_traversal=yes<BR>
interfaces=%defaultroute<BR>
klipsdebug=control<BR>
plutodebug=control<BR>
uniqueids=yes<BR>
dumpdir=/root<BR>
<BR>
# default configuration -------------------------------------------------------<BR>
conn %default<BR>
#keyingtries=3<BR>
#ikelifetime=3h<BR>
keylife=1h<BR>
#disablearrivalcheck=no<BR>
authby=secret<BR>
left=192.168.1.2<BR>
leftnexthop=192.168.1.1<BR>
right=%any<BR>
rightnexthop=%defaultroute<BR>
esp=aes256-md5<BR>
ike=3des-md5<BR>
pfs=no<BR>
auto=start<BR>
<BR>
# NET TO NET ------------------------------------------------------------------<BR>
conn eastNET1-to-westNET1<BR>
leftsubnet=172.16.49.0/24<BR>
rightsubnet=10.234.120.0/23<BR>
right=81.80.43.10<BR>
<BR>
conn eastNET1-to-westNET2<BR>
leftsubnet=172.16.50.0/24<BR>
rightsubnet=10.234.120.0/23<BR>
right=81.80.43.10<BR>
<BR>
conn eastNET2-to-westNET1<BR>
leftsubnet=172.16.49.0/24<BR>
rightsubnet=10.234.122.0/25<BR>
right=81.80.43.10<BR>
<BR>
conn eastNET2-to-westNET2<BR>
leftsubnet=172.16.50.0/24<BR>
rightsubnet=10.234.122.0/25<BR>
right=81.80.43.10<BR>
<BR>
# GW TO NET -------------------------------------------------------------------<BR>
conn eastGW-to-westNET1<BR>
leftsubnet=172.16.49.0/24<BR>
right=81.80.43.10<BR>
<BR>
conn eastGW-to-westNET2<BR>
leftsubnet=172.16.50.0/24<BR>
right=81.80.43.10<BR>
<BR>
# NET TO GW -------------------------------------------------------------------<BR>
conn eastNET1-to-westGW<BR>
rightsubnet=10.234.120.0/23<BR>
right=81.80.43.10<BR>
<BR>
conn eastNET2-to-westGW<BR>
rightsubnet=10.234.122.0/25<BR>
right=81.80.43.10<BR>
<BR>
# GW TO GW --------------------------------------------------------------------<BR>
conn eastGW-to-westGW<BR>
right=81.80.43.10<BR>
<BR>
# Disable Opportunistic Encryption<BR>
include /etc/ipsec.d/examples/no_oe.conf<BR>
<BR>
<U>C] My problem is :</U><BR>
<BR>
I have to issue a ping from <B>172.16.49.0/24</B> to <B>10.234.120.0/23</B> (swan->fw-1) before the ping from <B>10.234.120.0/23</B> to <B>172.16.49.0/24</B> (fw-1->swan) works.<BR>
If i do this first ping, all is ok, in the two sides. But it works for about 10 minutes.<BR>
After these 10 minutes, i have to re-issue a ping.<BR>
<BR>
The same thing occurs between the subnets <B>172.16.49.0/24</B> and <B>10.234.122.0/25 </B>for example<B>.</B><BR>
<BR>
The more strange thing i can say is that no log is written while performing this operation :<BR>
The logs are verbose (with 'control' or 'all') while the tunnel mounts, then all works fine between 10 minutes.<BR>
But when the ping is not possible and then becomes possible when i issue the first ping, there is no logs.<BR>
<BR>
Any idea ?<BR>
<BR>
Thanks for any piece of answer.<BR>
<BR>
<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
--<BR>
DIAS DA SILVA Loïc<BR>
Chef de projet technique<BR>
Ingénieur des systèmes GNU/Linux<BR>
France Télécom VSOL<BR>
<B><FONT SIZE="1">Tél</FONT></B><FONT SIZE="1">: 01.58.94.37.36</FONT><BR>
<FONT SIZE="1"><FONT COLOR="#ccffcc">Key fingerprint = 3277 5D67 41C9 D6A5 6267 5D78 0DF0 88CE C43C AAA2</FONT></FONT>
</TD>
</TR>
</TABLE>
</BODY>
<!--[object_id=#SID=01050000000000051500000079c20a2f2b66477cbea04cfda5240000#]--><FONT face=Arial size=2>
<P><FONT color=#000033><FONT size=2></FONT></FONT> </P>
<P><FONT color=#000033><FONT size=2>***********************************<BR></FONT><FONT size=2>Ce message et toutes les pieces jointes (ci-apres le "message") sont confidentiels et etablis a l'intention exclusive de ses destinataires.</FONT></FONT><FONT color=#000033 size=2>Toute utilisation ou diffusion non autorisee est interdite.Tout message electronique est susceptible d'alteration. Le Groupe France Telecom decline toute responsabilite au titre de ce message s'il a ete altere, deforme ou falsifie.<BR>Si vous n'etes pas destinataire de ce message, merci de le detruire immediatement et d'avertir l'expediteur.<BR></FONT><FONT color=#000033 size=2>***********************************<BR></FONT><FONT color=#000033><FONT size=2>This message and any attachments (the "message") are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited.Messages are susceptible to alteration. France Telecom Group shall not be liable for the message if altered, changed or falsified.<BR></FONT><FONT size=2>I</FONT></FONT><FONT color=#000033><FONT size=2>f you are not receiver of this message, please cancel it immediately and inform the sender.<BR></FONT><FONT size=2>************************************</FONT></FONT></P></FONT></HTML>