[Openswan Users] Checkpoint connection problems

Brent Foster Brent.Foster at int-sol.com
Sun Aug 15 17:06:02 CEST 2004


Hi,

I'm running Openswan 2.1.5 and have about 10 tunnels active on the
system.  Just created a new connection to a Checkpoint FW1 box and the
tunnel works fine, except that it will stop working after a few hours.
Sometimes it will auto-recover, sometimes I have to -down and -up the
tunnel.  In all cases Openswan thinks the tunnel is up and will route
traffic across the ipsec0 interface.  I think the problem is on the
Checkpoint end (as I have other tunnels that are connected to different
Checkpoint boxes that work just fine).  The Checkpoint admin swears the
problem is on my end.

I saw a link at
http://wiki.openswan.org/index.php/interoperatingCheckpoint
that described this problem and pointed me to a specific message on the
mailing list archives that doesn't exist anymore
(http://lists.openswan.org/archives/users/2003-October/msg00293.html).

Does anyone know anything about this problem, or have any ideas on how
to fix it?

Here is a copy of this tunnel's status info:

000 "ag1": 172.16.0.248/29===x.x.x.2[S=C]---x.x.x.1...y.y.y.30[S=C]===10.239.64.20/32; erouted; eroute owner: #17
000 "ag1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ag1":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 29,32; interface: eth0;
000 "ag1":   newest ISAKMP SA: #0; newest IPsec SA: #17;
000 #17: "ag1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 13434s; newest IPSEC; eroute owner
000 #17: "ag1" used 107s ago; esp.1da6ce@y.y.y.30 esp.2f784097@x.x.x.2 tun.1016@y.y.y.30 tun.1015@x.x.x.2

 

conn ag1
        type=tunnel
        left=x.x.x.2
        leftnexthop=x.x.x.1
        leftsubnet=172.16.0.248/29
        leftid=<id>
        right=y.y.y.30
        rightsubnet=10.239.64.20/32
        keyexchange=ike
        keylife=8h
        auth=esp
        pfs=no
        auto=start
        authby=secret

Thanks,

Brent

 

 
