[Openswan Users] Checkpoint connection problems

Brent Foster Brent.Foster at int-sol.com
Thu Aug 19 11:20:18 CEST 2004


Found out that the other end was not a Checkpoint after all, and that it
was really a Nortel Contivity.  I had them
fix the Nortel's default connection timeout and life is now good.
 
Thanks all for the help!
 
Brent


________________________________

	From: Craig Kelley [mailto:ckelley at ibnads.com] 
	Sent: Tuesday, August 17, 2004 4:18 PM
	To: Brent Foster
	Cc: Paul Wouters; users at lists.openswan.org
	Subject: Re: [Openswan Users] Checkpoint connection problems
	
	
	Brent Foster wrote: 

		Keylife of 1h didn't do the trick... I had tried that before anyways.
		I ended up writing a quick script to monitor the tunnel and reset it
		if there was a problem.  Looking at the logs from my script, it appears
		to be totally random disconnect times. Any other ideas?

	I don't know if it will help, but here are a couple of definitions I
	use against Checkpoint:
	
	#
	# VPN-1
	#
	conn foo
	        type=tunnel
	        keyexchange=ike
	        ikelifetime=8h
	        rekeymargin=60m
	        rekeyfuzz=0%
	        keylife=2h
	        compress=no
	        auth=esp
	        pfs=no
	        authby=secret
	        # US
	        left=1.2.3.4
	        leftsubnet=5.6.7.8/23
	        leftnexthop=1.2.3.5
	        # THEM
	        right=4.3.2.1
	        rightid=6.7.8.9
	        rightsubnet=8.7.6.5/23
	        # Bring up connection automatically
	        auto=start
	
	#
	# Checkpoint NG R-55
	#
	conn bar
	        type=tunnel
	        keyexchange=ike
	        keylife=30m
	        compress=no
	        auth=esp
	        pfs=no
	        authby=secret
	        # US
	        left=1.2.3.4
	        leftsubnet=5.6.7.8/23
	        leftnexthop=1.2.3.5
	        # THEM
	        right=4.3.2.1
	        rightid=6.7.8.9
	        rightsubnet=8.7.6.5/23
	        # Bring up connection automatically
	        auto=start
	
	
	The weird thing (well, *one* of the weird things) about
	Checkpoint, is that all our peers (we don't control their
	configurations) seem to advertise their *internal* IP address as the
	gateway's ipsec ID, which is why we always have to put in "rightid".
	
	My defaults, in case that matters:
	
	conn %default
	        keyingtries=0
	        disablearrivalcheck=no
	        authby=rsasig
	        leftrsasigkey=%dnsondemand
	        rightrsasigkey=%dnsondemand
	
	
	-- 
	Craig Kelley
	In-Store Broadcasting Network 
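The lifetimes in the conn definitions above interact: Openswan starts rekeying rekeymargin before keylife expires, and rekeyfuzz can randomly stretch that margin, so a short keylife with the default margin never rekeys cleanly. The following added example (not code from either poster or from the Openswan project) parses conn sections in the quoted style, merges conn %default into each conn, and computes the rekey window; the sample config and the extra conn "baz" are constructed, and the default values assumed are Openswan's documented ones (keylife 8h, rekeymargin 9m, rekeyfuzz 100%).

```python
import re

# Constructed sample modelled on the conn definitions quoted in the thread;
# "baz" is added to show a keylife shorter than the fuzzed rekeymargin.
SAMPLE_CONF = """\
conn %default
        keyingtries=0
        rekeymargin=9m
        rekeyfuzz=100%

conn foo
        keylife=2h
        ikelifetime=8h
        rekeymargin=60m
        rekeyfuzz=0%

conn bar
        keylife=30m

conn baz
        keylife=10m
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(text):
    """Convert an ipsec.conf time value such as '30m' or '8h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text.strip())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conns(text):
    """Return {name: settings} with conn %default merged into every other conn."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value
    default = conns.pop("%default", {})
    return {name: {**default, **cfg} for name, cfg in conns.items()}

def rekey_window(cfg):
    """(earliest, latest) seconds after SA setup at which rekeying can start."""
    keylife = parse_duration(cfg.get("keylife", "8h"))        # assumed defaults
    margin = parse_duration(cfg.get("rekeymargin", "9m"))
    fuzz = int(cfg.get("rekeyfuzz", "100%").rstrip("%")) / 100.0
    return keylife - int(margin * (1 + fuzz)), keylife - margin

def lint(text):
    """Flag conns whose fuzzed rekeymargin can exceed keylife."""
    return {name: "rekeymargin*(1+rekeyfuzz) exceeds keylife"
            for name, cfg in parse_conns(text).items() if rekey_window(cfg)[0] < 0}
```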
