[Openswan Users] Re: opens/wan <-> nokia checkpoint seems to persist in trying a 'weird IPsec SA' / what does [S-C] indicate in the log ?

Paul Wouters paul at xelerance.com
Wed Jun 22 17:42:30 CEST 2005

On Wed, 22 Jun 2005, Albert Siersema wrote:

> I'm trying to set up a network<->network (tunnel mode) tunnel with a Nokia
> Checkpoint firewall. No problems with freeswan but after upgrading to
> openswan we're in trouble.
> The network<->network tunnel (ISAKMP+IPsec SA) seems to be up and running with
> this config:
>        auth=esp
>        authby=secret
>        pfs=yes
>        leftsendcert=no
>        left=a.b.c.d
>        leftsubnet=
>        right=e.f.g.h
>        rightsubnet=
>        ikelifetime=480m
>        keylife=28800
>        type=tunnel
> (yes I know, tunnel is the default type anyway and 480m == 28800 :-).
> At least, the log file states "IPsec SA established" (along with ISAKMP SA of
> course) and I'm able to ping a host in the 10.1 network.
> However, the log files keep mentioning:
> cannot respond to IPsec SA request because no connection is known for

These are all /32's and not /16's. Perhaps you need to change an option from IPADDR
to SUBNET on your Nokia?

