[Openswan Users]
Re: opens/wan <-> nokia checkpoint seems to persist in trying a
'weird IPsec SA' / what does [S-C] indicate in the log ?
Paul Wouters
paul at xelerance.com
Wed Jun 22 17:42:30 CEST 2005
On Wed, 22 Jun 2005, Albert Siersema wrote:
> I'm trying to set up a network<->network (tunnel mode) tunnel with a nokia
> checkpoint firewall. No problems with freeswan but after upgrading to
> openswan we're in trouble.
>
> The network<->network tunnel (ISAKMP+IPsec SA) seems to be up&running with
> this config:
>
> auth=esp
> authby=secret
> pfs=yes
> leftsendcert=no
> left=a.b.c.d
> leftsubnet=10.0.0.0/255.255.0.0
> right=e.f.g.h
> rightsubnet=10.1.0.0/255.255.0.0
> ikelifetime=480m
> keylife=28800
> type=tunnel
>
> (yes I know, tunnel is the default type anyway and 480m == 28800 :-).
> At least, the log file states "IPsec SA established" (along with ISAKMP SA of
> course) and I'm able to ping a host in the 10.1 network.
>
> However, the log files keep mentioning:
>
> cannot respond to IPsec SA request because no connection is known for
> 10.0.0.12/32===a.b.c.d[S-C]...e.f.g.h===10.1.9.100/32

These are all /32's and not /16's. Perhaps you need to change an option from
IPADDR to SUBNET on your Nokia?

Paul
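
Added example (not part of the original message, and not Openswan code): a small Python check that parses the "no connection is known for" line quoted above and compares the selectors the peer proposed with the conn's leftsubnet/rightsubnet. It assumes the first selector in the log line belongs to the left side, as in the post; the names diagnose, SELECTOR_RE, LOG_LINE and CONN are hypothetical.

```python
import ipaddress
import re

# Log line quoted in the post; the gateway addresses are redacted there.
LOG_LINE = ("cannot respond to IPsec SA request because no connection is known "
            "for 10.0.0.12/32===a.b.c.d[S-C]...e.f.g.h===10.1.9.100/32")

# Subnets from the conn quoted in the post.
CONN = {"leftsubnet": "10.0.0.0/255.255.0.0",
        "rightsubnet": "10.1.0.0/255.255.0.0"}

# Layout of the logged tuple: client===gateway[flags]...gateway[flags]===client
SELECTOR_RE = re.compile(
    r"no connection is known for\s+"
    r"(?P<left>[0-9./]+)===[^\[\s]+?(?:\[[^\]]*\])?"
    r"\.\.\.[^\[=\s]+(?:\[[^\]]*\])?===(?P<right>[0-9./]+)")


def diagnose(line, conn):
    """Compare the selectors in a log line with the configured subnets.

    Returns None if the line is not a 'no connection is known' message,
    otherwise {key: (proposed, configured, verdict)} for both sides.
    """
    m = SELECTOR_RE.search(line)
    if m is None:
        return None
    result = {}
    for side, key in (("left", "leftsubnet"), ("right", "rightsubnet")):
        proposed = ipaddress.ip_network(m.group(side), strict=False)
        configured = ipaddress.ip_network(conn[key], strict=False)
        if proposed == configured:
            verdict = "match"
        elif proposed.subnet_of(configured):
            # A host or smaller net inside the configured subnet: the
            # /32-versus-/16 mismatch pointed out in the reply.
            verdict = "narrower"
        else:
            verdict = "outside"
        result[key] = (str(proposed), str(configured), verdict)
    return result


if __name__ == "__main__":
    for key, (proposed, configured, verdict) in diagnose(LOG_LINE, CONN).items():
        print(f"{key}: peer proposed {proposed}, conn has {configured} -> {verdict}")
```
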