[Openswan Users]
checkpoint->openS/WAN tries to initiate /32 IPsec SA for every NEW
connection [the REAL message]
Albert Siersema
appie at friendly.net
Thu Jun 23 10:20:45 CEST 2005
[ darn, trembly finger random message sent, urgh, discard previous message
i'll try to finish this one without sending it :) ]
Hello all,
To clear up and eleborate on my previous post, I discovered that the
checkpoint firewall tries to setup seperate IPsec SAs for every single
host (/32) that initiates a new connection (NEW from a stateful firewall
state machine perspective, e.g. ICMP ping echo request, TCP with SYN, etc.)
Connections from openswan to checkpoint and corresponding reply traffic
are tunneled without any problems.
I know this probably is a checkpoint issue, but since I couldn't get
any answers from checkpoint knowhowwies (or googling or interop docs)
and there's after all an IPsec crowd on this list i was hoping that
someone can point me in a direction where to look (or rather have
someone look) in checkpoint to fix this.
The quote my own previous message, this shows up in the firewall logs:
cannot respond to IPsec SA request because no connection is known for
10.0.0.12/32===a.b.c.d[S-C]...e.f.g.h===10.1.9.100/32
sending encrypted notification INVALID_MESSAGE_ID to e.f.g.h:500
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0xaaaaaaaaa (perhaps this is a duplicated packet)
TIA,
Albert
More information about the Users
mailing list