[Openswan Users] checkpoint->openS/WAN tries to initiate /32 IPsec SA for every NEW connection [the REAL message]

Albert Siersema appie at friendly.net
Thu Jun 23 10:20:45 CEST 2005


[ darn, trembly finger random message sent, urgh, discard previous message
   i'll try to finish this one without sending it :) ]

Hello all,

To clear up and elaborate on my previous post, I discovered that the
checkpoint firewall tries to setup separate IPsec SAs for every single
host (/32) that initiates a new connection (NEW from a stateful firewall
state machine perspective, e.g. ICMP ping echo request, TCP with SYN, etc.)
Connections from openswan to checkpoint and corresponding reply traffic
are tunneled without any problems.

I know this probably is a checkpoint issue, but since I couldn't get
any answers from checkpoint knowhowwies (or googling or interop docs)
and there's after all an IPsec crowd on this list, I was hoping that
someone can point me in a direction where to look (or rather have
someone look) in checkpoint to fix this.

To quote my own previous message, this shows up in the firewall logs:

cannot respond to IPsec SA request because no connection is known for
10.0.0.12/32===a.b.c.d[S-C]...e.f.g.h===10.1.9.100/32

sending encrypted notification INVALID_MESSAGE_ID to e.f.g.h:500
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0xaaaaaaaaa (perhaps this is a duplicated packet)

TIA,
Albert
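A small diagnostic for the pluto log lines quoted in the post above, added here as an example and not part of the original message or of Openswan itself: it parses the "no connection is known for" selectors and reports which of the peer's per-host /32 pairs actually fall inside the subnets the tunnel is meant to cover (the per-host narrowing described in the post) versus selectors that are genuinely outside them. The gateway addresses, the 10.0.0.0/24 and 10.1.9.0/24 subnets and the sample log lines are constructed assumptions; the wrapped log line from the post is joined onto one line here.

```python
import ipaddress
import re

# Constructed sample of pluto output in the shape quoted in the post:
#   cannot respond to IPsec SA request because no connection is known for
#   <our client>===<our gateway>[S-C]...<peer gateway>===<peer client>
# Gateway addresses are documentation-range placeholders.
SAMPLE_LOG = """\
cannot respond to IPsec SA request because no connection is known for 10.0.0.12/32===192.0.2.1[S-C]...198.51.100.1===10.1.9.100/32
cannot respond to IPsec SA request because no connection is known for 10.0.0.12/32===192.0.2.1[S-C]...198.51.100.1===10.1.9.101/32
cannot respond to IPsec SA request because no connection is known for 10.0.0.37/32===192.0.2.1[S-C]...198.51.100.1===10.1.9.100/32
cannot respond to IPsec SA request because no connection is known for 172.16.5.9/32===192.0.2.1[S-C]...198.51.100.1===10.1.9.100/32
sending encrypted notification INVALID_MESSAGE_ID to 198.51.100.1:500
"""

# Subnets the tunnel is expected to cover (assumed values standing in for
# the leftsubnet=/rightsubnet= pair of the relevant ipsec.conf connection).
LOCAL_SUBNET = ipaddress.ip_network("10.0.0.0/24")
REMOTE_SUBNET = ipaddress.ip_network("10.1.9.0/24")

PATTERN = re.compile(
    r"no connection is known for\s+"
    r"(?P<local>\S+?)===(?P<lgw>\S+?)\.\.\.(?P<rgw>\S+?)===(?P<remote>\S+)"
)


def rejected_selectors(log_text):
    """Return the (our client, peer client) network pairs pluto refused."""
    pairs = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            pairs.append((ipaddress.ip_network(m["local"]),
                          ipaddress.ip_network(m["remote"])))
    return pairs


def classify(log_text, local_subnet, remote_subnet):
    """Split refused selectors into per-host narrowings of the expected
    subnets (the symptom in the post) and selectors outside them."""
    narrowed, foreign = [], []
    for local, peer in rejected_selectors(log_text):
        if local.subnet_of(local_subnet) and peer.subnet_of(remote_subnet):
            narrowed.append((str(local), str(peer)))
        else:
            foreign.append((str(local), str(peer)))
    return {"narrowed": narrowed, "foreign": foreign}


if __name__ == "__main__":
    result = classify(SAMPLE_LOG, LOCAL_SUBNET, REMOTE_SUBNET)
    print(f"{len(result['narrowed'])} per-host narrowings of the expected subnets")
    print(f"{len(result['foreign'])} selectors outside the expected subnets")
```

A long run of "narrowed" entries confirms the peer is proposing per-host SAs for a subnet the responder only knows as a whole, which is the interop question the post raises; "foreign" entries point at a selector that really is missing from the configuration.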
