[Openswan Users] checkpoint NG AI and Openswan 2.1.2

Warnes, Jason SktnHR jason.warnes at saskatoonhealthregion.ca
Fri Mar 11 11:44:37 CET 2005

I'm new to the list, but I hope this helps.

I was running into a similar no valid SA problem with my Cisco PIX.  The
problem I had was that for each subnet that is defined on the PIX side
of the VPN I needed a corresponding conn definition in my ipsec.conf file.
I couldn't use a generic conn definition that covered all the subnets with a
larger mask.  So basically what this did was make separate SAD entries for
each subnet I was going to on my Linux box.

When your tunnel is up, check to see how many SAD entries you have and
compare that to how many your Checkpoint is expecting.  There should be a
way to see that on your Checkpoint.  Then just make sure that all the SPI
numbers line up to each subnet properly.


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Ji Hui
Sent: Friday, March 11, 2005 9:19 AM
To: users at openswan.org
Subject: [Openswan Users] checkpoint NG AI and Openswan 2.1.2


I was trying to configure site-to-site VPN with my partner who is using
Checkpoint NG AI R55.

I could establish the VPN from openswan to NG, but the other direction
failed. And sometimes, the packets were dropped by NG, complaining no valid

Any advice? 

thank you.
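
Added example, not part of either message and not Openswan code: a small Python check for the mismatch described in the reply, where the peer gateway defines several subnets but ipsec.conf covers them with one conn using a larger mask. The conn names, addresses and the peer subnet list are constructed, and the peer's networks are assumed to be on the `rightsubnet` side.

```python
import ipaddress

# Constructed sample ipsec.conf: conn names and addresses are made up.
SAMPLE_CONF = """\
conn peer-all
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=172.16.0.0/16

conn peer-net1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=172.16.1.0/24
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each conn section in ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented line starts a section
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line: # indented key=value line
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit(conf_text, peer_subnets):
    """Classify each peer subnet as 'exact', 'supernet-only' or 'missing'."""
    # Assumption: the peer's networks are configured as rightsubnet.
    defined = [ipaddress.ip_network(c["rightsubnet"])
               for c in parse_conns(conf_text).values() if "rightsubnet" in c]
    report = {}
    for s in peer_subnets:
        net = ipaddress.ip_network(s)
        if net in defined:
            report[s] = "exact"          # a conn exists for exactly this subnet
        elif any(d.version == net.version and net.subnet_of(d) for d in defined):
            report[s] = "supernet-only"  # only covered by a larger mask
        else:
            report[s] = "missing"        # no conn covers it at all
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, ["172.16.1.0/24", "172.16.2.0/24", "192.168.5.0/24"]))
```

Subnets reported as `supernet-only` or `missing` are the ones that, per the reply above, need their own conn definition so that a separate SAD entry exists for each.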