[Openswan Users]
[Checkpoint inter-operability] Ping A->B must be issued before ping B->A works
DIAS DA SILVA Loïc
ldiasdasilva at alapage.com
Wed Nov 2 11:56:01 CET 2005
Hi,
I have a small problem with an IPsec tunnel between Openswan 2.2.0-8
(Debian stable) and Checkpoint FW-1.
A] My configuration is this tunnel:
west: 172.16.(49/50).0/24 --> [172.16.(49/50).254 / 192.168.1.2] -->
{192.168.1.1 / IPEXT1}(cisco)
====
east: [IPEXT2 / 10.234.(120/122).254] --> 10.234.(120/122).0/(23/25)
The tunnel is established between 192.168.1.2 (via a port redirection
from IPEXT1) and IPEXT2.
B] With this ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration ---------------------------------------------------------
config setup
    nat_traversal=yes
    interfaces=%defaultroute
    klipsdebug=control
    plutodebug=control
    uniqueids=yes
    dumpdir=/root

# default configuration -------------------------------------------------------
conn %default
    #keyingtries=3
    #ikelifetime=3h
    keylife=1h
    #disablearrivalcheck=no
    authby=secret
    left=192.168.1.2
    leftnexthop=192.168.1.1
    right=%any
    rightnexthop=%defaultroute
    esp=aes256-md5
    ike=3des-md5
    pfs=no
    auto=start

# NET TO NET ------------------------------------------------------------------
conn eastNET1-to-westNET1
    leftsubnet=172.16.49.0/24
    rightsubnet=10.234.120.0/23
    right=81.80.43.10

conn eastNET1-to-westNET2
    leftsubnet=172.16.50.0/24
    rightsubnet=10.234.120.0/23
    right=81.80.43.10

conn eastNET2-to-westNET1
    leftsubnet=172.16.49.0/24
    rightsubnet=10.234.122.0/25
    right=81.80.43.10

conn eastNET2-to-westNET2
    leftsubnet=172.16.50.0/24
    rightsubnet=10.234.122.0/25
    right=81.80.43.10

# GW TO NET -------------------------------------------------------------------
conn eastGW-to-westNET1
    leftsubnet=172.16.49.0/24
    right=81.80.43.10

conn eastGW-to-westNET2
    leftsubnet=172.16.50.0/24
    right=81.80.43.10

# NET TO GW -------------------------------------------------------------------
conn eastNET1-to-westGW
    rightsubnet=10.234.120.0/23
    right=81.80.43.10

conn eastNET2-to-westGW
    rightsubnet=10.234.122.0/25
    right=81.80.43.10

# GW TO GW --------------------------------------------------------------------
conn eastGW-to-westGW
    right=81.80.43.10

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
C] My problem is:
I have to issue a ping from 172.16.49.0/24 to 10.234.120.0/23
(swan->fw-1) before a ping from 10.234.120.0/23 to 172.16.49.0/24
(fw-1->swan) works.
If I do this first ping, all is OK on both sides, but it only works for
about 10 minutes. After these 10 minutes, I have to re-issue a ping.
The same thing occurs between the subnets 172.16.49.0/24 and
10.234.122.0/25, for example.
The strangest thing I can say is that no log is written while this
happens: the logs are verbose (with 'control' or 'all') while the tunnel
comes up, then everything works fine for 10 minutes. But when the ping
is not possible and then becomes possible after I issue the first ping,
there are no logs.
I've solved the problem by issuing three pings every second from a server
in the range 172.16.49.0/24 to the other endpoint, but it is not a good
solution, as you can imagine.
Any idea?
Thanks for any answer.
--
DIAS DA SILVA Loïc
Technical project manager
GNU/Linux systems engineer
France Télécom VSOL
Tel: 01.58.94.37.36
Key fingerprint = 3277 5D67 41C9 D6A5 6267 5D78 0DF0 88CE C43C AAA2
***********************************
This message and any attachments (the "message") are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited. Messages are susceptible to alteration. France Telecom Group shall not be liable for the message if altered, changed or falsified.
If you are not the intended recipient of this message, please delete it immediately and inform the sender.
***********************************
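The post never says whether Pluto still holds an IPsec SA for the subnet pair at the moment the fw-1->swan ping fails, and that is the first thing to check: if the SA is still listed, the inbound ESP never reached the Openswan box (which would also explain the silent logs); if it is gone, the problem is rekeying or SA deletion. The script below is an added example, not code from the original post or from the Openswan project. It parses the output of `ipsec auto --status`, the status command Openswan 2.x provides, and reports per conn whether an ISAKMP (phase 1) SA exists with its peer and whether an IPsec (phase 2) SA is established, with the seconds until Pluto replaces it. Pluto lists the ISAKMP SA only under the conn that negotiated it and the other conns to the same peer reuse it, so phase 1 is judged per peer. The sample status text is constructed in the Pluto format using the conn names and addresses of the posted config; its SPIs, state numbers and timers are invented, and the `--live` switch and function names are this example's own. Separately, the posted proposals (ike=3des-md5, esp=aes256-md5, pfs=no) are weak by current standards, though independent of this symptom.

```python
"""Per-conn SA check for Openswan 2.x, fed by `ipsec auto --status` output."""
import re
import subprocess
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (not captured from the poster's gateway): Pluto's status
# format with the conn names and addresses of the posted ipsec.conf; the SPIs,
# state numbers and timers are invented.
SAMPLE_STATUS = """\
000 "eastGW-to-westGW": 192.168.1.2---192.168.1.1...81.80.43.10; unrouted; eroute owner: #0
000 "eastNET1-to-westNET1": 172.16.49.0/24===192.168.1.2---192.168.1.1...81.80.43.10===10.234.120.0/23; erouted; eroute owner: #2
000 "eastNET1-to-westNET2": 172.16.50.0/24===192.168.1.2---192.168.1.1...81.80.43.10===10.234.120.0/23; prospective erouted; eroute owner: #0
000 "eastNET2-to-westNET1": 172.16.49.0/24===192.168.1.2---192.168.1.1...81.80.43.10===10.234.122.0/25; erouted; eroute owner: #4
000 #1: "eastNET1-to-westNET1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2489s; newest ISAKMP
000 #2: "eastNET1-to-westNET1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2503s; newest IPSEC; eroute owner
000 #2: "eastNET1-to-westNET1" esp.a1b2c3d4@81.80.43.10 esp.e5f6a7b8@192.168.1.2 tun.1001@81.80.43.10 tun.1002@192.168.1.2
000 #3: "eastNET1-to-westNET2" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s
000 #4: "eastNET2-to-westNET1" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3100s; newest IPSEC; eroute owner
"""

# 000 "name": leftsubnet===left---nexthop...right===rightsubnet; erouted; ...
CONN_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<desc>.*)$')
PEER_RE = re.compile(r'\.\.\.(?P<peer>[0-9A-Za-z.:%]+)')
# 000 #2: "name" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2503s; ...
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_\w+) \((?P<what>[^)]*)\)'
    r'(?:; (?P<event>EVENT_\w+) in (?P<secs>\d+)s)?')


@dataclass
class ConnStatus:
    peer: Optional[str] = None
    routed: bool = False                      # "erouted": traffic is trapped into the tunnel
    isakmp: bool = False                      # an ISAKMP SA is listed under this conn
    ipsec: bool = False                       # an IPsec SA is established for this conn
    ipsec_replace_in: Optional[int] = None    # seconds until Pluto rekeys that SA
    pending: List[str] = field(default_factory=list)  # states still negotiating


def parse_status(text: str) -> Dict[str, ConnStatus]:
    conns: Dict[str, ConnStatus] = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            cs = conns.setdefault(m['conn'], ConnStatus())
            pm = PEER_RE.search(m['desc'])
            cs.peer = pm['peer'] if pm else None
            cs.routed = re.search(r'; erouted\b', m['desc']) is not None
            continue
        m = STATE_RE.match(line)
        if not m:
            continue                          # SPI lines, eroutes, headers
        cs = conns.setdefault(m['conn'], ConnStatus())
        if 'ISAKMP SA established' in m['what']:
            cs.isakmp = True
        elif 'IPsec SA established' in m['what']:
            cs.ipsec = True
            if m['secs'] is not None:         # two SAs overlap during a rekey: keep the newest
                secs = int(m['secs'])
                cs.ipsec_replace_in = secs if cs.ipsec_replace_in is None else max(cs.ipsec_replace_in, secs)
        else:
            cs.pending.append(m['state'])
    return conns


def missing_ipsec(conns: Dict[str, ConnStatus]) -> Dict[str, str]:
    """Conns without an established IPsec SA, each with a one-line reason.

    Pluto lists the ISAKMP SA only under the conn that negotiated it; the
    other conns to the same peer share it, so phase 1 is judged per peer.
    """
    peers_with_phase1 = {cs.peer for cs in conns.values() if cs.isakmp and cs.peer}
    out: Dict[str, str] = {}
    for name, cs in sorted(conns.items()):
        if cs.ipsec:
            continue
        if cs.pending:
            out[name] = 'negotiating (%s)' % ', '.join(cs.pending)
        elif cs.peer in peers_with_phase1:
            out[name] = 'phase 1 up with %s but no IPsec SA' % cs.peer
        else:
            out[name] = 'no ISAKMP SA with %s' % (cs.peer or 'unknown peer')
    return out


def live_status() -> str:
    """Status of the running Pluto; needs root on the Openswan gateway."""
    return subprocess.run(['ipsec', 'auto', '--status'], check=True,
                          capture_output=True, text=True).stdout


if __name__ == '__main__':
    conns = parse_status(live_status() if '--live' in sys.argv else SAMPLE_STATUS)
    for name, cs in sorted(conns.items()):
        print('%-24s peer=%s routed=%s isakmp=%s ipsec=%s replace_in=%s'
              % (name, cs.peer, cs.routed, cs.isakmp, cs.ipsec, cs.ipsec_replace_in))
    for name, why in missing_ipsec(conns).items():
        print('MISSING %-22s %s' % (name, why))
```

Run it with `--live` as root on the Openswan side, once while traffic flows and again during the 10-minute window when fw-1->swan pings fail. A snapshot that still shows the subnet pair's IPsec SA, with a large `replace_in`, means the packets are being dropped or never encrypted before they reach KLIPS/Pluto (the NAT device in front of 192.168.1.2 and the Checkpoint side are the places to look), which is consistent with nothing being logged; a snapshot where the SA has vanished or the conn is back in a STATE_QUICK_I1 retransmit points at rekeying or at the peer deleting the SA.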