[Openswan Users] [Checkpoint inter-operability] Ping A->B must be issued before ping B->A works

DIAS DA SILVALoïc ldiasdasilva at alapage.com
Wed Nov 2 11:56:01 CET 2005


Hi,

  I have a very little appointment with an ipsec tunnel between openswan
2.2.0-8 (debian stable) and checkpoint fw-1.

A] My configuration represents this tunnel :

west: 172.16.(49/50).0/24 --> [172.16.(49/50).254 / 192.168.1.2] -->
{192.168.1.1 / IPEXT1}(cisco)
  ==== 
east: [IPEXT2 / 10.234.(120/122).254] --> 10.234.(120/122).0/(23/25)

The tunnel is established between 192.168.1.2 (via a port redirection
from IPEXT1) and IPEXT2.

B] With this ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration ---------------------------------------------------------
config setup
        nat_traversal=yes
        interfaces=%defaultroute
        klipsdebug=control
        plutodebug=control
        uniqueids=yes
        dumpdir=/root

# default configuration -------------------------------------------------------
conn %default
        #keyingtries=3
        #ikelifetime=3h
        keylife=1h
        #disablearrivalcheck=no
        authby=secret
        left=192.168.1.2
        leftnexthop=192.168.1.1
        right=%any
        rightnexthop=%defaultroute
        esp=aes256-md5
        ike=3des-md5
        pfs=no
        auto=start

# NET TO NET ------------------------------------------------------------------
conn eastNET1-to-westNET1
        leftsubnet=172.16.49.0/24
        rightsubnet=10.234.120.0/23
        right=81.80.43.10

conn eastNET1-to-westNET2
        leftsubnet=172.16.50.0/24
        rightsubnet=10.234.120.0/23
        right=81.80.43.10

conn eastNET2-to-westNET1
        leftsubnet=172.16.49.0/24
        rightsubnet=10.234.122.0/25
        right=81.80.43.10

conn eastNET2-to-westNET2
        leftsubnet=172.16.50.0/24
        rightsubnet=10.234.122.0/25
        right=81.80.43.10

# GW TO NET -------------------------------------------------------------------
conn eastGW-to-westNET1
        leftsubnet=172.16.49.0/24
        right=81.80.43.10

conn eastGW-to-westNET2
        leftsubnet=172.16.50.0/24
        right=81.80.43.10

# NET TO GW -------------------------------------------------------------------
conn eastNET1-to-westGW
        rightsubnet=10.234.120.0/23
        right=81.80.43.10

conn eastNET2-to-westGW
        rightsubnet=10.234.122.0/25
        right=81.80.43.10

# GW TO GW --------------------------------------------------------------------
conn eastGW-to-westGW
        right=81.80.43.10

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

C] My problem is:

I have to issue a ping from 172.16.49.0/24 to 10.234.120.0/23
(swan->fw-1) before the ping from 10.234.120.0/23 to 172.16.49.0/24
(fw-1->swan) works.
If I do this first ping, all is OK on both sides, but it works for
only about 10 minutes.
After these 10 minutes, I have to re-issue a ping.

The same thing occurs between the subnets 172.16.49.0/24 and
10.234.122.0/25 for example.

The strangest thing I can say is that no log is written while
performing this operation:
the logs are verbose (with 'control' or 'all') while the tunnel comes up,
then all works fine for 10 minutes.
But when the ping is not possible and then becomes possible when I issue
the first ping, there are no logs.

I've solved the problem by issuing three pings every second from a server in
the range 172.16.49.0/24 to the other end point, but it is not a good
solution, as you can figure out.

Any idea?

Thanks for any piece of answer.

--
DIAS DA SILVA Loïc
Technical project manager
GNU/Linux systems engineer
France Télécom VSOL
Tel: 01.58.94.37.36
Key fingerprint = 3277 5D67 41C9 D6A5 6267  5D78 0DF0 88CE C43C AAA2
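An added example, not part of the post above: a small parser for the ipsec.conf layout shown in section B] that merges each conn with conn %default and computes the traffic selectors Openswan will actually install. Comparing those selectors against the encryption domains defined on the Checkpoint side is the first check to make when traffic only flows after one side initiates. The embedded excerpt is constructed from the post's config, with the dashed separator lines written as comments.

```python
import ipaddress

# Constructed excerpt of the post's ipsec.conf (dashed separators written as comments).
IPSEC_CONF = """\
# default configuration ----------------------------------------------
conn %default
        left=192.168.1.2
        right=%any
        auto=start
conn eastNET1-to-westNET1
        leftsubnet=172.16.49.0/24
        rightsubnet=10.234.120.0/23
        right=81.80.43.10
conn eastGW-to-westNET1
        leftsubnet=172.16.49.0/24
        right=81.80.43.10
conn eastGW-to-westGW
        right=81.80.43.10
"""

def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for every conn/config section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # unindented line: section header
            parts = line.split()
            current = sections.setdefault(parts[1], {}) if parts[0] in ("conn", "config") else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def effective_selectors(sections):
    """Merge each conn with conn %default and return the selectors Openswan will
    install as (left network, right network, auto). A side without *subnet=
    collapses to the gateway address itself (/32)."""
    default = sections.get("%default", {})
    out = {}
    for name, opts in sections.items():
        if name in ("setup", "%default"):
            continue
        merged = {**default, **opts}
        left = ipaddress.ip_network(merged.get("leftsubnet", merged["left"] + "/32"))
        right = ipaddress.ip_network(merged.get("rightsubnet", merged["right"] + "/32"))
        out[name] = (left, right, merged.get("auto"))
    return out
```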



