[Openswan Users]
[Checkpoint inter-operability] Ping A->B must be issued before
ping B->A works
DIAS DA SILVA Loïc
mglcel at mglcel.com
Wed Oct 19 15:32:30 CEST 2005
Hi,
I have a small problem with an ipsec tunnel between openswan
2.2.0-8 (debian stable) and checkpoint fw-1.
A] My configuration represents this tunnel:
west: 172.16.(49/50).0/24 --> [172.16.(49/50).254 / 192.168.1.2] -->
{192.168.1.1 / IPEXT1}(cisco)
====
east: [IPEXT2 / 10.234.(120/122).254] --> 10.234.(120/122).0/(23/25)
The tunnel is established between 192.168.1.2 (via a port redirection
from IPEXT1) and IPEXT2.
B] With this ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
# ---------------------------------------------------------
config setup
    nat_traversal=yes
    interfaces=%defaultroute
    klipsdebug=control
    plutodebug=control
    uniqueids=yes
    dumpdir=/root

# default configuration
# -------------------------------------------------------
conn %default
    #keyingtries=3
    #ikelifetime=3h
    keylife=1h
    #disablearrivalcheck=no
    authby=secret
    left=192.168.1.2
    leftnexthop=192.168.1.1
    right=%any
    rightnexthop=%defaultroute
    esp=aes256-md5
    ike=3des-md5
    pfs=no
    auto=start

# NET TO NET
# ------------------------------------------------------------------
conn eastNET1-to-westNET1
    leftsubnet=172.16.49.0/24
    rightsubnet=10.234.120.0/23
    right=81.80.43.10

conn eastNET1-to-westNET2
    leftsubnet=172.16.50.0/24
    rightsubnet=10.234.120.0/23
    right=81.80.43.10

conn eastNET2-to-westNET1
    leftsubnet=172.16.49.0/24
    rightsubnet=10.234.122.0/25
    right=81.80.43.10

conn eastNET2-to-westNET2
    leftsubnet=172.16.50.0/24
    rightsubnet=10.234.122.0/25
    right=81.80.43.10

# GW TO NET
# -------------------------------------------------------------------
conn eastGW-to-westNET1
    leftsubnet=172.16.49.0/24
    right=81.80.43.10

conn eastGW-to-westNET2
    leftsubnet=172.16.50.0/24
    right=81.80.43.10

# NET TO GW
# -------------------------------------------------------------------
conn eastNET1-to-westGW
    rightsubnet=10.234.120.0/23
    right=81.80.43.10

conn eastNET2-to-westGW
    rightsubnet=10.234.122.0/25
    right=81.80.43.10

# GW TO GW
# --------------------------------------------------------------------
conn eastGW-to-westGW
    right=81.80.43.10

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
C] My problem is:
I have to issue a ping from 172.16.49.0/24 to 10.234.120.0/23
(swan->fw-1) before the ping from 10.234.120.0/23 to 172.16.49.0/24
(fw-1->swan) works.
If I do this first ping, all is OK on both sides. But it works for
about 10 minutes.
After these 10 minutes, I have to re-issue a ping.
The same thing occurs between the subnets 172.16.49.0/24 and
10.234.122.0/25, for example.
The strangest thing I can say is that no log is written while
performing this operation:
the logs are verbose (with 'control' or 'all') while the tunnel comes up,
then all works fine for 10 minutes.
But when the ping is not possible and then becomes possible when I issue
the first ping, there are no logs.
Any idea?
Thanks for any piece of an answer.
DIAS DA SILVA Loïc.
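A small parser for the ipsec.conf layout in the post above, added here as an example; it is not code from the post or from Openswan. It applies `conn %default` inheritance, derives each conn's traffic selectors using the Openswan convention that an omitted `leftsubnet`/`rightsubnet` means the gateway address itself (/32), and reports conns whose selector pairs overlap, which is where "which conn carries this packet" questions usually start. The embedded configuration is a constructed, trimmed copy of the poster's layout, and the `%any` handling (selector unknown until negotiation) is an assumption of the example.

```python
import ipaddress

# Constructed sample: a trimmed copy of the poster's ipsec.conf layout,
# not the file from the post verbatim.
SAMPLE_IPSEC_CONF = """\
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    interfaces=%defaultroute

conn %default
    authby=secret
    left=192.168.1.2
    leftnexthop=192.168.1.1
    right=%any
    esp=aes256-md5
    ike=3des-md5
    pfs=no
    auto=start

conn eastNET1-to-westNET1
    leftsubnet=172.16.49.0/24
    rightsubnet=10.234.120.0/23
    right=81.80.43.10

conn eastNET2-to-westNET1
    leftsubnet=172.16.49.0/24
    rightsubnet=10.234.122.0/25
    right=81.80.43.10

conn eastGW-to-westNET1
    leftsubnet=172.16.49.0/24
    right=81.80.43.10

conn eastGW-to-westGW
    right=81.80.43.10

include /etc/ipsec.d/examples/no_oe.conf
"""


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into ({section: {key: value}}, [include paths]).

    'config setup' is stored under 'setup', conn sections under their name.
    Indented lines are parameters of the current section, '#' starts a
    comment, and 'include' directives are recorded but not followed.
    """
    sections, includes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":            # unindented: header or directive
            words = line.split()
            if words[0] in ("config", "conn") and len(words) == 2:
                current = words[1]
                sections.setdefault(current, {})
            else:                            # 'version 2.0', 'include ...'
                if words[0] == "include" and len(words) == 2:
                    includes.append(words[1])
                current = None
            continue
        if current is None:
            raise ValueError("parameter outside any section: %r" % raw)
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections, includes


def _selector(merged, side):
    """Traffic selector for one side: <side>subnet, else the <side> host /32."""
    subnet = merged.get(side + "subnet")
    if subnet:
        return ipaddress.ip_network(subnet, strict=False)
    host = merged.get(side)
    if not host or host.startswith("%"):     # %any etc.: unknown until negotiation
        return None
    return ipaddress.ip_network(host + "/32")


def effective_conns(sections):
    """Apply 'conn %default' inheritance and compute each conn's selectors."""
    defaults = sections.get("%default", {})
    conns = {}
    for name, params in sections.items():
        if name in ("setup", "%default"):
            continue
        merged = dict(defaults)
        merged.update(params)               # conn-specific keys win
        conns[name] = {"params": merged,
                       "left": _selector(merged, "left"),
                       "right": _selector(merged, "right")}
    return conns


def find_overlaps(conns):
    """Pairs of conns whose left AND right selectors overlap."""
    names, hits = sorted(conns), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sel = (conns[a]["left"], conns[a]["right"],
                   conns[b]["left"], conns[b]["right"])
            if None in sel:
                continue
            if sel[0].overlaps(sel[2]) and sel[1].overlaps(sel[3]):
                hits.append((a, b))
    return hits


if __name__ == "__main__":
    secs, incs = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for name, c in sorted(effective_conns(secs).items()):
        print("%-22s %-18s <-> %s" % (name, c["left"], c["right"]))
    print("includes:", incs)
    print("overlapping selector pairs:", find_overlaps(effective_conns(secs)))
```

Run as a script it prints one line per conn with its effective selectors; for the poster's layout the four listed conns do not overlap, so the last line is an empty list. If two conns do share overlapping selector pairs, which one carries a given packet is decided by the stack's policy matching rather than by the file, so those pairs are the ones to review first.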