[Openswan Users] NTP/IPSEC/CheckPoint problem
Mauricio Portilho Cavalcanti
mauriciopcavalcanti at hotmail.com
Tue Apr 4 22:30:28 CEST 2006
Hi,
This is my topology and problem:
MAIL SERVER --- CHECKPOINT FW === IPSEC TUNNEL === MY FW --- NTP SERVER (UDP 123)
I connect from NTP SERVER (10.254.254.3) to MAIL SERVER (192.168.60.7) using SSH.
My FW is running openswan 2.2.0-8 and I'm trying to connect MAIL SERVER to my NTP server (it is a NAT on MY FW) using protocol UDP port 123.
When I try to use ntpdate from MAIL SERVER to NTP SERVER, all I have in the logs is listed below (auth.log):
Apr 4 21:01:17 MY-FW pluto[14006]: "MYFW-CP" #1444: cannot respond to IPsec SA request because no connection is known for my-fw-ipaddr...cp-fw-ipaddr.82===cp-fw-ipaddr.84/32
Apr 4 21:01:17 MY-FW pluto[14006]: "MYFW-CP" #1444: sending encrypted notification INVALID_ID_INFORMATION to cp-fw-ipaddr.82:500
Apr 4 21:01:19 MY-FW pluto[14006]: "MYFW-CP" #1444: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc5a62522 (perhaps this is a duplicated packet)
Apr 4 21:01:19 MY-FW pluto[14006]: "MYFW-CP" #1444: sending encrypted notification INVALID_MESSAGE_ID to cp-fw-ipaddr.82:500
Apr 4 21:01:19 MY-FW pluto[14006]: packet from 200.97.128.34:500: Informational Exchange is for an unknown (expired?) SA
Apr 4 21:01:21 MY-FW pluto[14006]: "MYFW-CP" #1444: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc5a62522 (perhaps this is a duplicated packet)
Apr 4 21:01:21 MY-FW pluto[14006]: "MYFW-CP" #1444: sending encrypted notification INVALID_MESSAGE_ID to cp-fw-ipaddr.82:500
Apr 4 21:01:23 MY-FW pluto[14006]: "MYFW-CP" #1444: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc5a62522 (perhaps this is a duplicated packet)
Apr 4 21:01:23 MY-FW pluto[14006]: "MYFW-CP" #1444: sending encrypted notification INVALID_MESSAGE_ID to cp-fw-ipaddr.82:500
Apr 4 21:01:25 MY-FW pluto[14006]: "MYFW-CP" #1444: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc5a62522 (perhaps this is a duplicated packet)
Apr 4 21:01:25 MY-FW pluto[14006]: "MYFW-CP" #1444: sending encrypted notification INVALID_MESSAGE_ID to cp-fw-ipaddr.82:500
Apr 4 21:01:27 MY-FW pluto[14006]: "MYFW-CP" #1444: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc5a62522 (perhaps this is a duplicated packet)
Apr 4 21:01:27 MY-FW pluto[14006]: "MYFW-CP" #1444: sending encrypted notification INVALID_MESSAGE_ID to cp-fw-ipaddr.82:500
Apr 4 21:01:29 MY-FW pluto[14006]: "MYFW-CP" #1444: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xc5a62522 (perhaps this is a duplicated packet)
Apr 4 21:01:29 MY-FW pluto[14006]: "MYFW-CP" #1444: sending encrypted notification INVALID_MESSAGE_ID to cp-fw-ipaddr.82:500
My ipsec.conf:
conn MYFW-CP
        authby=secret
        left=my-fw-ipaddr
        leftsubnet=10.254.254.0/24
        leftnexthop=my-fw-ipaddr-router
        right=cp-fw-ipaddr.82
        rightsubnet=192.168.60.7/32
        keyexchange=ike
        auth=esp
        pfs=no
        auto=start
All my MAIL SERVERS (except this one) connect to MY FW using UDP port 123 (NAT to NTP SERVER). I don't have access to the CheckPoint configuration.
Can anyone help debug this?
Thanks in advance,
Mauricio.
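The first log line is the one that matters for this kind of failure: pluto is telling us which Phase 2 selector pair the Check Point proposed (here the host address of MY FW on one side and cp-fw-ipaddr.84/32 on the other) and that no conn with matching leftsubnet/rightsubnet exists, so it answers INVALID_ID_INFORMATION; the later "previously used Message ID" lines are just the peer retransmitting the same Quick Mode request. The script below is an added example, not part of the post and not an Openswan tool. It parses a "no connection is known for" line and a conn block, reports the proposed versus configured selectors for each side, and flags which side disagrees. It assumes the log format exactly as printed in the post (client===host...host===client, with the client part omitted when it equals the host); the sample line and conn block are constructed, with the poster's placeholder names replaced by RFC 5737 documentation addresses so that they parse.

```python
import ipaddress
import re

# Constructed sample input modelled on the post. The poster's placeholders
# (my-fw-ipaddr, cp-fw-ipaddr.82, cp-fw-ipaddr.84) are replaced with RFC 5737
# documentation addresses; these are not real peers.
SAMPLE_LOG_LINE = (
    'Apr 4 21:01:17 MY-FW pluto[14006]: "MYFW-CP" #1444: cannot respond to '
    'IPsec SA request because no connection is known for '
    '203.0.113.1...198.51.100.82===198.51.100.84/32'
)

SAMPLE_CONN = """\
conn MYFW-CP
        authby=secret
        left=203.0.113.1
        leftsubnet=10.254.254.0/24
        leftnexthop=203.0.113.254
        right=198.51.100.82
        rightsubnet=192.168.60.7/32
        keyexchange=ike
        auth=esp
        pfs=no
        auto=start
"""

NO_CONN_RE = re.compile(r"no connection is known for (\S+)")


def parse_proposed_selectors(log_line):
    """Return (left_client, right_client) as proposed by the peer in Quick Mode.

    pluto prints the rejected pair as
        [leftclient===]lefthost...righthost[===rightclient]
    and omits the '===client' part when the client is just the host itself.
    """
    m = NO_CONN_RE.search(log_line)
    if not m:
        raise ValueError("not a 'no connection is known for' line")
    left_part, right_part = m.group(1).split("...", 1)
    # Left side reads "client===host" or just "host".
    if "===" in left_part:
        left_client, _left_host = left_part.split("===", 1)
    else:
        left_client = left_part + "/32"
    # Right side reads "host===client" or just "host".
    if "===" in right_part:
        _right_host, right_client = right_part.split("===", 1)
    else:
        right_client = right_part + "/32"
    return (ipaddress.ip_network(left_client, strict=False),
            ipaddress.ip_network(right_client, strict=False))


def parse_conn(conn_text):
    """Parse one 'conn' block into a dict of key=value settings."""
    settings = {}
    for raw in conn_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def configured_selectors(settings):
    """Selectors pluto will accept: leftsubnet/rightsubnet, or the host /32."""
    left = settings.get("leftsubnet", settings["left"] + "/32")
    right = settings.get("rightsubnet", settings["right"] + "/32")
    return (ipaddress.ip_network(left, strict=False),
            ipaddress.ip_network(right, strict=False))


def diagnose(log_line, conn_text):
    """Compare proposed and configured selectors side by side.

    IKEv1 Quick Mode in pluto needs an exact selector match, so 'matches'
    is the decisive flag; 'proposed_within_configured' only helps explain
    what the peer's encryption domain looks like.
    """
    proposed = parse_proposed_selectors(log_line)
    configured = configured_selectors(parse_conn(conn_text))
    report = {}
    for side, prop, conf in zip(("left", "right"), proposed, configured):
        report[side] = {
            "proposed": str(prop),
            "configured": str(conf),
            "matches": prop == conf,
            "proposed_within_configured": prop.subnet_of(conf),
        }
    return report


if __name__ == "__main__":
    for side, info in diagnose(SAMPLE_LOG_LINE, SAMPLE_CONN).items():
        status = "ok" if info["matches"] else "MISMATCH"
        print(f"{side}: proposed {info['proposed']} vs configured "
              f"{info['configured']} -> {status}")
```

Run against the sample, both sides report a mismatch: the peer asked for a host-to-host SA between MY FW itself and 198.51.100.84/32 (standing in for cp-fw-ipaddr.84), while the conn only knows 10.254.254.0/24 and 192.168.60.7/32. That is consistent with the mail server reaching the NTP service through a NAT address on MY FW rather than through the 10.254.254.0/24 subnet, and with the Check Point's encryption domain for this host not being 192.168.60.7/32; the fix is on whichever side's selectors are wrong, which this report makes explicit without needing access to the Check Point configuration.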