[Openswan Users] Checkpoint - OpenSwan connection dropping

Peter McGill petermcgill at goco.net
Mon Jan 8 12:42:00 EST 2007


> -----Original Message-----
> Date: Mon, 8 Jan 2007 10:13:12 -0000
> From: <Mike.Peters at opengi.co.uk>
> Subject: [Openswan Users] Checkpoint - OpenSwan connection dropping
> To: <users at openswan.org>
> 
> Hi,
> 
> I currently have a Checkpoint <-> OpenS/WAN connection. It works fine
> for a while, in both directions, however the connection drops fairly
> frequently and I cannot re-initiate the connection from the OpenSwan end
> of the connection - the connection re-establishes if I ping from the
> Checkpoint network to the OpenSwan network.
> 
> Does anyone have any ideas what the workaround may be (or any other
> ideas)?
> 
> My ipsec.conf is as follows:
> 
> # basic configuration
> config setup
>   crlcheckinterval=600
>   strictcrlpolicy=no
>   interfaces=%defaultroute
>   nat_traversal=yes
>   uniqueids=yes
>   virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> 
> conn %default
>   keyingtries=3
>   compress=no
>   disablearrivalcheck=no
>   authby=rsasig
>   leftrsasigkey=%cert
>   rightrsasigkey=%cert
>   ikelifetime=3600s
>   keylife=20m
>   left=%defaultroute
> 
> conn net-openswan-net
>   type=transport
>   keyexchange=ike
>   ikelifetime=3h
>   keylife=1h
>   disablearrivalcheck=no
>   authby=secret
>   left=%defaultroute
>   esp=aes128,3des
>   auto=start
>   right=aaa.bbb.ccc.42
> 
> conn checkpoint-openswan
>   type=tunnel
>   keyexchange=ike
>   ikelifetime=3h
>   keylife=1h
>   disablearrivalcheck=no
>   authby=secret
>   left=%defaultroute
>   esp=aes128,3des
>   auto=start
>   right=aaa.bbb.ccc.42
>   rightsubnet=192.168.0.0/24
>   leftsubnet=10.0.0.0/8

When you say "I cannot re-initiate the connection from the OpenSwan end",
do you mean only auto-renew fails, or manual too?
I see no reason why manual would fail here.
i.e. ipsec auto --up checkpoint-openswan
(Pings will not renew an openswan conn; they are not "on-demand" in that sense.)

However, to fix auto-renewal, try setting rekey=yes and keyingtries=%forever in the appropriate conn.
They are defaults; however, putting keyingtries=3 in the %default conn will have overridden the default.
Also make sure that keylife and ikelifetime match the values in the checkpoint configuration.
You can also try enabling dead peer detection if supported by checkpoint.
In openswan that is dpddelay=30, dpdtimeout=120, dpdaction=restart.

All this may help; however, I suspect your biggest problem is keyingtries=3 in the %default conn.
Experience has taught me that keyingtries does not reset after a connection is made, so at best
you'll get 2 renewals before openswan gives up. This doesn't affect incoming conns, so it would
still allow the checkpoint to renew it, as your ping has done.

Peter
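For readers applying the advice above, the following ipsec.conf fragment shows the quoted configuration with the reply's suggestions put in place. It is an added illustration, not the poster's file, the reply's own text, or Openswan documentation. The lifetimes are kept as in the quoted config on the assumption that the Checkpoint side uses the same values; the peer address aaa.bbb.ccc.42 is the placeholder from the original post. The unchanged config setup and net-openswan-net sections are omitted.

```ini
# ipsec.conf (added illustration; assumes Checkpoint uses the same lifetimes)

conn %default
  # keyingtries=3 removed here: it overrode Openswan's default of %forever
  # for every conn, so after two rekeys the Openswan side stopped trying.
  compress=no
  disablearrivalcheck=no
  authby=rsasig
  leftrsasigkey=%cert
  rightrsasigkey=%cert
  ikelifetime=3600s
  keylife=20m
  left=%defaultroute

conn checkpoint-openswan
  type=tunnel
  keyexchange=ike
  # these two must match the IKE and IPsec lifetimes configured on the Checkpoint
  ikelifetime=3h
  keylife=1h
  disablearrivalcheck=no
  authby=secret
  left=%defaultroute
  leftsubnet=10.0.0.0/8
  right=aaa.bbb.ccc.42
  rightsubnet=192.168.0.0/24
  esp=aes128,3des
  auto=start
  # explicit rekeying so the Openswan end keeps the SA alive on its own
  rekey=yes
  keyingtries=%forever
  # dead peer detection, only useful if the Checkpoint side supports it;
  # dpdaction=restart brings the tunnel back up when the peer stops answering
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart
```

Setting keyingtries=%forever in the conn itself overrides the %default section, so either removing the value from %default or setting it per conn is enough. After editing, `ipsec auto --replace checkpoint-openswan` reloads the conn without restarting the whole service, and `ipsec auto --status` confirms whether the new Phase 1 and Phase 2 SAs are present.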
