[Openswan Users] VPN between openswan and Checkpoint
Andreas Mueller
andreas.mueller at varetis.de
Wed Jan 10 08:22:32 EST 2007
Hello,
we are just trying to set up a network-network VPN connection between a
Checkpoint (VPN-1, i suppose) and an openswan (2.4.4 on suse 9.3).
The setup on my side is:
config setup
    plutodebug="none"
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    plutowait=yes
    ....

conn to_the_customer
    type=tunnel
    # "right" is this gateway (Openswan picks the local end by address, not by label)
    right=MY_GW_IP
    rightid=MY_GW_IP
    rightsubnet=MY_SUBNET/25
    rightnexthop=MY_ROUTERIP
    # "left" is the Checkpoint gateway with the whole /24 behind it
    left=HIS_GW_IP
    leftsubnet=HIS_SUBNET/24
    leftid=HIS_GW_IP
    ike="3des-md5-modp1024!"
    esp="3des-md5!"
    pfs=no
    authby=secret
    auth=esp
    keyingtries=3
    auto=add
What happens when I initiate the connection is that I get an IPsec
SA established. So far so good.
At once, the other side tries to establish an IPsec SA with ONE IP, let's
call it HIS_IP/32, out of HIS_SUBNET/24, and wants to establish an SA
for MY_SUBNET/25===HIS_SUBNET/32. Since I don't have a connection
definition for HIS_IP/32, the SA doesn't get established:
(right after establishing ISAKMP SA)
cannot respond to IPsec SA request because no connection is known for
MY_SUBNET/25===MY_GW_IP...HIS_GW_IP===HIS_IP/32
So on my side we have an SA for the two nets, and nothing on his side.
Result: I can ping his host, but he doesn't get any connection to one
of my hosts.
A workaround is to change the leftsubnet to HIS_IP/32, but there are 300
hosts on the other side (some other nets in addition to the above one),
so it's not a real solution.
I found this one
http://lists.openswan.org/pipermail/users/2006-April/008933.html
but here, my openswan is the initiator and it fails anyhow.
Is this a known problem?
Is there any other solution besides the above mentioned /32-solution
(and besides ip-ip tunnel plus transport mode solutions) ?
regards and thanks in advance
Andreas Mueller
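Added example, not part of the post or of Openswan itself: a small Python script that reads a conn section of the kind shown above, pulls the proposed selector pair out of Pluto's "cannot respond to IPsec SA request because no connection is known for" line, and reports which configured subnet the peer's selector is narrower than. The gateway and subnet addresses are constructed RFC 5737 placeholders standing in for MY_*/HIS_*, the log lines are constructed in the shape quoted in the post, and the ipsec.conf reader is a deliberately minimal one written for this example.

```python
"""Diagnose Pluto "no connection is known" rejections against ipsec.conf.

Added example (not from the post or from Openswan). It models the mismatch
described on the list: the peer proposes a /32 host selector while the
local conn only carries the /24. All addresses are constructed placeholders.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed conn section standing in for the poster's (placeholder IPs).
IPSEC_CONF = """\
conn to_the_customer
    type=tunnel
    right=192.0.2.10
    rightsubnet=192.0.2.128/25
    left=198.51.100.1
    leftsubnet=203.0.113.0/24
    authby=secret
    auto=add
"""

# Constructed Pluto log lines in the shape quoted in the post.
PLUTO_LOG = """\
"to_the_customer" #2: IPsec SA established {ESP=>0x0000abcd <0x0000ef01}
cannot respond to IPsec SA request because no connection is known for 192.0.2.128/25===192.0.2.10...198.51.100.1===203.0.113.7/32
"""

# local_subnet===local_gw...remote_gw===remote_subnet, as in the post's log line
NO_CONN_RE = re.compile(
    r"no connection is known for (\S+?)===(\S+?)\.\.\.(\S+?)===(\S+)$"
)

Request = Tuple[ipaddress.IPv4Network, str, str, ipaddress.IPv4Network]


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: 'conn NAME' at column 0, indented key=value lines."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns


def parse_requests(log: str) -> List[Request]:
    """Extract (local_subnet, local_gw, remote_gw, remote_subnet) from each rejection line."""
    out: List[Request] = []
    for line in log.splitlines():
        m = NO_CONN_RE.search(line)
        if m:
            local_net, local_gw, remote_gw, remote_net = m.groups()
            out.append((ipaddress.ip_network(local_net), local_gw,
                        remote_gw, ipaddress.ip_network(remote_net)))
    return out


def diagnose(conns: Dict[str, Dict[str, str]], req: Request) -> List[str]:
    """Explain, per conn for this gateway pair, why the proposed selectors did not match."""
    local_net, local_gw, remote_gw, remote_net = req
    findings: List[str] = []
    for name, p in conns.items():
        # Which end is "us" is decided by gateway address, not by the left/right label.
        if p.get("right") == local_gw and p.get("left") == remote_gw:
            ours, theirs = p.get("rightsubnet", local_gw + "/32"), p.get("leftsubnet", remote_gw + "/32")
        elif p.get("left") == local_gw and p.get("right") == remote_gw:
            ours, theirs = p.get("leftsubnet", local_gw + "/32"), p.get("rightsubnet", remote_gw + "/32")
        else:
            continue  # conn is for a different gateway pair
        ours_n, theirs_n = ipaddress.ip_network(ours), ipaddress.ip_network(theirs)
        if ours_n == local_net and theirs_n == remote_net:
            findings.append(f"{name}: selectors match exactly; rejection has another cause")
        elif remote_net != theirs_n and remote_net.subnet_of(theirs_n):
            findings.append(f"{name}: peer proposed {remote_net}, narrower than the configured "
                            f"{theirs_n}; no conn covers that exact pair")
        else:
            findings.append(f"{name}: proposed {local_net}<->{remote_net} does not match "
                            f"configured {ours_n}<->{theirs_n}")
    return findings


if __name__ == "__main__":
    conns = parse_conns(IPSEC_CONF)
    for req in parse_requests(PLUTO_LOG):
        for line in diagnose(conns, req) or ["no conn for this gateway pair"]:
            print(line)
```

The script only explains the rejection the way the log line already does, in terms of the conn that should have matched; whether the peer can be made to propose the whole /24 is a question for the Checkpoint side's encryption domain.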