[Openswan Users] VPN between openswan and Checkpoint
andreas.mueller at varetis.de
Wed Jan 10 08:22:32 EST 2007
We are just trying to set up a network-network VPN connection between a
Checkpoint (VPN-1, I suppose) and an openswan (2.4.4 on suse 9.3).
The setup on my side is:
What happens when I initiate the connection is that I get an IPSEC
SA established. So far so good.
At once, the other side tries to establish an IPSEC SA with ONE IP, let's
call it HIS_IP/32, out of HIS_SUBNET/24, and wants to establish an SA
for MY_SUBNET/25===HIS_SUBNET/32. Since I don't have a connection
definition for HIS_IP/32, the SA doesn't get established:
(right after establishing ISAKMP SA)
cannot respond to IPsec SA request because no connection is known for
So on my side we have an SA for the two nets, and nothing on his side.
Result: I can ping his host, but he doesn't get any connection to one
of my hosts.
A workaround is to change the leftsubnet to HIS_IP/32, but there are 300
hosts on the other side (some other nets in addition to the above one),
so it's not a real solution.
I found this one
but here, my openswan is the initiator and it fails anyhow.
Is this a known problem?
Is there any other solution besides the above mentioned /32-solution
(and besides ip-ip tunnel plus transport mode solutions)?
Regards and thanks in advance
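An added diagnostic sketch, not part of the original post and not Openswan code: it models the behaviour described above, where the responder only accepts a Quick Mode selector pair that exactly equals a configured connection, and flags a proposal that is merely narrower than a configured one (the per-host /32 case). The connection name, the function name and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed example: one net-to-net connection, written from the
# responder's point of view as (local subnet, remote subnet).
CONNS = {"net-to-net": ("10.1.0.0/25", "192.168.50.0/24")}

def classify_proposal(conns, local, remote):
    """Classify a peer's proposed selector pair against configured conns.

    Returns (verdict, conn_name) where verdict is one of:
      "exact"    - selectors equal a configured connection (SA can be built)
      "narrower" - selectors fall inside a configured connection but do not
                   equal it; under the exact-match assumption this is
                   rejected, and it points to a subnet-granularity mismatch
      "unknown"  - selectors are not covered by any configured connection
    """
    p_local = ipaddress.ip_network(local)
    p_remote = ipaddress.ip_network(remote)
    narrower = None
    for name, (c_local, c_remote) in conns.items():
        c_local = ipaddress.ip_network(c_local)
        c_remote = ipaddress.ip_network(c_remote)
        if (p_local, p_remote) == (c_local, c_remote):
            return ("exact", name)
        if p_local.subnet_of(c_local) and p_remote.subnet_of(c_remote):
            narrower = name  # remember it, but keep looking for an exact hit
    if narrower is not None:
        return ("narrower", narrower)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed proposals: the full subnet, one host out of it, and an
    # unrelated network.
    for remote in ("192.168.50.0/24", "192.168.50.17/32", "172.16.9.0/24"):
        verdict, conn = classify_proposal(CONNS, "10.1.0.0/25", remote)
        print(f"10.1.0.0/25==={remote}: {verdict} ({conn})")
```

A "narrower" verdict means both gateways agree on the networks but not on the selector granularity, so the fix belongs in how the subnets are declared on one side rather than in routing or firewall rules.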