Firewall-1

Re: [FW-1] Tunnel failure between Checkpoint and FreeSWAN/Linux

Subject: Re: [FW-1] Tunnel failure between Checkpoint and FreeSWAN/Linux
From: fwguru <fwguru AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 23 Dec 2004 23:34:23 -0500
Try unchecking "Support Key Exchange for Subnets" on the Checkpoint
side in the FW Object's "VPN-->VPN Advanced" section.

Use the "vpn tu" command on the module for status of phase one and
phase two SAs and to kill tunnels.

The "packet is dropped because there is no valid SA" error message is
usually a phase two error having to do, most of the time, with
encryption domain mismatches.  Your phase one is fine.

Are you using NAT inside of the VPN?

rgds,
fwguru



On Thu, 23 Dec 2004 11:47:44 +0100, Michael Schwartzkopff
<ccse_fw1 AT multinet DOT de> wrote:
> Hi
>
> I've got a problem establishing a tunnel between a Linux box and a Checkpoint
> Firewall.
>
> Behind the Checkpoint Firewall several clients are located in one subnet. We
> grouped them together in one group. Behind the Linux Firewall with FreeSWAN
> there are two servers with the addresses x.x.x.127 and x.x.x.121.
>
> First the tunnel was defined only for the first server and everything was OK.
> But then we added the second server as destination to the tunnel. The
> encryption domain behind the Linux Firewall is a group of the two servers.
>
> Now a ping to the first server works, but not to the second. The error message
> is: "encryption fail reason: Packet is dropped because
> there is no valid SA - please refer to solution sk 19423 in Secure
> Knowledge Database"
>
> Then we tried the following:
> - we defined the complete subnet x.x.x.0/24 as the encryption domain for the
> Linux firewall
> - or we unchecked "Support subnets"
>
> but nothing helped.
>
> The Linux side (ipsec whack --status) says, the tunnel is established.
>
> Is there any checkpoint command similar to "ipsec whack" to dump the status of
> the connections? Any further help?
>
> Thanks.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
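The "no valid SA" symptom fwguru attributes to an encryption-domain mismatch can be modelled as an IKEv1 quick-mode negotiation followed by an outbound SA lookup. This is an added illustration, not code from the thread or from either product; the addresses are constructed (the thread only gives x.x.x.127 and x.x.x.121), and the model assumes Pluto's rule that a proposed selector pair must match one of its conns exactly.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses standing in for the thread's x.x.x.* hosts.
CP_CLIENTS = ip_network("10.0.0.0/24")     # clients behind the Check Point
LINUX_NET = ip_network("192.168.1.0/24")   # x.x.x.0/24 behind FreeS/WAN
SERVER_A = ip_network("192.168.1.127/32")  # x.x.x.127, the first server
SERVER_B = ip_network("192.168.1.121/32")  # x.x.x.121, the server added later


def negotiate(proposed, accepted):
    """Quick-mode model: a proposed (local, remote) selector pair becomes a
    phase-2 SA only if the responder has a conn with exactly that pair."""
    return [pair for pair in proposed if pair in accepted]


def lookup_sa(sas, src, dst):
    """Outbound SA lookup: first SA whose selectors cover src and dst.
    None is the 'Packet is dropped because there is no valid SA' case."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in sas:
        if src in local and dst in remote:
            return (local, remote)
    return None


def scenario(checkpoint_proposes, freeswan_accepts, client="10.0.0.5"):
    """Which of the two servers a Check Point client can reach after phase 2."""
    sas = negotiate(checkpoint_proposes, freeswan_accepts)
    return {
        "server_a": lookup_sa(sas, client, "192.168.1.127") is not None,
        "server_b": lookup_sa(sas, client, "192.168.1.121") is not None,
    }


# 1. The thread's situation: only a subnet<->.127 SA exists, so pings to
#    .127 work while packets for .121 find no SA and are dropped.
BROKEN = scenario([(CP_CLIENTS, SERVER_A)],
                  [(CP_CLIENTS, SERVER_A), (CP_CLIENTS, SERVER_B)])

# 2. Both sides describe the same two host selectors: two SAs, both reachable.
PER_HOST = scenario([(CP_CLIENTS, SERVER_A), (CP_CLIENTS, SERVER_B)],
                    [(CP_CLIENTS, SERVER_A), (CP_CLIENTS, SERVER_B)])

# 3. Subnet proposal (Check Point "Support Key Exchange for Subnets") against
#    per-host conns on FreeS/WAN: no exact match, so no SA is established.
SUBNET_MISMATCH = scenario([(CP_CLIENTS, LINUX_NET)],
                           [(CP_CLIENTS, SERVER_A), (CP_CLIENTS, SERVER_B)])

# 4. Same subnet on both sides: a single SA that covers both servers.
SUBNET_MATCH = scenario([(CP_CLIENTS, LINUX_NET)], [(CP_CLIENTS, LINUX_NET)])
```

Case 3 is why the Check Point-side "Support Key Exchange for Subnets" setting matters when the other end defines per-host conns, and case 4 is the alternative of making both encryption domains the same subnet.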
