I've experienced these situations in the past, either with Eudemon or with other VPN gateways (SonicWall, WatchGuard). After analyzing the packets with IKEVIEW, I found out that the encryption domain readings did not match. For NG AI R55, my solution is to disable "support key exchange for subnets". For NGX R60, my solution is to ask my partner to change the encryption domain as read by Check Point in IKEVIEW.

rgds,
Ali HS

On 7/10/07, Millan, Raul <[EMAIL PROTECTED]> wrote:
Hi everybody.

I need to establish an IPsec tunnel with a Huawei firewall, model Eudemon 200. Everything seems to work fine for some minutes, then the outgoing traffic from my end to the Huawei's end is dropped at the destination; according to Huawei, the firewall complains that the SA is invalid. It seems that at some point the Huawei firewall renegotiates the phase 2 SAs way before they even expire (default 3600 seconds); this only happens on outbound traffic (my side), the inbound SA (again my side) is correct and I can receive echo request packets from the LAN behind the Huawei firewall.

We've checked the SAs using vpn -u on our side, and my outbound SA is different from their inbound SA; this is strange since this usually happens way before the 3600 seconds are up (phase 2). I'm using a cluster of SecurePlatform servers running R60, with a single VPN community for all my other customers' VPNs; this is the only one giving me a hard time.

Any ideas would be of great help, since we've been at this for a number of weeks now, and we're really starting to run out of good ideas.

Thanks,
Raúl
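The two checks discussed in this thread (does our outbound SA carry the same SPI as the peer's inbound SA, and do both sides read the same encryption domains) are easy to automate once the SA tables from each gateway have been transcribed. The script below is an added example, not code from the thread or from Check Point or Huawei. It works on a constructed, gateway-neutral record layout (direction, SPI, local and remote encryption domain) rather than on real `vpn -u` or Eudemon output; the sample data models the two failure modes described above: a peer that rekeyed its inbound SA early, and a peer that negotiated a host selector instead of the whole subnet.

```python
"""Compare IPsec phase-2 SA tables from two peers to locate a mismatch.

Added example. The SA records below are constructed and simplified; they
are not real `vpn -u` or Eudemon output, which must be transcribed into
this shape first.
"""
from ipaddress import ip_network

# Constructed SA records: direction as seen by that gateway, SPI,
# local encryption domain, remote encryption domain.
OUR_SAS = [
    {"dir": "in",  "spi": 0x1a2b3c4d, "local": "10.1.0.0/24", "remote": "192.168.50.0/24"},
    {"dir": "out", "spi": 0x5e6f7081, "local": "10.1.0.0/24", "remote": "192.168.50.0/24"},
]

# Peer that rekeyed its inbound SA early: its outbound SPI still matches our
# inbound SA, but its inbound SPI no longer matches our outbound one, so our
# ESP packets arrive with an SPI the peer considers invalid.
PEER_SAS_REKEYED = [
    {"dir": "in",  "spi": 0x9abcdef0, "local": "192.168.50.0/24", "remote": "10.1.0.0/24"},
    {"dir": "out", "spi": 0x1a2b3c4d, "local": "192.168.50.0/24", "remote": "10.1.0.0/24"},
]

# Peer that reads our encryption domain as a single host rather than the
# subnet (the kind of selector disagreement IKEVIEW would reveal).
PEER_SAS_HOST = [
    {"dir": "in",  "spi": 0x5e6f7081, "local": "192.168.50.0/24", "remote": "10.1.0.5/32"},
    {"dir": "out", "spi": 0x1a2b3c4d, "local": "192.168.50.0/24", "remote": "10.1.0.5/32"},
]

OPPOSITE = {"in": "out", "out": "in"}


def spi_mismatches(ours, theirs):
    """Return the directions of our SAs whose SPI has no counterpart on the peer.

    Our outbound SA must be the peer's inbound SA (same SPI) and vice versa.
    """
    peer_spis = {(sa["dir"], sa["spi"]) for sa in theirs}
    return sorted(sa["dir"] for sa in ours
                  if (OPPOSITE[sa["dir"]], sa["spi"]) not in peer_spis)


def selector_mismatches(ours, theirs):
    """For each SA pair matched by SPI, compare the encryption domains.

    Our local domain must equal the peer's remote domain and our remote
    domain must equal the peer's local one. Returns a list of
    (spi, our_view, peer_view) tuples where the views disagree; each view
    is (our_local, our_remote) expressed from our side.
    """
    by_spi = {sa["spi"]: sa for sa in theirs}
    findings = []
    for sa in ours:
        peer = by_spi.get(sa["spi"])
        if peer is None:
            continue  # no counterpart at all; spi_mismatches reports that case
        our_view = (ip_network(sa["local"]), ip_network(sa["remote"]))
        peer_view = (ip_network(peer["remote"]), ip_network(peer["local"]))
        if our_view != peer_view:
            findings.append((sa["spi"], our_view, peer_view))
    return findings


if __name__ == "__main__":
    print("SPI mismatch on our SA(s):", spi_mismatches(OUR_SAS, PEER_SAS_REKEYED))
    for spi, ours, theirs in selector_mismatches(OUR_SAS, PEER_SAS_HOST):
        print(f"SPI {spi:#010x}: we have {ours[0]} <-> {ours[1]}, "
              f"peer has {theirs[0]} <-> {theirs[1]}")
```

With the rekeyed peer the script reports only our `out` SA as orphaned, which is exactly the one-directional symptom in the original post; with the host-selector peer both SPIs line up but both selector comparisons fail, pointing at the encryption domain rather than at rekey timing.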
