Klaubert Herr da Silveira
2007-Sep-19 13:21 UTC
Exclude service from IPSec, using ipsec-tools
Hi All,

I'm trying to set up a VPN between a Linux box (CentOS 4) and Check Point FW-1 (NGX R65), and I have actually already done this. However, I'm having a problem with policy "none" when using ports. For example, I want to exclude the "ssh" service from the VPN, so my commands to setkey were:

# Excluded services ssh
spdadd 172.20.0.0/16[any] 172.16.0.0/16[22] tcp -P out none ;
spdadd 172.16.0.0/16[22] 172.20.0.0/16[any] tcp -P in none ;
spdadd 172.20.0.0/16[22] 172.16.0.0/16[any] tcp -P out none ;
spdadd 172.16.0.0/16[any] 172.20.0.0/16[22] tcp -P in none ;

spdadd 172.20.14.168 172.16.0.0/16 any -P out ipsec esp/tunnel/192.168.80.33-192.168.80.129/require ;
spdadd 172.16.0.0/16 172.20.14.168 any -P in ipsec esp/tunnel/192.168.80.129-192.168.80.33/require ;
spdadd 172.20.14.168 172.17.0.0/16 any -P out ipsec esp/tunnel/192.168.80.33-192.168.80.129/require ;
spdadd 172.17.0.0/16 172.20.14.168 any -P in ipsec esp/tunnel/192.168.80.129-192.168.80.33/require ;

Note that at this time I'm just making a VPN to one host on the remote location (172.20.14.168). The problem is that when I use the policy to exclude ssh, the machines from the 172.16/16 network are unable to connect to the remote host, and racoon says:

2007-09-14 09:48:14: DEBUG: suitable SP found:172.20.14.168/32[0] 172.16.0.0/16[0] proto=any dir=out
2007-09-14 09:48:14: ERROR: policy found, but no IPsec required: 172.20.14.168/32[0] 172.16.0.0/16[0] proto=any dir=out

So I can't understand what the problem is. Is there some mistake in my config?

Thanks in advance,
Klaubert
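The configuration above mixes port-specific "none" (bypass) entries with host-wide "ipsec ... require" entries on overlapping address ranges, so a single flow can fall inside the selector of more than one SPD entry. The following is an added example, not code from the post or from ipsec-tools: a small audit script that parses the spdadd lines quoted above (a subset of setkey syntax, embedded as constructed input) and reports, for a given flow, every policy whose selector covers it and whether those policies disagree on the action. It deliberately does not model which entry the kernel actually applies, since that depends on SPD priority and ordering; its job is only to surface the overlaps a reviewer would want to look at before reading racoon's "policy found, but no IPsec required" message. The sample flows and port numbers are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the SPD entries from the post (ssh bypass rules plus the
# tunnel rules for the first remote network), used as offline input.
SPD_TEXT = """
spdadd 172.20.0.0/16[any] 172.16.0.0/16[22] tcp -P out none ;
spdadd 172.16.0.0/16[22] 172.20.0.0/16[any] tcp -P in none ;
spdadd 172.20.0.0/16[22] 172.16.0.0/16[any] tcp -P out none ;
spdadd 172.16.0.0/16[any] 172.20.0.0/16[22] tcp -P in none ;
spdadd 172.20.14.168 172.16.0.0/16 any -P out ipsec esp/tunnel/192.168.80.33-192.168.80.129/require ;
spdadd 172.16.0.0/16 172.20.14.168 any -P in ipsec esp/tunnel/192.168.80.129-192.168.80.33/require ;
"""

# "ADDR[/PREFIX][PORT]" as written in setkey's spdadd lines.
ENDPOINT_RE = re.compile(r"^([\d.]+(?:/\d+)?)(?:\[(\w+)\])?$")

@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    sport: Optional[int]      # None means "any"
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    proto: str                # "any", "tcp", "udp", ...
    direction: str            # "in" or "out"
    action: str               # "none", "ipsec" or "discard"
    spec: str                 # remaining ipsec request text, if any

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str

def _parse_endpoint(token: str):
    m = ENDPOINT_RE.match(token)
    if m is None:
        raise ValueError(f"unrecognised endpoint: {token!r}")
    net = ipaddress.ip_network(m.group(1), strict=False)  # bare host -> /32
    port = m.group(2)
    return net, (None if port in (None, "any") else int(port))

def parse_spd(text: str) -> list[Policy]:
    """Parse spdadd lines of the form used in the post (subset of setkey syntax)."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line.startswith("spdadd"):
            continue
        parts = line.split()  # spdadd SRC DST PROTO -P DIR ACTION [ipsec-spec]
        if len(parts) < 7 or parts[4] != "-P":
            raise ValueError(f"unsupported spdadd line: {line!r}")
        src, sport = _parse_endpoint(parts[1])
        dst, dport = _parse_endpoint(parts[2])
        policies.append(Policy(src, sport, dst, dport, parts[3], parts[5],
                               parts[6], " ".join(parts[7:])))
    return policies

def matches(policy: Policy, flow: Flow) -> bool:
    """True if the flow falls inside the policy's selector."""
    return (policy.direction == flow.direction
            and policy.proto in ("any", flow.proto)
            and ipaddress.ip_address(flow.src) in policy.src
            and ipaddress.ip_address(flow.dst) in policy.dst
            and policy.sport in (None, flow.sport)
            and policy.dport in (None, flow.dport))

def matching_policies(policies: list[Policy], flow: Flow) -> list[Policy]:
    """All SPD entries, in file order, whose selector covers the flow."""
    return [p for p in policies if matches(p, flow)]

def is_ambiguous(policies: list[Policy], flow: Flow) -> bool:
    """A flow is ambiguous when entries with different actions cover it,
    e.g. both a 'none' bypass and an 'ipsec ... require' entry."""
    actions = {p.action for p in matching_policies(policies, flow)}
    return len(actions) > 1

POLICIES = parse_spd(SPD_TEXT)

if __name__ == "__main__":
    # Constructed flows as seen from the Linux box at 172.20.14.168.
    samples = [
        Flow("172.20.14.168", 40000, "172.16.5.5", 22, "tcp", "out"),  # ssh to remote
        Flow("172.20.14.168", 40001, "172.16.5.5", 80, "tcp", "out"),  # http to remote
        Flow("172.16.5.5", 22, "172.20.14.168", 40000, "tcp", "in"),   # ssh reply
    ]
    for f in samples:
        hits = matching_policies(POLICIES, f)
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto} {f.direction}: "
              f"actions={[p.action for p in hits]} ambiguous={is_ambiguous(POLICIES, f)}")
```

Run as-is, the script shows that an outbound ssh session to 172.16.5.5 is covered by both the first "none" entry and the host-wide "ipsec" entry, while an outbound HTTP session is covered only by the "ipsec" entry; the same check applied to a whole list of expected flows is a quick way to find every selector overlap before adjusting the SPD.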