[Openswan Users] strongswan behind NAT problem - L2TP/IPSEC - "cannot respond to IPsec SA request because no connection is known for"

Andrew Lemin andrew.lemin at monitorsoft.com
Thu Jul 12 06:56:13 EDT 2007


Hello List.


I hope this is OK. I have also posted this on the strongswan list, but as I am so desperate for help, and most of the great comments I have seen from people have been on openswan, and as the distros are very similar, I thought I would post here too. I hope this is OK; I am sorry in advance if cross-posting is bad.


I am having real trouble with running strongswan behind NAT for an L2TP/IPSec implementation.

I have been working on this for nearly a month now without success :o( I am fairly new to 'swan' implementations, and I really need some help. Please!

I have looked through all the guides and lists I can find but still with no luck.
Thank you in advance.

I am getting the error:

"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: cannot respond to IPsec SA request because no connection is known for <SERVER-PUBLIC-IP>/32===192.168.214.2:4500[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=rt2.monitor.york_1, E=email at address.changed.com]:17/1701...<CLIENT-PUBLIC-IP>:4500[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=andrew.lemin_1, E=email at address.changed.com]:17/%any

"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 88.96.193.65:4500


Network Setup;

RoadWarrior Client (clients can potentially have local nets in 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Been testing with client
in 192.168.200.0/24)
    |
<CLIENT-NAT-GW-IP>
Client NAT Device
<CLIENT-PUBLIC-IP>
    |
INTERNET
    |
<SERVER-PUBLIC-IP>
Server Side NAT Device (Netgear FVX538)
<192.168.214.1>
    |
<192.168.214.2>
IPSec Server
<192.168.200.15>
    |
LAN I WANT TO ALLOW ACCESS TO (192.168.200.0/24)


Ipsec.conf;

version 2
conn block
	auto=ignore

conn private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

config setup
	plutodebug=control
	nat_traversal=yes

conn rt2.monitor.york__GT__andrew.lemin_0
	auto=start
	authby=rsasig
	left=%defaultroute
	leftprotoport=17/1701
	leftrsasigkey=%cert
	leftcert=rt2.monitor.york_1.pem
	leftid= 
	right=%any
	rightsubnetwithin=192.168.200.0/24
	rightrsasigkey=%cert
	rightid="/C=GB/ST=yorkshire/L=york/O=MCSLtd/OU=Support/CN=andrew.lemin_1/emailAddress=email at address.changed.com"
	rightprotoport=17/%any
	keylife=8h
	ikelifetime=1h
	pfs=no
	keyingtries=1
	ike=3des-md5-modp1024
	esp=3des-md5


Log;

| *received 312 bytes from <CLIENT-PUBLIC-IP>:500 on eth2
packet from <CLIENT-PUBLIC-IP>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
packet from <CLIENT-PUBLIC-IP>:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from <CLIENT-PUBLIC-IP>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from <CLIENT-PUBLIC-IP>:500: ignoring Vendor ID payload [Vid-Initial-Contact]
| preparse_isakmp_policy: peer requests RSASIG authentication
| instantiated "rt2.monitor.york__GT__andrew.lemin_0" for <SERVER-PUBLIC-IP>
| creating state object #1 at 0x810a3e8
| ICOOKIE: 66 b2 74 90 7d 02 46 3b
| RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
| peer: 58 60 c1 41
| state hash entry 5
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP> #1: responding to Main Mode from unknown peer <CLIENT-PUBLIC-IP>
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
| *received 360 bytes from <CLIENT-PUBLIC-IP>:500 on eth2
| ICOOKIE: 66 b2 74 90 7d 02 46 3b
| RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
| peer: 58 60 c1 41
| state hash entry 5
| state object #1 found, in STATE_MAIN_R1
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
| *received 1404 bytes from <CLIENT-PUBLIC-IP>:4500 on eth2
| ICOOKIE: 66 b2 74 90 7d 02 46 3b
| RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
| peer: 58 60 c1 41
| state hash entry 5
| state object #1 found, in STATE_MAIN_R2
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP> #1: Peer ID is ID_DER_ASN1_DN: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=andrew.lemin_1, E=email at address.changed.com'
| subject: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=andrew.lemin_1, E=email at address.changed.com'
| issuer: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=ca2.monitor.york, E=email at address.changed.com'
| authkey: f5:e2:bb:d5:51:73:19:ad:2d:2b:65:96:ea:ea:1c:1a:ab:bd:d7:89
| not before : Jan 01 00:00:00 UTC 2000
| current time: Jul 12 08:56:01 UTC 2007
| not after : Jul 06 00:00:00 UTC 2010
| certificate is valid
| issuer cacert found
| certificate signature is valid
| crl found
| crl signature is valid
| serial number: 03
| crl is valid
| certificate is good
| subject: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=ca2.monitor.york, E=email at address.changed.com'
| issuer: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=ca2.monitor.york, E=email at address.changed.com'
| authkey: f5:e2:bb:d5:51:73:19:ad:2d:2b:65:96:ea:ea:1c:1a:ab:bd:d7:89
| not before : Jan 01 00:00:00 UTC 2000
| current time: Jul 12 08:56:01 UTC 2007
| not after : Jul 06 00:00:00 UTC 2017
| certificate is valid
| issuer cacert found
| certificate signature is valid
| reached self-signed root ca
| an RSA Sig check passed with *AwEAAdSg1 [preloaded key]
| peer CA: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=ca2.monitor.york, E=email at address.changed.com'
| requested CA: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=ca2.monitor.york, E=email at address.changed.com'
| offered CA: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=ca2.monitor.york, E=email at address.changed.com'
| our certificate policy is ALWAYS_SEND
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP> #1: we have a cert and are sending it
| signing hash with RSA Key *AwEAAeEXt
| NAT-T: new mapping <CLIENT-PUBLIC-IP>:500/4500)
| inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sent MR3, ISAKMP SA established
| next event EVENT_NAT_T_KEEPALIVE in 20 seconds
| *received 316 bytes from <CLIENT-PUBLIC-IP>:4500 on eth2
| ICOOKIE: 66 b2 74 90 7d 02 46 3b
| RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
| peer: 58 60 c1 41
| state hash entry 5
| state object not found
| ICOOKIE: 66 b2 74 90 7d 02 46 3b
| RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
| peer: 58 60 c1 41
| state hash entry 5
| state object #1 found, in STATE_MAIN_R3
| our client is <SERVER-PUBLIC-IP>
| our client protocol/port is 17/1701
| no valid attribute cert found
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: cannot respond to IPsec SA request because no connection is known for <SERVER-PUBLIC-IP>/32===192.168.214.2:4500[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=rt2.monitor.york_1, E=support@monitorsoft.com]:17/1701...<CLIENT-PUBLIC-IP>:4500[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=andrew.lemin_1, E=support at monitorsoft.com]:17/%any
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to <CLIENT-PUBLIC-IP>:4500
| state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
| next event EVENT_NAT_T_KEEPALIVE in 20 seconds
IN=eth2 OUT= MAC=00:0d:88:cc:ff:5d:00:14:6c:84:f2:df:08:00 SRC=192.168.214.1 DST=192.168.214.2 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1320 DPT=137 LEN=58
| *received 316 bytes from <CLIENT-PUBLIC-IP>:4500 on eth2
| ICOOKIE: 66 b2 74 90 7d 02 46 3b
| RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
| peer: 58 60 c1 41
| state hash entry 5
| state object not found
| ICOOKIE: 66 b2 74 90 7d 02 46 3b
| RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
| peer: 58 60 c1 41
| state hash entry 5
| state object #1 found, in STATE_MAIN_R3
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6c066afc (perhaps this is a duplicated packet)
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to <CLIENT-PUBLIC-IP>:4500
| next event EVENT_NAT_T_KEEPALIVE in 19 seconds
| *received 316 bytes from <CLIENT-PUBLIC-IP>:4500 on eth2
| ICOOKIE: 66 b2 74 90 7d 02 46 3b
| RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
| peer: 58 60 c1 41
| state hash entry 5
| state object not found
| ICOOKIE: 66 b2 74 90 7d 02 46 3b
| RCOOKIE: 7c dd f4 a0 b1 ff 4f 31
| peer: 58 60 c1 41
| state hash entry 5
| state object #1 found, in STATE_MAIN_R3
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6c066afc (perhaps this is a duplicated packet)
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to <CLIENT-PUBLIC-IP>:4500


Ipsec status;

# ipsec status
000 "rt2.monitor.york__GT__andrew.lemin_0": 192.168.214.2[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=rt2.monitor.york_1,
E=support at monitorso.0/24}; unrouted; eroute owner: #0
000 "rt2.monitor.york__GT__andrew.lemin_0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
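Added example, not from the post or from strongswan/openswan: a small Python checker that parses the pluto "no connection is known for <ours>...<peer>" message and compares each endpoint of the rejected Quick Mode proposal with a conn's left/right settings, so the selector that fails to match is named explicitly. The log line and conn dict below are constructed to mirror the post, with RFC 5737 documentation addresses in place of the <SERVER-PUBLIC-IP> and <CLIENT-PUBLIC-IP> placeholders; it handles proposals with or without a client subnet on either side, which is more general than the single case in the log.

```python
import ipaddress, re

# Pluto prints each endpoint of the rejected proposal as
#   [client-subnet===]host:port[ID]:proto/port   (IPv4 only, as in the post).
_IPV4 = r'\d+(?:\.\d+){3}'
ENDPOINT_RE = re.compile(
    rf'(?:(?P<subnet>{_IPV4}/\d+)===)?(?P<host>{_IPV4}):(?P<port>\d+)'
    r'\[(?P<id>[^\]]*)\]:(?P<proto>\d+)/(?P<pport>%?\w+)')

# Constructed sample modelled on the post; RFC 5737 addresses replace the placeholders.
SAMPLE_LINE = ('"rt2.monitor.york__GT__andrew.lemin_0"[1] 203.0.113.7:4500 #1: cannot respond to IPsec SA '
               'request because no connection is known for 198.51.100.9/32===192.168.214.2:4500'
               '[CN=rt2.monitor.york_1]:17/1701...203.0.113.7:4500[CN=andrew.lemin_1]:17/%any')
SAMPLE_CONN = {'left': '192.168.214.2', 'leftprotoport': '17/1701',
               'rightsubnetwithin': '192.168.200.0/24', 'rightprotoport': '17/%any'}

def parse_no_connection(line):
    # Returns [ours, peer] endpoint dicts, or None if the (unwrapped) line is not this message.
    _, found, tail = line.partition('no connection is known for ')
    if not found:
        return None
    ends = []
    for m in ENDPOINT_RE.finditer(tail):
        e = m.groupdict()
        e['subnet'] = e['subnet'] or f"{e['host']}/32"   # no "subnet===": the host itself
        e['protoport'] = f"{e['proto']}/{e['pport']}"
        ends.append(e)
    return ends if len(ends) == 2 else None

def _protoport_ok(conf, asked):
    # conn-side protoport accepts the proposal; 0 or %any on the conn side is a wildcard
    (proto, port), (aproto, aport) = conf.split('/'), asked.split('/')
    return proto in ('0', aproto) and port in ('0', '%any', aport)

def diagnose(line, conn):
    # Names each selector of `conn` that fails to match the proposal in `line`.
    ends = parse_no_connection(line)
    if ends is None:
        return []
    ours, peer = ends
    out = []
    want = conn.get('leftsubnet') or f"{conn['left']}/32"    # default: our own address
    if ours['subnet'] != want:          # NATed server: the peer names our public address
        out.append(f"our client {ours['subnet']} != conn left side {want}")
    for side, ep, key in (('our', ours, 'leftprotoport'), ('peer', peer, 'rightprotoport')):
        if not _protoport_ok(conn.get(key, '0/0'), ep['protoport']):
            out.append(f"{side} protoport {ep['protoport']} != {key}")
    within = conn.get('rightsubnetwithin')
    if within and not ipaddress.ip_network(peer['subnet']).subnet_of(ipaddress.ip_network(within)):
        out.append(f"peer client {peer['subnet']} not within rightsubnetwithin {within}")
    return out
```

Run `diagnose(SAMPLE_LINE, SAMPLE_CONN)` to see the two selectors that differ in the post's scenario: the client addresses the server's public IP as the server-side client, while the conn only offers the private address behind the NAT.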





