[Openswan Users]
cannot respond to IPsec SA request because no connection is known
for 0.0.0.0/0
Gregor Bethlen
saphira at bethlen.de
Thu Jul 15 13:43:41 CEST 2004
Hello list,
I'm trying to get warm with Openswan, so I'm trying to set up a test installation. My experience with openswan is nearly nil, so maybe my question is dumb. I looked around in the mailing list and found users with the same problem, but the origin of the problem was a different one. You will see.
I have 2 systems.
1 VPN server
openswan 2.1.4
SuSE Linux 9.1 Professional
kernel 2.6.4 (shipped with SuSE)
compiling and installing openswan (userland) went through fine
IP 192.168.1.1, subnet 255.255.255.0
1 Windows XP system
IP 192.168.1.2, subnet 255.255.255.0
Both systems are connected with a hub (connectivity OK).
My ipsec.conf:
-------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# This file: /usr/share/doc/packages/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.strongsec.com/freeswan/install.htm

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        # Certificate Revocation List handling
        #crlcheckinterval=600
        #strictcrlpolicy=yes
        # Change rp_filter setting, default = 0 (switch off)
        #rp_filter=%unchanged
        # Switch on NAT-Traversal (if patch is installed)
        #nat_traversal=no

# default settings for connections
conn %default
        # Default: %forever (try forever)
        #keyingtries=3
        # Sig keys (default: %dnsondemand)
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        # Lifetimes, defaults are 1h/8hrs
        #ikelifetime=20m
        #keylife=1h
        #rekeymargin=8m

# OE policy groups are disabled by default
conn block
        auto=ignore

conn clear
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn packetdefault
        auto=ignore

#conn OEself
#       auto=ignore

# Add connections here.
conn vpntest
        left=192.168.1.1
        leftcert=/root/vpncert.der
        leftid=[X.500-Name protected]
        leftca=[X.500-Name protected]
        leftrsasigkey=%cert
        #leftsubnet=192.168.1.0/24
        right=%any
        #rightnexthop=192.168.1.2
        rightid=[X.500-Name protected]
        rightca=%same
        rightrsasigkey=%cert
        rightsubnet=192.168.1.0/24
        auto=add
-------
As you can see, I tried several options (with leftsubnet, without, with rightnexthop, without, all the same)
When I try to ping from my Windows XP system, I get the following error on the VPN server (/var/log/messages):
------
Jul 15 14:07:37 linux ipsec_setup: Starting Openswan IPsec U2.1.4/K2.6.4-52-default...
Jul 15 14:07:37 linux ipsec_setup: KLIPS ipsec0 on eth0 192.168.1.1/255.255.255.0 broadcast 192.168.1.255
Jul 15 14:07:38 linux ipsec__plutorun: Starting Pluto subsystem...
Jul 15 14:07:38 linux ipsec_setup: ...Openswan IPsec started
Jul 15 14:07:38 linux pluto[6809]: Starting Pluto (Openswan Version 2.1.4 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Jul 15 14:07:38 linux pluto[6809]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 15 14:07:38 linux pluto[6809]: Using Linux 2.6 IPsec interface code
Jul 15 14:07:38 linux pluto[6809]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 15 14:07:38 linux pluto[6809]: loaded cacert file 'cacert.pem' (2411 bytes)
Jul 15 14:07:38 linux pluto[6809]: Changing to directory '/etc/ipsec.d/crls'
Jul 15 14:07:38 linux pluto[6809]: Warning: empty directory
Jul 15 14:07:38 linux pluto[6809]: loaded host cert file '/root/vpncert.der' (1100 bytes)
Jul 15 14:07:38 linux pluto[6809]: added connection description "vpntest"
Jul 15 14:07:38 linux pluto[6809]: listening for IKE messages
Jul 15 14:07:38 linux pluto[6809]: adding interface eth0/eth0 192.168.1.1
Jul 15 14:07:38 linux pluto[6809]: adding interface lo/lo 127.0.0.1
Jul 15 14:07:38 linux pluto[6809]: adding interface lo/lo ::1
Jul 15 14:07:38 linux pluto[6809]: loading secrets from "/etc/ipsec.secrets"
Jul 15 14:07:38 linux pluto[6809]: loaded private key file '/etc/ipsec.d/private/user.key' (497 bytes)
Jul 15 14:08:02 linux pluto[6809]: packet from 192.168.1.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Jul 15 14:08:02 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: responding to Main Mode from unknown peer 192.168.1.2
Jul 15 14:08:02 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: transition from state (null) to state STATE_MAIN_R1
Jul 15 14:08:02 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: Peer ID is ID_DER_ASN1_DN: '[X.500-Name protected]'
Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: issuer crl not found
Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: issuer crl not found
Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: sent MR3, ISAKMP SA established
Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.1.1[[X.500-Name protected],S=C]...192.168.1.2[[X.500-Name protected],S=C]
Jul 15 14:08:04 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xdf003c6b (perhaps this is a duplicated packet)
-------
I ALWAYS get "cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0", even though I haven't defined the subnet 0.0.0.0/0 anywhere (neither leftsubnet nor rightsubnet). The default gateway on my VPN server is 192.168.1.20 (it doesn't exist, but having none gives me an error regarding the default route).
This is initiated through a ping from my Win XP system. The "response" from ping is "Negotiating IP Security".
Having "plutodebug=all" in ipsec.conf tells me the authentication succeeded. So this seems to work. But my VPN server can't respond to pings.
Any help would be greatly appreciated.
Thanks,
Gregor
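Added example, not code from the post above or from the Openswan project: a small checker that reads the refused traffic selectors out of a Pluto "cannot respond to IPsec SA request because no connection is known for ..." line and compares them with the conns in ipsec.conf. It assumes the end format Pluto logs is our_client===our_host[id]...peer_host[id]===peer_client, with a client omitted when it is just the host, which is how the posted line reads: on that reading the 0.0.0.0/0 is the selector the Windows side proposed for the server's end of the tunnel, not a value taken from ipsec.conf, and the peer proposed only its own address for its side. The sample config and log line are constructed from the post, trimmed to the lines that matter.

```python
"""Check a Pluto "no connection is known for ..." line against the conns in ipsec.conf.

Added example; not Openswan code.  Assumes Pluto's end format is
our_client===our_host[id]...peer_host[id]===peer_client (client omitted when it
equals the host) and Openswan-2 ipsec.conf syntax with "conn %default" inheritance.
"""
import ipaddress
import re
from typing import Dict, List, Optional

_NO_CONN = re.compile(
    r"cannot respond to IPsec SA request because no connection is known for "
    r"(?:(?P<our_client>[0-9./]+)===)?(?P<our_host>[0-9.]+)(?:\[(?P<our_id>.*?)\])?"
    r"\.\.\."
    r"(?P<peer_host>[0-9.]+)(?:\[(?P<peer_id>.*?)\])?(?:===(?P<peer_client>[0-9./]+))?\s*$"
)


def parse_no_conn(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the selectors the peer proposed, or None if this is not that message."""
    m = _NO_CONN.search(line)
    return m.groupdict() if m else None


def parse_conns(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect conn sections, applying 'conn %default' to every real conn."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and indentation
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        if kind in ("conn", "config"):            # a new section starts
            current = sections.setdefault(f"{kind} {rest.strip()}", {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    return {name[5:]: {**defaults, **params}
            for name, params in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def _selector(subnet: Optional[str], host: Optional[str]) -> Optional[ipaddress.IPv4Network]:
    """Selector an end will accept: its subnet, else its own /32, else None for %any."""
    if subnet:
        return ipaddress.ip_network(subnet, strict=False)
    if host and not host.startswith("%"):
        return ipaddress.ip_network(host)
    return None


def diagnose(log_line: str, conf: str) -> Dict[str, List[str]]:
    """For each loaded conn, list why it cannot serve the proposal (empty list = it could)."""
    req = parse_no_conn(log_line)
    if req is None:
        raise ValueError("not a 'no connection is known for' line")
    want_left = ipaddress.ip_network(req["our_client"] or req["our_host"])
    want_right = ipaddress.ip_network(req["peer_client"] or req["peer_host"])
    report: Dict[str, List[str]] = {}
    for name, conn in parse_conns(conf).items():
        if conn.get("auto") == "ignore":          # never loaded into Pluto
            continue
        problems: List[str] = []
        have_left = _selector(conn.get("leftsubnet"), conn.get("left"))
        if have_left != want_left:
            shown = str(have_left) if have_left is not None else "unspecified"
            problems.append(f"left: conn offers {shown} (leftsubnet="
                            f"{conn.get('leftsubnet', 'unset')}), peer proposed {want_left} for this side")
        have_right = _selector(conn.get("rightsubnet"), conn.get("right"))
        if have_right is None:                    # right=%any with no rightsubnet: peer host only
            ok = want_right == ipaddress.ip_network(req["peer_host"])
        else:
            ok = have_right == want_right
        if not ok:
            shown = str(have_right) if have_right is not None else "the peer address only"
            problems.append(f"right: conn expects {shown} (rightsubnet="
                            f"{conn.get('rightsubnet', 'unset')}), peer proposed {want_right} for itself")
        report[name] = problems
    return report


# Constructed from the post: the relevant conn plus the logged refusal.
SAMPLE_CONF = """\
conn %default
        leftrsasigkey=%cert
        rightrsasigkey=%cert
conn block
        auto=ignore
conn vpntest
        left=192.168.1.1
        leftid=[X.500-Name protected]
        right=%any
        rightsubnet=192.168.1.0/24
        auto=add
"""
SAMPLE_LOG = (
    'Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: cannot respond to '
    "IPsec SA request because no connection is known for "
    "0.0.0.0/0===192.168.1.1[[X.500-Name protected],S=C]...192.168.1.2[[X.500-Name protected],S=C]"
)

if __name__ == "__main__":
    for conn_name, issues in diagnose(SAMPLE_LOG, SAMPLE_CONF).items():
        print(conn_name, "->", issues or ["selectors match"])
```

Run against the posted data it reports two mismatches for vpntest: the server end has no leftsubnet, so it offers only 192.168.1.1/32 while the peer asked for 0.0.0.0/0 on that side, and rightsubnet=192.168.1.0/24 expects a subnet behind the peer while the peer proposed only 192.168.1.2/32 for itself. Both sides of the selector pair have to match before Pluto will answer the Quick Mode request, so the conn and the Windows filter need to agree on both ends.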