[Openswan Users] cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0

Gregor Bethlen saphira at bethlen.de
Thu Jul 15 13:43:41 CEST 2004


Hello list,

I'm trying to get warm with OpenS/WAN, though I'm trying to set up a test installation. My experience with openswan is nearly NULL, so maybe my question is dumb. I looked around in the mailing list and found users with the same problem, but the origin of the problem was a different one. You will see.

I have 2 systems.

1 VPN-Server
openswan 2.1.4
suse linux 9.1 professional
kernel 2.6.4 (shipped with suse)

Compiling and installing openswan (userland) went right through.

IP 192.168.1.1 Subnet 255.255.255.0


1 Windows XP-System
IP 192.168.1.2 subnet 255.255.255.0


Both systems connected with a hub (connectivity OK)


My ipsec.conf:

-------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $

# This file:  /usr/share/doc/packages/freeswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
#
# Help:
# http://www.strongsec.com/freeswan/install.htm

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=none
	# Certificate Revocation List handling
	#crlcheckinterval=600
	#strictcrlpolicy=yes
	# Change rp_filter setting, default = 0 (switch off)
	#rp_filter=%unchanged
	# Switch on NAT-Traversal (if patch is installed)
	#nat_traversal=no

# default settings for connections
conn %default
	# Default: %forever (try forever)
	#keyingtries=3
	# Sig keys (default: %dnsondemand)
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	# Lifetimes, defaults are 1h/8hrs
	#ikelifetime=20m
	#keylife=1h
	#rekeymargin=8m

# OE policy groups are disabled by default

conn block
	auto=ignore

conn clear
	auto=ignore

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn packetdefault
	auto=ignore

#conn OEself
#	auto=ignore

# Add connections here.

conn vpntest
	left=192.168.1.1
	leftcert=/root/vpncert.der
	leftid=[X.500-Name protected]
	leftca=[X.500-Name protected]
	leftrsasigkey=%cert
	#leftsubnet=192.168.1.0/24
	right=%any
	#rightnexthop=192.168.1.2
	rightid=[X.500-Name protected]
	rightca=%same
	rightrsasigkey=%cert
	rightsubnet=192.168.1.0/24
	auto=add
-------

As you can see, I tried several options (with leftsubnet, without, with rightnexthop, without, all the same).

When I try to ping with my Windows-XP-System, I get the following error on the VPN-Server (/var/log/messages):

------
Jul 15 14:07:37 linux ipsec_setup: Starting Openswan IPsec U2.1.4/K2.6.4-52-default...
Jul 15 14:07:37 linux ipsec_setup: KLIPS ipsec0 on eth0 192.168.1.1/255.255.255.0 broadcast 192.168.1.255 
Jul 15 14:07:38 linux ipsec__plutorun: Starting Pluto subsystem...
Jul 15 14:07:38 linux ipsec_setup: ...Openswan IPsec started
Jul 15 14:07:38 linux pluto[6809]: Starting Pluto (Openswan Version 2.1.4 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Jul 15 14:07:38 linux pluto[6809]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 15 14:07:38 linux pluto[6809]: Using Linux 2.6 IPsec interface code
Jul 15 14:07:38 linux pluto[6809]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 15 14:07:38 linux pluto[6809]:   loaded cacert file 'cacert.pem' (2411 bytes)
Jul 15 14:07:38 linux pluto[6809]: Changing to directory '/etc/ipsec.d/crls'
Jul 15 14:07:38 linux pluto[6809]:   Warning: empty directory
Jul 15 14:07:38 linux pluto[6809]:   loaded host cert file '/root/vpncert.der' (1100 bytes)
Jul 15 14:07:38 linux pluto[6809]: added connection description "vpntest"
Jul 15 14:07:38 linux pluto[6809]: listening for IKE messages
Jul 15 14:07:38 linux pluto[6809]: adding interface eth0/eth0 192.168.1.1
Jul 15 14:07:38 linux pluto[6809]: adding interface lo/lo 127.0.0.1
Jul 15 14:07:38 linux pluto[6809]: adding interface lo/lo ::1
Jul 15 14:07:38 linux pluto[6809]: loading secrets from "/etc/ipsec.secrets"
Jul 15 14:07:38 linux pluto[6809]:   loaded private key file '/etc/ipsec.d/private/user.key' (497 bytes)
Jul 15 14:08:02 linux pluto[6809]: packet from 192.168.1.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Jul 15 14:08:02 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: responding to Main Mode from unknown peer 192.168.1.2
Jul 15 14:08:02 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: transition from state (null) to state STATE_MAIN_R1
Jul 15 14:08:02 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: Peer ID is ID_DER_ASN1_DN: '[X.500-Name protected]'
Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: issuer crl not found
Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: issuer crl not found
Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: sent MR3, ISAKMP SA established
Jul 15 14:08:03 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.1.1[[X.500-Name protected],S=C]...192.168.1.2[[X.500-Name protected],S=C]
Jul 15 14:08:04 linux pluto[6809]: "vpntest"[1] 192.168.1.2 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xdf003c6b (perhaps this is a duplicated packet)
-------


I ALWAYS get "cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0", even though I haven't defined the subnet 0.0.0.0/0 anywhere (neither leftsubnet nor rightsubnet). The standard gateway on my VPN-Server is 192.168.1.20 (it doesn't exist, but having none gets me an error regarding defaultroute).

This is initiated through a ping on my Win-XP-System. The "response" of ping is "Negotiating IP Security".

Having "plutodebug=all" in ipsec.conf tells me the authentication succeeded. So this seems to work. But my VPN-Server can't respond to pings.

Any help would be greatly appreciated.

Thanks,

Gregor


