[Openswan Users] WinXP and "cannot respond to IPsec"
Dennis Leist
dl at byteeffect.de
Wed Mar 10 13:43:06 CET 2004
Hi all,
I need to set up a VPN-Server located behind a Speed Touch Router. Its
IP is static.
The linux box is currently running under SUSE 9.0 with
freeswan-2.04_1.4.8-12.
/---------------\        /---------------\        /---------------\        /---------------\
| Linux 2.4.19  |        | Speed Touch   |        | w-Lan Router  |        | WIN XP        |
| 192.168.0.70  |<-------| 192.168.0.1   |<-------| WAN-IP:       |<-------| W-LAN-IP:     |
|               |        | 62.3.4.5      |        | 80.129.5.6    |        | 192.168.1.10  |
\---------------/        \---------------/        \---------------/        \---------------/
I think the problem I encounter is the connection from the linux box
back to the client
because I see an "exceeded timelimit" in oakley.log.
I get the following in v/l/m:
vpnserver pluto[19387]: packet from 80.129.5.6:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
vpnserver pluto[19387]: "vpngateway"[25] 80.129.5.6 #13: responding to Main Mode from unknown peer 80.129.5.6
vpnserver pluto[19387]: "vpngateway"[25] 80.129.5.6 #13: Peer ID is ID_DER_ASN1_DN: 'C=DE, CN=((CN))'
vpnserver pluto[19387]: "vpngateway"[26] 80.129.5.6 #13: deleting connection "vpngateway" instance with peer 80.129.5.6 {isakmp=#0/ipsec=#0}
vpnserver pluto[19387]: "vpngateway"[26] 80.129.5.6 #13: sent MR3, ISAKMP SA established
vpnserver pluto[19387]: "vpngateway"[26] 80.129.5.6 #13: cannot respond to IPsec SA request because no connection is known for 62.3.4.5/32===192.168.0.70[CN=((CN))]:17/0...80.129.5.6[CN=(CN)]:17/1701===192.168.1.10/32
vpnserver pluto[19387]: "vpngateway"[26] 80.129.5.6 #13: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfadc470d (perhaps this is a duplicated packet)
What do I need to change in ipsec.conf to make it run?
The ipsec.conf:
<snip ipsec.conf>
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none

conn %default
    authby=rsasig

conn vpngateway
    left=192.168.0.70
    leftnexthop=192.168.0.1
    leftrsasigkey=%cert
    leftcert=gatecert.pem
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    pfs=no
    rightprotoport=17/0
    keyingtries=0
    disablearrivalcheck=no
    auto=add

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn OEself
    auto=ignore
<snap : ipsec.conf>