[Openswan Users] freeswan-1.99: cannot respond to IPsec SA

Jacco de Leeuw jacco2 at dds.nl
Mon Mar 29 19:38:53 CEST 2004


Dennis Leist wrote:

> vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: cannot respond 
> to IPsec SA request because no connection is known for 
> 62.206.19.146[C=DE, ST=Hamburg, L=Hamburg, CN=<Admin 
      ^^^^^^
> CN>]:17/0...213.39.205.80[C=DE, ST=Koeln, CN=<User 
> CN>]:17/1701==={192.168.1.99/32}

You always have to take a "no connection known" error literally.
Compare this with your ipsec.conf:

> conn w2k-client
>        left=62.210.20.146
                  ^^^^^^
>        leftnexthop=62.210.20.145
>        leftprotoport=17/0
>        right=%any
>        rightrsasigkey=%cert
>        pfs=no
>        rightsubnet=192.168.1.99/32
>        rightprotoport=17/1701
>        keyingtries=0

There is some disagreement on what the server's IP address is.

Also, the XP or W2K client is behind NAT but it seems you are using
IPsec passthrough and not NAT-Traversal (because you use 17/0). I am
not sure if Transport Mode (which is required by L2TP over IPsec)
is supported by IPsec passthrough.

Here are your options:

- Use plain IPsec in Tunnel Mode (with Marcus Mueller's IPSEC.EXE tool)
   instead of L2TP over IPsec, and continue to use IPsec passthrough.
- Install the IPsec NAT-T update on the XP/W2K client and enable NAT-T
   on the server too.

You might also want to set keyingtries to something other than 0,
because now it will continuously try to set up a connection.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
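As an added worked example (not part of the post above), the check Jacco does by eye, done in Python: parse the "no connection is known for" line pluto logs, parse the conn block from ipsec.conf, and report which fields of the peer's proposal the conn does not match. The log line and conn block are constructed from the ones quoted in the thread; the `also=` directive and multi-file configs are not handled.

```python
import re

# Constructed sample input, copied from the thread (with the original mismatch kept).
PLUTO_LINE = ('"w2k-client"[4] 213.39.205.80 #2: cannot respond to IPsec SA request '
              'because no connection is known for 62.206.19.146[C=DE, ST=Hamburg, '
              'L=Hamburg, CN=<Admin CN>]:17/0...213.39.205.80[C=DE, ST=Koeln, '
              'CN=<User CN>]:17/1701==={192.168.1.99/32}')
IPSEC_CONF = """
conn w2k-client
       left=62.210.20.146
       leftnexthop=62.210.20.145
       leftprotoport=17/0
       right=%any
       rightrsasigkey=%cert
       pfs=no
       rightsubnet=192.168.1.99/32
       rightprotoport=17/1701
       keyingtries=0
"""

# left-ip[left-id]:proto/port...right-ip[right-id]:proto/port==={right-subnet}
NOCONN_RE = re.compile(
    r'no connection is known for (?P<lip>[\d.]+)\[[^\]]*\]:(?P<lpp>\d+/\d+)'
    r'\.\.\.(?P<rip>[\d.]+)\[[^\]]*\]:(?P<rpp>\d+/\d+)(?:===\{(?P<rsub>[^}]+)\})?')

def parse_noconn(line):
    """Return the endpoints pluto could not match, or None if the line is something else."""
    m = NOCONN_RE.search(line)
    return m.groupdict() if m else None

def parse_conns(text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}} (no 'also=' handling)."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('conn '):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and '=' in line:
            key, value = line.split('=', 1)
            cur[key.strip()] = value.strip()
    return conns

def find_mismatches(proposal, conn):
    """List every field where the peer's proposal differs from the conn definition."""
    want = {'left': proposal['lip'], 'leftprotoport': proposal['lpp'],
            'right': proposal['rip'], 'rightprotoport': proposal['rpp'],
            'rightsubnet': proposal['rsub']}
    findings = []
    for key, seen in want.items():
        have = conn.get(key)
        if key == 'right' and have == '%any':
            continue  # %any accepts any peer address, so it cannot be the cause
        if seen is not None and have != seen:
            findings.append(f'{key}: conf has {have!r}, peer proposed {seen!r}')
    if conn.get('keyingtries') == '0':
        findings.append('keyingtries=0: pluto will retry this connection forever')
    return findings
```

Running `find_mismatches(parse_noconn(PLUTO_LINE), parse_conns(IPSEC_CONF)['w2k-client'])` reports the `left` address disagreement and the keyingtries=0 setting, which are exactly the two points raised above.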