[Openswan Users] freeswan-1.99: cannot respond to IPsec SA

Dennis Leist dl at byteeffect.de
Mon Mar 29 22:37:59 CEST 2004


Jacco de Leeuw wrote:

> Dennis Leist wrote:
>
>> vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: cannot 
>> respond to IPsec SA request because no connection is known for 
>> 62.206.19.146[C=DE, ST=Hamburg, L=Hamburg, CN=<Admin 
>
>      ^^^^^^


>> CN>]:17/0...213.39.205.80[C=DE, ST=Koeln, CN=<User 
>> CN>]:17/1701==={192.168.1.99/32}
>
>
> You always have to take a "no connection known" error literally.
> Compare this with your ipsec.conf:
>
>> conn w2k-client
>>        left=62.210.20.146
>
>                  ^^^^^^

Well, it's my fault, because the server's IP is 62.210.20.146, as defined 
in ipsec.conf.
So the error is like this:

vpnserver pluto[27464]: packet from 213.39.182.221:500: ignoring Vendor 
ID payload
vpnserver pluto[27464]: "w2k-client"[5] 213.39.182.221 #3: responding to 
Main Mode from unknown peer 213.39.182.221
vpnserver pluto[27464]: "w2k-client"[5] 213.39.182.221 #3: only 
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute 
OAKLEY_GROUP_DESCRIPTION
vpnserver pluto[27464]: "w2k-client"[5] 213.39.182.221 #3: Peer ID is 
ID_DER_ASN1_DN: 'C=DE, ST=Koeln, O=<company>, OU=<section>, 
CN=<Roadwarrior>, E=<rodwarrior at company.com>'
vpnserver pluto[27464]: "w2k-client"[6] 213.39.182.221 #3: deleting 
connection "w2k-client" instance with peer 213.39.182.221
vpnserver pluto[27464]: "w2k-client"[6] 213.39.182.221 #3: sent MR3, 
ISAKMP SA established
vpnserver pluto[27464]: "w2k-client"[6] 213.39.182.221 #3: cannot 
respond to IPsec SA request because no connection is known for 
62.210.20.146[C=DE, ST=Hamburg, L=Hamburg, O=<company>, OU=<other 
section>, CN=Dennis 
Leist,E=<dennis at company.com>]:17/0...213.39.182.221[C=DE, ST=Koeln, 
O=<company>, OU=<section>, CN=<Roadwarrior>, 
E=<rodwarrior at company.com>]:17/1701===192.168.1.99/32
vpnserver pluto[27464]: "w2k-client"[6] 213.39.182.221 #3: sending 
encrypted notification INVALID_ID_INFORMATION to 213.39.182.221:500
vpnserver pluto[27464]: "w2k-client"[6] 213.39.182.221 #3: Quick Mode I1 
message is unacceptable because it uses a previously used Message ID 
0x87770724 (perhaps this is a duplicated packet)
vpnserver pluto[27464]: "w2k-client"[6] 213.39.182.221 #3: sending 
encrypted notification INVALID_MESSAGE_ID to 213.39.182.221:500
vpnserver pluto[27464]: "w2k-client"[6] 213.39.182.221 #3: Quick Mode I1 
message is unacceptable because it uses a previously used Message ID 
0x87770724 (perhaps this is a duplicated packet)
vpnserver pluto[27464]: "w2k-client"[6] 213.39.182.221 #3: sending 
encrypted notification INVALID_MESSAGE_ID to 213.39.182.221:500
vpnserver pluto[27464]: "w2k-client"[6] 213.39.182.221 #3: received 
Delete SA payload: deleting ISAKMP State #3
vpnserver pluto[27464]: "w2k-client"[6] 213.39.182.221: deleting 
connection "w2k-client" instance with peer 213.39.182.221
vpnserver pluto[27464]: packet from 213.39.182.221:500: received and 
ignored informational message

>>        leftnexthop=62.210.20.145
>>        leftprotoport=17/0
>>        right=%any
>>        rightrsasigkey=%cert
>>        pfs=no
>>        rightsubnet=192.168.1.99/32
>>        rightprotoport=17/1701
>>        keyingtries=0
>
>
> There is some disagreement on what the server's IP address is.

Well, I think it's my fault in my explanation... ;-)

>
> Also, the XP or W2K client is behind NAT but it seems you are using
> IPsec passthrough and not NAT-Traversal (because you use 17/0). I am
> not sure if Transport Mode (which is required by L2TP over IPsec)
> is supported by IPsec passthrough.
>
> Here are your options:
>
> - Use plain IPsec in Tunnel Mode (with Marcus Mueller's IPSEC.EXE tool)
>   instead of L2TP over IPsec, and continue to use IPsec passthrough.
> - Install the IPsec NAT-T update on the XP/W2K client and enable NAT-T
>   on the server too.

I'd like to use option number 2 ;-) because I tried Marcus Mueller's 
ipsec.exe - it didn't do anything!
I've read about the NAT-T update (for the clients), but I never found it. Do 
you have a link?
Which option is used to activate NAT-T on the server?

>
> You might also want to set keyingtries to something else than 0,
> because now it will continuously try to set up a connection.

Done. Thanks so far.
Greets Dennis
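As an added illustration of Jacco's advice above to take "no connection is known" literally and compare it with ipsec.conf (this is not code from the thread or from Openswan), the Python below pulls the left/right addresses, protoports and subnet out of such a pluto log line and diffs them against the matching conn block. The sample log line and ipsec.conf are constructed from the values quoted in this thread, with the DNs shortened.

```python
import re

# Constructed sample, based on the first log line quoted in this thread (DNs shortened).
PLUTO_LINE = ('vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: cannot '
              'respond to IPsec SA request because no connection is known for '
              '62.206.19.146[C=DE, CN=<Admin CN>]:17/0...'
              '213.39.205.80[C=DE, CN=<User CN>]:17/1701==={192.168.1.99/32}')

# Constructed ipsec.conf fragment, based on the conn block quoted in this thread.
IPSEC_CONF = """conn w2k-client
        left=62.210.20.146
        leftnexthop=62.210.20.145
        leftprotoport=17/0
        right=%any
        rightrsasigkey=%cert
        pfs=no
        rightsubnet=192.168.1.99/32
        rightprotoport=17/1701
        keyingtries=0
"""

# Shape of the pluto message: LEFTIP[DN]:proto/port...RIGHTIP[DN]:proto/port==={subnet}
# (pluto prints the subnet with or without braces, so both are accepted).
NOCONN_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #\d+: cannot respond to IPsec SA request '
    r'because no connection is known for '
    r'(?P<left>\d+\.\d+\.\d+\.\d+)\[[^\]]*\]:(?P<lpp>\d+/\d+)\.\.\.'
    r'(?P<right>\d+\.\d+\.\d+\.\d+)\[[^\]]*\]:(?P<rpp>\d+/\d+)'
    r'===\{?(?P<rsubnet>[\d./]+)\}?')

def parse_noconn(line):
    """Return the fields of a 'no connection is known' line, or None."""
    m = NOCONN_RE.search(line)
    return m.groupdict() if m else None

def parse_conns(text):
    """Minimal ipsec.conf reader: conn name -> {key: value}."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('conn '):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur and '=' in line:
            k, v = line.split('=', 1)
            conns[cur][k.strip()] = v.strip()
    return conns

def mismatches(line, conf_text):
    """Map each conn setting that disagrees with the request to (configured, requested)."""
    req = parse_noconn(line)
    if req is None:
        return None
    conn = parse_conns(conf_text).get(req['conn'], {})
    wanted = {'left': req['left'], 'leftprotoport': req['lpp'],
              'rightprotoport': req['rpp'], 'rightsubnet': req['rsubnet']}
    return {k: (conn.get(k), v) for k, v in wanted.items() if conn.get(k) != v}
```

Run on the sample it reports only `left` as the disagreeing setting, which is exactly the address typo Jacco spotted by eye.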