[Openswan Users] no connection is known for...
Juha Pietikäinen
juha.pietikainen at connet.net
Sat May 22 11:02:19 CEST 2004
Hi,
I have a similar configuration except my Openswan server is also behind a
NAT router.
I would suggest that you check your configuration from your Openswan server
with "ipsec auto --status" command and compare the results with your secure
log.
The line "May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[ ..Openswan GW's DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP client's DN.. ]:17/1701" should match the line in the "ipsec auto --status" output where "L2TP-CERT" is defined.
Maybe you should try to uncomment "rightsubnetwithin=..." and change
right=Y.Y.Y.Y, if Y.Y.Y.Y is a static IP address.
Regards
Juha Pietikäinen
----- Original Message -----
From: "Mark Frost" <mfrost at westnet.com>
To: <users at lists.openswan.org>
Sent: Friday, May 21, 2004 11:11 PM
Subject: [Openswan Users] no connection is known for...
>
> I'm stuck. I've got the following situation:
>
>
> 192.168.1.101 (WinXP client)
> |
> Linksys cable router (doing NAT)
> || (Y.Y.Y.Y)
> ||
> || (Internet)
> ||
> || (X.X.X.X)
> Openswan gateway
> |
> |
> NAT'd network (ultimate destination)
>
>
> In other words, I'm going from a WinXP client on a NAT'd network, across the Internet,
> then into another NAT'd network on the other side of the Openswan gateway. It is my understanding
> that the only way to possibly accomplish this is to do the combination of L2TP+IPsec, which is what
> I'm working on. I'm just at the first phase of getting the IPsec part to work (i.e. the
> tunnel just to the gateway).
>
> I'm getting the following messages in /var/log/secure when I "dial out" from the WinXP client:
>
> ---------
> May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [FRAGMENTATION]
> May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [26244d38eddb61b3...]
> May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: responding to Main Mode from unknown peer Y.Y.Y.Y
> May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
> May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state (null) to state STATE_MAIN_R1
> May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NY, L=South Salem, O=Mark Frost, CN=mfrost99'
> May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> May 21 15:43:38 outpost pluto[3925]: | NAT-T: new mapping Y.Y.Y.Y:500/4500)
> May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: sent MR3, ISAKMP SA established
> May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[ ..Openswan GW's DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP client's DN.. ]:17/1701
> May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4887469 (perhaps this is a duplicated packet)
> May 21 15:44:08 outpost last message repeated 4 times
> May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: received Delete SA payload: deleting ISAKMP State #1
> May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500: deleting connection "L2TP-CERT" instance with peer Y.Y.Y.Y {isakmp=#0/ipsec=#0
> ---------
>
> Note that X.X.X.X is the Openswan gateway's external (public) IP address and Y.Y.Y.Y is the
> public address on the Linksys box.
>
> Here's my /etc/ipsec.conf file:
>
> --------
> version 2.0
>
> config setup
> interfaces=%defaultroute
> nat_traversal=yes
> klipsdebug=none
> plutodebug=none
> uniqueids=yes
>
> conn %default
> keyingtries=1
> compress=yes
> disablearrivalcheck=no
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
>
> conn L2TP-CERT
> #
> # Use a certificate. Disable Perfect Forward Secrecy.
> #
> authby=rsasig
> pfs=no
> left=X.X.X.X
> leftnexthop=%defaultroute
> leftrsasigkey=%cert
> leftcert=/etc/ipsec.d/certs/openswan_gw.pem
> leftsendcert=always
> leftprotoport=17/1701
> #
> # The remote user.
> #
> right=%any
> rightrsasigkey=%cert
> rightcert=/etc/ipsec.d/certs/winxp_client.pem
> rightsubnetwithin=192.168.1.0/24
> rightprotoport=17/1701
> #
> # Authorize this connection, and wait for connection from user.
> #
> auto=add
> keyingtries=3
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> --------
>
>
> - I am running Openswan 2.1.2.
> - I have installed the XP NAT-T patch (Q818043) on the WinXP client.
> - Using X.509 certificates
> - When "dialing out" from the WinXP box, the errors are generated on the Openswan side,
> but the XP client just times out.
>
> I've been working on this for a very long time and am hopeful I can get this working someday.
> Any help would be greatly appreciated.
>
> Thanks
>
> Mark
>
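A small helper for the comparison Juha suggests above: it pulls the two endpoints out of pluto's "no connection is known for" line and checks them field by field against the conn named in the line. This is an added example, not code from the thread or from Openswan; it reads a minimal ipsec.conf (constructed here to mirror Mark's conn) rather than `ipsec auto --status` output, and the IP and DN placeholders are the thread's own.

```python
import re

# Constructed sample input: the pluto line quoted in the thread (placeholder IPs and DNs kept).
LOG_LINE = ('May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: '
            'cannot respond to IPsec SA request because no connection is known for '
            'X.X.X.X:4500[ ..Openswan GW DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP DN.. ]:17/1701')

# Constructed minimal ipsec.conf mirroring the conn from the thread.
IPSEC_CONF = """
conn L2TP-CERT
    left=X.X.X.X
    leftprotoport=17/1701
    right=%any
    rightsubnetwithin=192.168.1.0/24
    rightprotoport=17/1701
"""

# One side of the selector as pluto prints it: host:port[ID]:proto/port
_END = r'(?P<{p}host>[^:\s\[]+):(?P<{p}port>\d+)\[(?P<{p}id>[^\]]*)\]:(?P<{p}pp>\d+/\d+)'
SELECTOR_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\].*?no connection is known for '
                         + _END.format(p='l_') + r'\.\.\.' + _END.format(p='r_'))


def parse_selector(line):
    """Conn name plus local (l_*) and remote (r_*) endpoint fields, or None for other lines."""
    m = SELECTOR_RE.search(line)
    return m.groupdict() if m else None


def parse_conf(text):
    """Tiny ipsec.conf reader: {conn_name: {key: value}}; comments and blank lines ignored."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('conn '):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif '=' in line and cur is not None:
            key, val = line.split('=', 1)
            cur[key.strip()] = val.strip()
    return conns


def compare(selector, conns):
    """Which fields of the logged selector agree with the conn pluto named in the line."""
    c = conns.get(selector['conn'], {})
    return {
        'conn_defined': bool(c),
        'left_matches_local': c.get('left') == selector['l_host'],
        'leftprotoport_matches': c.get('leftprotoport') == selector['l_pp'],
        'rightprotoport_matches': c.get('rightprotoport') == selector['r_pp'],
        'right_accepts_peer': c.get('right') in ('%any', selector['r_host']),
    }
```

Any False entry in the result is a field to look at next to the matching line of `ipsec auto --status`; an all-True result only says the static settings agree, not that the tunnel will come up.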