[Openswan Users] no connection is known for...

Juha Pietikäinen juha.pietikainen at connet.net
Sat May 22 11:02:19 CEST 2004


Hi,

I have a similar configuration, except that my Openswan server is also behind
a NAT router.

I would suggest that you check your configuration on your Openswan server
with the "ipsec auto --status" command and compare the results with your secure
log.

The line "May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1:
cannot respond to IPsec SA request because no connection is known for
X.X.X.X:4500[ ..Openswan GW's DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP
client's DN.. ]:17/1701" should match the line in the output of the
"ipsec auto --status" command where "L2TP-CERT" is defined.

Maybe you should try to uncomment "rightsubnetwithin=..." and change to
right=Y.Y.Y.Y, if Y.Y.Y.Y is a static IP address.


Regards

Juha Pietikäinen

----- Original Message ----- 
From: "Mark Frost" <mfrost at westnet.com>
To: <users at lists.openswan.org>
Sent: Friday, May 21, 2004 11:11 PM
Subject: [Openswan Users] no connection is known for...


>
> I'm stuck.  I've got the following situation:
>
>
> 192.168.1.101 (WinXP client)
>       |
> Linksys cable router (doing NAT)
>       || (Y.Y.Y.Y)
>       ||
>       || (Internet)
>       ||
>       || (X.X.X.X)
> Openswan gateway
>       |
>       |
> NAT'd network (ultimate destination)
>
>
> In other words, I'm going from a WinXP client on a NAT'd network, across the Internet,
> then into another NAT'd network on the other side of the Openswan gateway. It is my understanding
> that the only way to possibly accomplish this is to do the combination of L2TP+IPsec which is what
> I'm working on.  I'm just at the first phase of getting the IPsec part to work (i.e. the
> tunnel just to the gateway).
>
> I'm getting the following messages in /var/log/secure when I "dial out" from the WinXP client:
>
> ---------
> May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [FRAGMENTATION]
> May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [26244d38eddb61b3...]
> May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: responding to Main Mode from unknown peer Y.Y.Y.Y
> May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state (null) to state STATE_MAIN_R1
> May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NY, L=South Salem, O=Mark Frost, CN=mfrost99'
> May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> May 21 15:43:38 outpost pluto[3925]: | NAT-T: new mapping Y.Y.Y.Y:500/4500)
> May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: sent MR3, ISAKMP SA established
> May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[ ..Openswan GW's DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP client's DN.. ]:17/1701
> May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4887469 (perhaps this is a duplicated packet)
> May 21 15:44:08 outpost last message repeated 4 times
> May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: received Delete SA payload: deleting ISAKMP State #1
> May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500: deleting connection "L2TP-CERT" instance with peer Y.Y.Y.Y {isakmp=#0/ipsec=#0
> ---------
>
> Note that X.X.X.X is the Openswan gateway's external (public) IP address and Y.Y.Y.Y is the
> public address on the Linksys box.
>
> Here's my /etc/ipsec.conf file:
>
> --------
> version 2.0
>
> config setup
>     interfaces=%defaultroute
>     nat_traversal=yes
>     klipsdebug=none
>     plutodebug=none
>     uniqueids=yes
>
> conn %default
>     keyingtries=1
>     compress=yes
>     disablearrivalcheck=no
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>
> conn L2TP-CERT
>     #
>     # Use a certificate. Disable Perfect Forward Secrecy.
>     #
>     authby=rsasig
>     pfs=no
>     left=X.X.X.X
>     leftnexthop=%defaultroute
>     leftrsasigkey=%cert
>     leftcert=/etc/ipsec.d/certs/openswan_gw.pem
>     leftsendcert=always
>     leftprotoport=17/1701
>     #
>     # The remote user.
>     #
>     right=%any
>     rightrsasigkey=%cert
>     rightcert=/etc/ipsec.d/certs/winxp_client.pem
>     rightsubnetwithin=192.168.1.0/24
>     rightprotoport=17/1701
>     #
>     # Authorize this connection, and wait for connection from user.
>     #
>     auto=add
>     keyingtries=3
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> --------
>
>
> - I am running Openswan 2.1.2.
> - I have installed the XP NAT-T patch (Q818043) on the WinXP client.
> - Using X.509 certificates
> - When "dialing out" from the WinXP box, the errors are generated on the Openswan side,
>   but the XP client just times out.
>
> I've been working on this for a very long time and am hopeful I can get this working someday.
> Any help would be greatly appreciated.
>
> Thanks
>
> Mark
>
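The check Juha describes above (compare the selector in pluto's "no connection is known for" line with the conn that ipsec.conf defines) can be done mechanically. The following Python script is an added example for this thread; it is neither the poster's code nor part of Openswan. Its log and config text are constructed samples modelled on the ones quoted above: X.X.X.X and Y.Y.Y.Y are replaced by RFC 5737 documentation addresses (192.0.2.1 and 203.0.113.5), the DNs are made up, and the selector syntax `host[:port][id]:proto/port...host[:port][id]:proto/port` is taken from the quoted log line. It parses that line, reads the conn's left/right, protoport and rightsubnetwithin keys, and reports which of them rule out the proposed selector.

```python
# Added example: cross-check pluto's "no connection is known for" selector
# against a conn in ipsec.conf. Not code from the thread or from Openswan.
import ipaddress
import re

# Constructed sample modelled on the /var/log/secure excerpt in the thread.
SAMPLE_LOG = """\
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] 203.0.113.5:4500 #1: sent MR3, ISAKMP SA established
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] 203.0.113.5:4500 #1: cannot respond to IPsec SA request because no connection is known for 192.0.2.1:4500[C=US, O=Example, CN=gw]:17/1701...203.0.113.5:4500[C=US, O=Example, CN=client]:17/1701
"""

# Constructed sample: the selector-relevant keys of the conn quoted in the thread.
SAMPLE_CONF = """\
conn L2TP-CERT
    left=192.0.2.1
    leftprotoport=17/1701
    right=%any
    rightsubnetwithin=192.168.1.0/24
    rightprotoport=17/1701
    auto=add
"""

# host[:port][id]:proto/port...host[:port][id]:proto/port (NAT-T port optional).
SELECTOR_RE = re.compile(
    r'"(?P<conn>[^"]+)".*no connection is known for '
    r'(?P<lhost>[\d.]+)(?::\d+)?\[(?P<lid>[^\]]*)\]:(?P<lproto>\d+)/(?P<lport>\d+)'
    r'\.\.\.'
    r'(?P<rhost>[\d.]+)(?::\d+)?\[(?P<rid>[^\]]*)\]:(?P<rproto>\d+)/(?P<rport>\d+)'
)


def parse_selector(log_text):
    """Return the selector pluto could not match, or None if no such line."""
    for line in log_text.splitlines():
        m = SELECTOR_RE.search(line)
        if m:
            d = m.groupdict()
            return {
                "conn": d["conn"],
                "local": (d["lhost"], f"{d['lproto']}/{d['lport']}"),
                "remote": (d["rhost"], f"{d['rproto']}/{d['rport']}"),
                "remote_id": d["rid"],
            }
    return None


def parse_conns(conf_text):
    """Minimal ipsec.conf reader: {conn name: {key: value}}; skips 'config setup'."""
    conns, cur = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace() and line.startswith("conn "):
            cur = line.split(None, 1)[1].strip()
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[cur][key.strip()] = value.strip()
    return conns


def check_conn(conn, selector):
    """List the reasons a conn cannot match the selector the peer proposed."""
    problems = []
    lhost, lpp = selector["local"]
    rhost, rpp = selector["remote"]
    if conn.get("leftprotoport", "0/0") != lpp:
        problems.append(f"leftprotoport={conn.get('leftprotoport')} but peer wants {lpp}")
    if conn.get("rightprotoport", "0/0") != rpp:
        problems.append(f"rightprotoport={conn.get('rightprotoport')} but peer wants {rpp}")
    left = conn.get("left", "")
    if left and not left.startswith("%") and left != lhost:   # %defaultroute etc. pass
        problems.append(f"left={left} but the request arrived for {lhost}")
    right = conn.get("right", "")
    if right and not right.startswith("%") and right != rhost:  # %any passes
        problems.append(f"right={right} but the peer is {rhost}")
    within = conn.get("rightsubnetwithin")
    # A NATed client proposes its own address as the subnet; it must fall within the range.
    if within and ipaddress.ip_address(rhost) not in ipaddress.ip_network(within, strict=False):
        problems.append(f"peer selector {rhost} lies outside rightsubnetwithin={within}; "
                        f"use right={rhost} (if static) or a range that contains it")
    return problems


def diagnose(log_text, conf_text):
    """Map the conn named in the log line to its list of mismatches."""
    selector = parse_selector(log_text)
    if selector is None:
        return {}
    conn = parse_conns(conf_text).get(selector["conn"])
    if conn is None:
        return {selector["conn"]: ["conn not present in ipsec.conf"]}
    return {selector["conn"]: check_conn(conn, selector)}


if __name__ == "__main__":
    for name, problems in diagnose(SAMPLE_LOG, SAMPLE_CONF).items():
        print(name + ":")
        for p in problems or ["no mismatch found by these checks"]:
            print("  -", p)
```

Run against a real /var/log/secure and ipsec.conf by reading the files into the two text arguments of `diagnose`. With the constructed sample, the only mismatch reported is that the peer's proposed address is outside rightsubnetwithin, which is the case Juha's suggestion of setting right= to the peer's static address addresses; a conn with that change and no rightsubnetwithin produces an empty list.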
