[Openswan Users] no connection is known for...

Mark Frost mfrost at westnet.com
Sat May 22 14:24:09 CEST 2004


Juha,

I'm not entirely sure what I'm looking for, but here's the output of 
ipsec auto --status:

000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 X.X.X.X
000 interface eth0/eth0 X.X.X.X
000 %myid = (none)
000 debug none
000
000 "L2TP-CERT": X.X.X.X[ ..OpenSwan_GW_DN.. ,S=C]:17/1701---Z.Z.Z.Z...%any[ ..WinXP_Client_DN.. ]:17/1701==={192.168.1.0/24}; unrouted; eroute owner: #0
000 "L2TP-CERT":   CAs: ' .. OpenSwan_GW_DN.. '...' ..OpenSwan_GW_DN.. '
000 "L2TP-CERT":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-CERT":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,24; interface: eth0;
000 "L2TP-CERT":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

X.X.X.X = public address of OpenSwan gateway
Y.Y.Y.Y = public address of Linksys router (WinXP client's gw to the 
Internet)
Z.Z.Z.Z = default route for OpenSwan gateway


I tried changing my ipsec.conf, commenting out the 
rightsubnetwithin=192.168.1.0/24 line; whether I leave right=%any or 
set right=Y.Y.Y.Y, I get the following in /var/log/secure:

May 22 13:17:14 outpost pluto[9243]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 22 13:17:14 outpost pluto[9243]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [FRAGMENTATION]
May 22 13:17:14 outpost pluto[9243]: packet from Y.Y.Y.Y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 22 13:17:14 outpost pluto[9243]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [26244d38eddb61b3...]
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1: responding to Main Mode from unknown peer Y.Y.Y.Y
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state (null) to state STATE_MAIN_R1
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1: Peer ID is ID_DER_ASN1_DN: ' ..WinXP_Client_DN.. '
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 22 13:17:14 outpost pluto[9243]: | NAT-T: new mapping Y.Y.Y.Y:500/4500)
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: sent MR3, ISAKMP SA established
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2: responding to Quick Mode
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2: transition from state (null) to state STATE_QUICK_R1
May 22 13:17:15 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 22 13:17:15 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2: IPsec SA established {ESP=>0xa31cf2e8 <0x6bdc84d3}

[I never get any acknowledgement on the XP side.  Eventually it times out 
and asks to redial, which causes the following in the logs]

May 22 13:17:50 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: received Delete SA(0xa31cf2e8) payload: deleting IPSEC State #2



Thanks

Mark

Juha Pietikäinen wrote:

>Hi,
>
>I have a similar configuration except my Openswan server is also behind a
>NAT router.
>
>I would suggest that you check your configuration from your Openswan server
>with the "ipsec auto --status" command and compare the results with your
>secure log.
>
>The line "May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1:
>cannot respond to IPsec SA request because no connection is known for
>X.X.X.X:4500[ ..Openswan GW's DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP
>client's DN.. ]:17/1701" should match the line in the output of
>"ipsec auto --status" where "L2TP-CERT" is defined.
>
>Maybe you should try to uncomment "rightsubnetwithin=..." and change to
>right=Y.Y.Y.Y, if Y.Y.Y.Y is a static IP address.
>
>
>Regards
>
>Juha Pietikäinen
>
>----- Original Message ----- 
>From: "Mark Frost" <mfrost at westnet.com>
>To: <users at lists.openswan.org>
>Sent: Friday, May 21, 2004 11:11 PM
>Subject: [Openswan Users] no connection is known for...
>
>
>>I'm stuck.  I've got the following situation:
>>
>>
>>192.168.1.101 (WinXP client)
>>      |
>>Linksys cable router (doing NAT)
>>      || (Y.Y.Y.Y)
>>      ||
>>      || (Internet)
>>      ||
>>      || (X.X.X.X)
>>Openswan gateway
>>      |
>>      |
>>NAT'd network (ultimate destination)
>>
>>
>>In other words, I'm going from a WinXP client on a NAT'd network, across
>>the Internet, then into another NAT'd network on the other side of the
>>Openswan gateway.  It is my understanding that the only way to possibly
>>accomplish this is to do the combination of L2TP+IPsec which is what I'm
>>working on.  I'm just at the first phase of getting the IPsec part to work
>>(i.e. the tunnel just to the gateway).
>>
>>I'm getting the following messages in /var/log/secure when I "dial out"
>>from the WinXP client:
>>
>>---------
>>May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
>>May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [FRAGMENTATION]
>>May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>>May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [26244d38eddb61b3...]
>>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: responding to Main Mode from unknown peer Y.Y.Y.Y
>>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
>>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state (null) to state STATE_MAIN_R1
>>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
>>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NY, L=South Salem, O=Mark Frost, CN=mfrost99'
>>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>May 21 15:43:38 outpost pluto[3925]: | NAT-T: new mapping Y.Y.Y.Y:500/4500)
>>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: sent MR3, ISAKMP SA established
>>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[ ..Openswan GW's DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP client's DN.. ]:17/1701
>>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4887469 (perhaps this is a duplicated packet)
>>May 21 15:44:08 outpost last message repeated 4 times
>>May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: received Delete SA payload: deleting ISAKMP State #1
>>May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500: deleting connection "L2TP-CERT" instance with peer Y.Y.Y.Y {isakmp=#0/ipsec=#0
>>---------
>>
>>Note that X.X.X.X is the Openswan gateway's external (public) IP address
>>and Y.Y.Y.Y is the public address on the Linksys box.
>>
>>Here's my /etc/ipsec.conf file:
>>
>>--------
>>version 2.0
>>
>>config setup
>>    interfaces=%defaultroute
>>    nat_traversal=yes
>>    klipsdebug=none
>>    plutodebug=none
>>    uniqueids=yes
>>
>>conn %default
>>    keyingtries=1
>>    compress=yes
>>    disablearrivalcheck=no
>>    authby=rsasig
>>    leftrsasigkey=%cert
>>    rightrsasigkey=%cert
>>
>>conn L2TP-CERT
>>    #
>>    # Use a certificate. Disable Perfect Forward Secrecy.
>>    #
>>    authby=rsasig
>>    pfs=no
>>    left=X.X.X.X
>>    leftnexthop=%defaultroute
>>    leftrsasigkey=%cert
>>    leftcert=/etc/ipsec.d/certs/openswan_gw.pem
>>    leftsendcert=always
>>    leftprotoport=17/1701
>>    #
>>    # The remote user.
>>    #
>>    right=%any
>>    rightrsasigkey=%cert
>>    rightcert=/etc/ipsec.d/certs/winxp_client.pem
>>    rightsubnetwithin=192.168.1.0/24
>>    rightprotoport=17/1701
>>    #
>>    # Authorize this connection, and wait for connection from user.
>>    #
>>    auto=add
>>    keyingtries=3
>>
>>#Disable Opportunistic Encryption
>>include /etc/ipsec.d/examples/no_oe.conf
>>--------
>>
>>
>>- I am running Openswan 2.1.2.
>>- I have installed the XP NAT-T patch (Q818043) on the WinXP client.
>>- Using X.509 certificates
>>- When "dialing out" from the WinXP box, the errors are generated on the
>>  Openswan side, but the XP client just times out.
>>
>>I've been working on this for a very long time and am hopeful I can get
>>this working someday.
>>
>>Any help would be greatly appreciated.
>>
>>Thanks
>>
>>Mark
>>


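As an added example (not code from this thread or from Openswan), here is a small Python checker that does the comparison Juha suggests: it parses pluto log lines like those above and the selector line from `ipsec auto --status`, and reports why a "no connection is known for" request does not fit the named connection. The matching rules it applies (left host and both protoports must agree, a fixed right host must match, and the peer's address must lie inside rightsubnetwithin when one is set) are an assumption modelled on what this thread shows, not pluto's own connection-selection code. The sample log and status text are constructed, with RFC 5737 documentation addresses standing in for the X.X.X.X, Y.Y.Y.Y and Z.Z.Z.Z placeholders.

```python
"""Check a pluto "no connection is known for" request against `ipsec auto --status` output."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Endpoint:
    host: str
    ident: str   # the [ ... ] identity as printed; not used for matching here
    proto: int
    pport: int

@dataclass
class Conn:
    left: Endpoint
    right: Endpoint
    right_subnet: Optional[str]  # the {...} after === in the status line, i.e. rightsubnetwithin

def _ep(p: str) -> str:
    """Regex for HOST:PORT[ID]:PROTO/PORT as pluto prints it; p prefixes the group names."""
    return rf"(?P<{p}host>[^\s:\[]+):\d+\[(?P<{p}id>[^\]]*)\]:(?P<{p}proto>\d+)/(?P<{p}pport>\d+)"

# May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: <msg>
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "
    r'(?:"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): )?(?P<msg>.*)$')
REQUEST_RE = re.compile(r"no connection is known for " + _ep("l") + r"\.\.\." + _ep("r"))
# 000 "NAME": LHOST[LID]:PROTO/PORT---NEXTHOP...RHOST[RID]:PROTO/PORT==={SUBNET}; ...
STATUS_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": (?P<lhost>[^\s\[]+)\[(?P<lid>[^\]]*)\]:(?P<lproto>\d+)/(?P<lpport>\d+)'
    r"---.+?\.\.\.(?P<rhost>[^\s\[]+)\[(?P<rid>[^\]]*)\]:(?P<rproto>\d+)/(?P<rpport>\d+)"
    r"(?:===\{(?P<rsubnet>[^}]+)\})?;")

def _endpoint(g: dict, p: str) -> Endpoint:
    return Endpoint(g[p + "host"], g[p + "id"].strip(), int(g[p + "proto"]), int(g[p + "pport"]))

def parse_log_line(line: str) -> Optional[dict]:
    """Split one pluto line into timestamp, connection name, peer, SA number and message."""
    m = LOG_RE.match(line.rstrip())
    return m.groupdict() if m else None

def parse_status(text: str) -> dict:
    """Map connection name -> Conn for every selector line in `ipsec auto --status` output."""
    conns = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            g = m.groupdict()
            conns[g["conn"]] = Conn(_endpoint(g, "l"), _endpoint(g, "r"), g["rsubnet"])
    return conns

def explain_mismatch(left: Endpoint, right: Endpoint, conn: Conn) -> list:
    """Reasons the requested selectors do not fit `conn`; an empty list means they fit."""
    reasons = []
    if conn.left.host != left.host:
        reasons.append(f"left host {left.host} != {conn.left.host}")
    for side, want, have in (("left", left, conn.left), ("right", right, conn.right)):
        if (want.proto, want.pport) != (have.proto, have.pport):
            reasons.append(f"{side}protoport {want.proto}/{want.pport} != {have.proto}/{have.pport}")
    if conn.right.host != "%any" and conn.right.host != right.host:
        reasons.append(f"right host {right.host} != {conn.right.host}")
    if conn.right_subnet:
        try:
            inside = ipaddress.ip_address(right.host) in ipaddress.ip_network(conn.right_subnet, strict=False)
        except ValueError:  # placeholders such as Y.Y.Y.Y cannot be compared
            inside = False
        if not inside:
            reasons.append(f"right host {right.host} is outside rightsubnetwithin {conn.right_subnet}")
    return reasons

def unmatched_requests(log_text: str, status_text: str) -> list:
    """[(timestamp, conn name, reasons)] for each 'no connection is known for' line in the log."""
    conns, out = parse_status(status_text), []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        m = REQUEST_RE.search(rec["msg"]) if rec and rec["conn"] else None
        if not m:
            continue
        conn = conns.get(rec["conn"])
        reasons = (explain_mismatch(_endpoint(m.groupdict(), "l"), _endpoint(m.groupdict(), "r"), conn)
                   if conn else [f"no connection named {rec['conn']} in status output"])
        out.append((rec["ts"], rec["conn"], reasons))
    return out

# Constructed sample modelled on the lines quoted in this thread; RFC 5737 documentation
# addresses stand in for the X.X.X.X (gateway), Z.Z.Z.Z (nexthop) and Y.Y.Y.Y (Linksys) placeholders.
GW, NEXTHOP, LINKSYS = "203.0.113.10", "203.0.113.1", "198.51.100.7"
SAMPLE_STATUS = (
    f'000 "L2TP-CERT": {GW}[C=US, O=Example, CN=gw,S=C]:17/1701---{NEXTHOP}...%any[C=US, O=Example, CN=xp]'
    ':17/1701==={192.168.1.0/24}; unrouted; eroute owner: #0\n'
    '000 "L2TP-CERT":   newest ISAKMP SA: #0; newest IPsec SA: #0;\n')
SAMPLE_LOG = (
    f'May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] {LINKSYS} #1: transition from state (null) to state STATE_MAIN_R1\n'
    f'May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] {LINKSYS} #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3\n'
    f'May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] {LINKSYS}:4500 #1: sent MR3, ISAKMP SA established\n'
    f'May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] {LINKSYS}:4500 #1: cannot respond to IPsec SA request '
    f'because no connection is known for {GW}:4500[C=US, O=Example, CN=gw]:17/1701...{LINKSYS}:4500[C=US, O=Example, CN=xp]:17/1701\n')
```

Run on the constructed sample, `unmatched_requests(SAMPLE_LOG, SAMPLE_STATUS)` reports that the peer's public address is outside rightsubnetwithin=192.168.1.0/24, which is consistent with the IPsec SA coming up in the follow-up log once that line was commented out; with real data, feed /var/log/secure and the status output to the same function.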