[Openswan Users] no connection is known for...
Mark Frost
mfrost at westnet.com
Sat May 22 14:24:09 CEST 2004
Juha,
I'm not entirely sure what I'm looking for, but here's the output of
ipsec auto --status:
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 X.X.X.X
000 interface eth0/eth0 X.X.X.X
000 %myid = (none)
000 debug none
000
000 "L2TP-CERT": X.X.X.X[ ..OpenSwan_GW_DN..
,S=C]:17/1701---Z.Z.Z.Z...%any[ ..WinXP_Client_DN..
]:17/1701==={192.168.1.0/24}; unrouted; eroute owner: #0
000 "L2TP-CERT": CAs: ' .. OpenSwan_GW_DN.. '...' ..OpenSwan_GW_DN.. '
000 "L2TP-CERT": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-CERT": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,24;
interface: eth0;
000 "L2TP-CERT": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
X.X.X.X = public address of OpenSwan gateway
Y.Y.Y.Y = public address of Linksys router (WinXP client's gw to the
Internet)
Z.Z.Z.Z = default route for OpenSwan gateway
I tried changing my ipsec.conf by commenting out the
rightsubnetwithin=192.168.1.0/24 line; whether I leave right=%any or
set right=Y.Y.Y.Y, I get the following in /var/log/secure:
May 22 13:17:14 outpost pluto[9243]: packet from Y.Y.Y.Y:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 22 13:17:14 outpost pluto[9243]: packet from Y.Y.Y.Y:500: ignoring
Vendor ID payload [FRAGMENTATION]
May 22 13:17:14 outpost pluto[9243]: packet from Y.Y.Y.Y:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 22 13:17:14 outpost pluto[9243]: packet from Y.Y.Y.Y:500: ignoring
Vendor ID payload [26244d38eddb61b3...]
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1:
responding to Main Mode from unknown peer Y.Y.Y.Y
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1: only
OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute
OAKLEY_GROUP_DESCRIPTION
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1:
transition from state (null) to state STATE_MAIN_R1
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1: Peer ID
is ID_DER_ASN1_DN: ' ..WinXP_Client_DN.. '
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 22 13:17:14 outpost pluto[9243]: | NAT-T: new mapping Y.Y.Y.Y:500/4500)
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1:
sent MR3, ISAKMP SA established
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2:
responding to Quick Mode
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2:
transition from state (null) to state STATE_QUICK_R1
May 22 13:17:15 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 22 13:17:15 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2:
IPsec SA established {ESP=>0xa31cf2e8 <0x6bdc84d3}
[I never get any acknowledgement on the XP side. Eventually it times out
and asks to redial, which causes the following in the logs]
May 22 13:17:50 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1:
received Delete SA(0xa31cf2e8) payload: deleting IPSEC State #2
Thanks
Mark
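Juha's suggestion below, comparing the "L2TP-CERT" line of ipsec auto --status with the "no connection is known for" line in the log, can be made mechanical. The following Python is an added example, not from this thread or from the Openswan project; it uses constructed stand-ins for the masked values (192.0.2.1 for X.X.X.X, 198.51.100.7 for Y.Y.Y.Y, placeholder DNs) and assumes that an end pluto prints without a {subnet} proposes its own host address as the client.

```python
import ipaddress
import re
from collections import namedtuple
# Constructed stand-ins for the thread's masked values: 192.0.2.1 plays X.X.X.X (the
# Openswan gateway), 198.51.100.7 plays Y.Y.Y.Y (the Linksys), the DNs are placeholders.
STATUS_LINE = ('000 "L2TP-CERT": 192.0.2.1[C=XX, O=Example, CN=gw]:17/1701---192.0.2.254...'
               '%any[C=XX, O=Example, CN=xp]:17/1701==={192.168.1.0/24}; unrouted; eroute owner: #0')
LOG_LINE = ('May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] 198.51.100.7:4500 #1: cannot '
            'respond to IPsec SA request because no connection is known for 192.0.2.1:4500'
            '[C=XX, O=Example, CN=gw]:17/1701...198.51.100.7:4500[C=XX, O=Example, CN=xp]:17/1701')

# host: address or %any; ident: DN in brackets; protoport: e.g. 17/1701 (L2TP over UDP);
# client: printed {subnet}, or None, which this example takes to mean the host itself.
End = namedtuple('End', 'host ident protoport client')
END_RE = re.compile(
    r'(?:\{(?P<lsub>[^}]+)\}===)?'             # {subnet}=== printed before a left end
    r'(?P<host>%any|[\d.]+)(?::\d+)?'          # host, optionally with its NAT-T port
    r'\[(?P<ident>[^\]]*)\]:(?P<protoport>\d+/\d+)'
    r'(?:===\{(?P<rsub>[^}]+)\})?')            # ==={subnet} printed after a right end

def parse_ends(text):
    """Parse pluto's 'left...right' notation; a '---nexthop' on the left is dropped."""
    left, _, right = text.partition('...')
    ends = []
    for part in (left.split('---', 1)[0], right):
        m = END_RE.search(part)
        if m is None:
            raise ValueError(f'unrecognised end: {part!r}')
        ends.append(End(m['host'], m['ident'].strip(), m['protoport'], m['lsub'] or m['rsub']))
    return ends[0], ends[1]

def connection_from_status(line):          # the 'ipsec auto --status' connection line
    return parse_ends(re.search(r'^000 "[^"]+": (.+?);', line)[1])
def request_from_log(line):                # the 'no connection is known for' log line
    return parse_ends(line.split('no connection is known for ', 1)[1])

def mismatches(conn, req):
    """List every way the requested IPsec SA fails to fit the configured connection."""
    out = []
    for side, c, r in (('left', conn[0], req[0]), ('right', conn[1], req[1])):
        if c.host != '%any' and c.host != r.host:
            out.append(f'{side}: peer {r.host} is not the configured {c.host}')
        if c.ident != r.ident:
            out.append(f'{side}: ID {r.ident!r} differs from configured {c.ident!r}')
        if c.protoport != r.protoport:
            out.append(f'{side}: protoport {r.protoport} differs from configured {c.protoport}')
        proposed = ipaddress.ip_network(r.client or r.host)     # a bare host becomes a /32
        if c.client and not proposed.subnet_of(ipaddress.ip_network(c.client)):
            out.append(f'{side}: proposed client {proposed} lies outside {c.client}')
    return out
```

With these inputs the only report is that the proposed right client (the Linksys public address) lies outside rightsubnetwithin=192.168.1.0/24, which fits the IPsec SA coming up in the reply above once that line is commented out.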
Juha Pietikäinen wrote:
>Hi,
>
>I have similar configuration except my Openswan server is also behind
>NAT-router.
>
>I would suggest that you check your configuration from your Openswan server
>with "ipsec auto --status" command and compare the results with your secure
>log.
>
>Line: "May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1:
>cannot respond to IPsec SA request because no connection is known for
>X.X.X.X:4500[ ..Openswan GW's DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP
>client's DN.. ]:17/1701" should match with output of "ipsec auto --status"
>commands line where "L2TP-CERT" is defined.
>
>Maybe you should try to uncomment "rightsubnetwithin=..." and change
>right=Y.Y.Y.Y, if Y.Y.Y.Y is static IP-address.
>
>
>Regards
>
>Juha Pietikäinen
>
>----- Original Message -----
>From: "Mark Frost" <mfrost at westnet.com>
>To: <users at lists.openswan.org>
>Sent: Friday, May 21, 2004 11:11 PM
>Subject: [Openswan Users] no connection is known for...
>
>>I'm stuck. I've got the following situation:
>>
>>192.168.1.101 (WinXP client)
>> |
>>Linksys cable router (doing NAT)
>> || (Y.Y.Y.Y)
>> ||
>> || (Internet)
>> ||
>> || (X.X.X.X)
>>Openswan gateway
>> |
>> |
>>NAT'd network (ultimate destination)
>>
>>In other words, I'm going from a WinXP client on a NAT'd network, across
>>the Internet, then into another NAT'd network on the other side of the
>>Openswan gateway. It is my understanding that the only way to possibly
>>accomplish this is to do the combination of L2TP+IPsec which is what I'm
>>working on. I'm just at the first phase of getting the IPsec part to work
>>(i.e. the tunnel just to the gateway).
>>
>>I'm getting the following messages in /var/log/secure when I "dial out"
>>from the WinXP client:
>>---------
>>May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
>>May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [FRAGMENTATION]
>>May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>>May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [26244d38eddb61b3...]
>>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: responding to Main Mode from unknown peer Y.Y.Y.Y
>>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
>>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state (null) to state STATE_MAIN_R1
>>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
>>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NY, L=South Salem, O=Mark Frost, CN=mfrost99'
>>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>May 21 15:43:38 outpost pluto[3925]: | NAT-T: new mapping Y.Y.Y.Y:500/4500)
>>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: sent MR3, ISAKMP SA established
>>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[ ..Openswan GW's DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP client's DN.. ]:17/1701
>>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4887469 (perhaps this is a duplicated packet)
>>May 21 15:44:08 outpost last message repeated 4 times
>>May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: received Delete SA payload: deleting ISAKMP State #1
>>May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500: deleting connection "L2TP-CERT" instance with peer Y.Y.Y.Y {isakmp=#0/ipsec=#0
>>---------
>>
>>Note that X.X.X.X is the Openswan gateway's external (public) IP address
>>and Y.Y.Y.Y is the public address on the Linksys box.
>>
>>Here's my /etc/ipsec.conf file:
>>
>>--------
>>version 2.0
>>
>>config setup
>> interfaces=%defaultroute
>> nat_traversal=yes
>> klipsdebug=none
>> plutodebug=none
>> uniqueids=yes
>>
>>conn %default
>> keyingtries=1
>> compress=yes
>> disablearrivalcheck=no
>> authby=rsasig
>> leftrsasigkey=%cert
>> rightrsasigkey=%cert
>>
>>conn L2TP-CERT
>> #
>> # Use a certificate. Disable Perfect Forward Secrecy.
>> #
>> authby=rsasig
>> pfs=no
>> left=X.X.X.X
>> leftnexthop=%defaultroute
>> leftrsasigkey=%cert
>> leftcert=/etc/ipsec.d/certs/openswan_gw.pem
>> leftsendcert=always
>> leftprotoport=17/1701
>> #
>> # The remote user.
>> #
>> right=%any
>> rightrsasigkey=%cert
>> rightcert=/etc/ipsec.d/certs/winxp_client.pem
>> rightsubnetwithin=192.168.1.0/24
>> rightprotoport=17/1701
>> #
>> # Authorize this connection, and wait for connection from user.
>> #
>> auto=add
>> keyingtries=3
>>
>>#Disable Opportunistic Encryption
>>include /etc/ipsec.d/examples/no_oe.conf
>>--------
>>
>>- I am running Openswan 2.1.2.
>>- I have installed the XP NAT-T patch (Q818043) on the WinXP client.
>>- Using X.509 certificates
>>- When "dialing out" from the WinXP box, the errors are generated on the
>>  Openswan side, but the XP client just times out.
>>
>>I've been working on this for a very long time and am hopeful I can get
>>this working someday.
>>
>>Any help would be greatly appreciated.
>>
>>Thanks
>>
>>Mark
>>
>>_______________________________________________
>>Users mailing list
>>Users at lists.openswan.org
>>http://lists.openswan.org/mailman/listinfo/users