[Openswan Users] no connection is known for...

Juha Pietikäinen juha.pietikainen at connet.net
Sat May 22 22:52:44 CEST 2004


Hi,

according to your secure log an IPsec connection is now established. I guess
that you might have some kind of problem with upper layer protocols (UDP or
L2TP).

Have you tried to capture network traffic with Ethereal or tcpdump from your
Linux server?

Is there any L2TP traffic between your remote Windows XP host and your Linux
server?

It seems that my own ADSL-router doesn't directly support ESP
transport mode, which is needed by Windows XP's L2TP/IPsec client (my
previous messages handle this issue).  I am waiting for new firmware and I
hope that it will fix the problem with my router.

It may be that you also have problems with your ADSL-router. I have
incorrect checksum errors with incoming UDP packets which contain L2TP
packets inside. Packets are rejected due to checksum errors generated in the
ADSL-router.

I have managed to get an L2TP/IPsec connection working only in a LAN environment.


Juha Pietikäinen

----- Original Message ----- 
From: "Mark Frost" <mfrost at westnet.com>
To: "Juha Pietikäinen" <juha.pietikainen at connet.net>
Cc: <users at lists.openswan.org>
Sent: Saturday, May 22, 2004 8:24 PM
Subject: Re: [Openswan Users] no connection is known for...


> Juha,
>
> I'm not entirely sure what I'm looking for, but here's the output of
> ipsec auto --status:
>
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 X.X.X.X
> 000 interface eth0/eth0 X.X.X.X
> 000 %myid = (none)
> 000 debug none
> 000
> 000 "L2TP-CERT": X.X.X.X[ ..OpenSwan_GW_DN..
> ,S=C]:17/1701---Z.Z.Z.Z...%any[ ..WinXP_Client_DN..
> ]:17/1701==={192.168.1.0/24}; unrouted; eroute owner: #0
> 000 "L2TP-CERT":   CAs: ' .. OpenSwan_GW_DN.. '...' ..OpenSwan_GW_DN.. '
> 000 "L2TP-CERT":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "L2TP-CERT":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; prio: 32,24;
> interface: eth0;
> 000 "L2TP-CERT":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000
>
> X.X.X.X = public address of OpenSwan gateway
> Y.Y.Y.Y = public address of Linksys router (WinXP client's gw to the
> Internet)
> Z.Z.Z.Z = default route for OpenSwan gateway
>
>
> I tried changing my ipsec.conf: I commented out the
> rightsubnetwithin=192.168.1.0/24 line and, whether leaving right=%any or
> setting right=Y.Y.Y.Y, I get the following in /var/log/secure:
>
> May 22 13:17:14 outpost pluto[9243]: packet from Y.Y.Y.Y:500: ignoring
> Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> May 22 13:17:14 outpost pluto[9243]: packet from Y.Y.Y.Y:500: ignoring
> Vendor ID payload [FRAGMENTATION]
> May 22 13:17:14 outpost pluto[9243]: packet from Y.Y.Y.Y:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> May 22 13:17:14 outpost pluto[9243]: packet from Y.Y.Y.Y:500: ignoring
> Vendor ID payload [26244d38eddb61b3...]
> May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1:
> responding to Main Mode from unknown peer Y.Y.Y.Y
> May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1: only
> OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute
> OAKLEY_GROUP_DESCRIPTION
> May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1:
> transition from state (null) to state STATE_MAIN_R1
> May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1:
> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1: Peer ID
> is ID_DER_ASN1_DN: ' ..WinXP_Client_DN.. '
> May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1:
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> May 22 13:17:14 outpost pluto[9243]: | NAT-T: new mapping Y.Y.Y.Y:500/4500)
> May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1:
> sent MR3, ISAKMP SA established
> May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2:
> responding to Quick Mode
> May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2:
> transition from state (null) to state STATE_QUICK_R1
> May 22 13:17:15 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2:
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> May 22 13:17:15 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2:
> IPsec SA established {ESP=>0xa31cf2e8 <0x6bdc84d3}
>
> [ never get any acknowledgement on the XP side.  Eventually it times out
> and asks to redial which causes the following in the logs ]
>
> May 22 13:17:50 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1:
> received Delete SA(0xa31cf2e8) payload: deleting IPSEC State #2
>
>
>
> Thanks
>
> Mark
>
> Juha Pietikäinen wrote:
>
> >Hi,
> >
> >I have a similar configuration except my Openswan server is also behind a
> >NAT-router.
> >
> >I would suggest that you check your configuration from your Openswan server
> >with the "ipsec auto --status" command and compare the results with your
> >secure log.
> >
> >Line: "May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1:
> >cannot respond to IPsec SA request because no connection is known for
> >X.X.X.X:4500[ ..Openswan GW's DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP
> >client's DN.. ]:17/1701" should match the output of the "ipsec auto --status"
> >command's line where "L2TP-CERT" is defined.
> >
> >Maybe you should try to uncomment "rightsubnetwithin=..." and change
> >right=Y.Y.Y.Y, if Y.Y.Y.Y is a static IP-address.
> >
> >
> >Regards
> >
> >Juha Pietikäinen
> >
> >----- Original Message ----- 
> >From: "Mark Frost" <mfrost at westnet.com>
> >To: <users at lists.openswan.org>
> >Sent: Friday, May 21, 2004 11:11 PM
> >Subject: [Openswan Users] no connection is known for...
> >
> >
> >
> >
> >>I'm stuck.  I've got the following situation:
> >>
> >>
> >>192.168.1.101 (WinXP client)
> >>      |
> >>Linksys cable router (doing NAT)
> >>      || (Y.Y.Y.Y)
> >>      ||
> >>      || (Internet)
> >>      ||
> >>      || (X.X.X.X)
> >>Openswan gateway
> >>      |
> >>      |
> >>NAT'd network (ultimate destination)
> >>
> >>
> >>In other words, I'm going from a WinXP client on a NAT'd network, across
> >>the Internet, then into another NAT'd network on the other side of the
> >>Openswan gateway. It is my understanding that the only way to possibly
> >>accomplish this is to do the combination of L2TP+IPsec, which is what
> >>I'm working on.  I'm just at the first phase of getting the IPsec part to
> >>work (i.e. the tunnel just to the gateway).
> >>
> >>I'm getting the following messages in /var/log/secure when I "dial out"
> >>from the WinXP client:
> >>
> >>---------
> >>May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> >>May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [FRAGMENTATION]
> >>May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> >>May 21 15:43:37 outpost pluto[3925]: packet from Y.Y.Y.Y:500: ignoring Vendor ID payload [26244d38eddb61b3...]
> >>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: responding to Main Mode from unknown peer Y.Y.Y.Y
> >>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> >>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state (null) to state STATE_MAIN_R1
> >>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> >>May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> >>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=NY, L=South Salem, O=Mark Frost, CN=mfrost99'
> >>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> >>May 21 15:43:38 outpost pluto[3925]: | NAT-T: new mapping Y.Y.Y.Y:500/4500)
> >>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: sent MR3, ISAKMP SA established
> >>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[ ..Openswan GW's DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..WinXP client's DN.. ]:17/1701
> >>May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd4887469 (perhaps this is a duplicated packet)
> >>May 21 15:44:08 outpost last message repeated 4 times
> >>May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: received Delete SA payload: deleting ISAKMP State #1
> >>May 21 15:44:40 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500: deleting connection "L2TP-CERT" instance with peer Y.Y.Y.Y {isakmp=#0/ipsec=#0
> >>---------
> >>
> >>Note that X.X.X.X is the Openswan gateway's external (public) IP address
> >>and Y.Y.Y.Y is the public address on the Linksys box.
> >>Here's my /etc/ipsec.conf file:
> >>
> >>--------
> >>version 2.0
> >>
> >>config setup
> >>    interfaces=%defaultroute
> >>    nat_traversal=yes
> >>    klipsdebug=none
> >>    plutodebug=none
> >>    uniqueids=yes
> >>
> >>conn %default
> >>    keyingtries=1
> >>    compress=yes
> >>    disablearrivalcheck=no
> >>    authby=rsasig
> >>    leftrsasigkey=%cert
> >>    rightrsasigkey=%cert
> >>
> >>conn L2TP-CERT
> >>    #
> >>    # Use a certificate. Disable Perfect Forward Secrecy.
> >>    #
> >>    authby=rsasig
> >>    pfs=no
> >>    left=X.X.X.X
> >>    leftnexthop=%defaultroute
> >>    leftrsasigkey=%cert
> >>    leftcert=/etc/ipsec.d/certs/openswan_gw.pem
> >>    leftsendcert=always
> >>    leftprotoport=17/1701
> >>    #
> >>    # The remote user.
> >>    #
> >>    right=%any
> >>    rightrsasigkey=%cert
> >>    rightcert=/etc/ipsec.d/certs/winxp_client.pem
> >>    rightsubnetwithin=192.168.1.0/24
> >>    rightprotoport=17/1701
> >>    #
> >>    # Authorize this connection, and wait for connection from user.
> >>    #
> >>    auto=add
> >>    keyingtries=3
> >>
> >>#Disable Opportunistic Encryption
> >>include /etc/ipsec.d/examples/no_oe.conf
> >>--------
> >>
> >>
> >>- I am running Openswan 2.1.2.
> >>- I have installed the XP NAT-T patch (Q818043) on the WinXP client.
> >>- Using X.509 certificates
> >>- When "dialing out" from the WinXP box, the errors are generated on the
> >>  Openswan side, but the XP client just times out.
> >>
> >>I've been working on this for a very long time and am hopeful I can get
> >>this working someday.
> >>
> >>Any help would be greatly appreciated.
> >>
> >>Thanks
> >>
> >>Mark
> >>
> >>_______________________________________________
> >>Users mailing list
> >>Users at lists.openswan.org
> >>http://lists.openswan.org/mailman/listinfo/users
> >>
> >>
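As an added example (not from this thread or from Openswan), a small Python parser that reduces pluto log lines like the ones quoted above to the facts the thread uses to decide which layer failed: whether the ISAKMP SA and the IPsec SA came up, whether Quick Mode was refused with "no connection is known for", and whether the peer deleted the SA afterwards. The two log samples are constructed (abridged from the May 21 and May 22 runs quoted in the thread) and the regex assumes pluto's syslog line format as shown there.

```python
import re

# Constructed samples, abridged from the two pluto runs quoted in this thread.
RUN_MAY21 = """\
May 21 15:43:37 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: sent MR3, ISAKMP SA established
May 21 15:43:38 outpost pluto[3925]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[ ..GW DN.. ]:17/1701...Y.Y.Y.Y:4500[ ..XP DN.. ]:17/1701
"""
RUN_MAY22 = """\
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 22 13:17:14 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: sent MR3, ISAKMP SA established
May 22 13:17:15 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #2: IPsec SA established {ESP=>0xa31cf2e8 <0x6bdc84d3}
May 22 13:17:50 outpost pluto[9243]: "L2TP-CERT"[1] Y.Y.Y.Y:4500 #1: received Delete SA(0xa31cf2e8) payload: deleting IPSEC State #2
"""

# syslog prefix, then pluto's per-SA prefix: "conn"[inst] peer[:port] #sa: message
LINE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] '
                  r'(?P<peer>[^\s:]+)(?::\d+)? #(?P<sa>\d+): (?P<msg>.*)$')

def summarize(log_text):
    """Reduce per-SA pluto lines to the facts that decide which layer failed."""
    s = {"conn": None, "peer": None, "nated": False, "isakmp": False,
         "ipsec": False, "no_conn_for": None, "deleted": False}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # vendor-ID and other pre-SA lines carry no state here
        s["conn"], s["peer"], msg = m["conn"], m["peer"], m["msg"]
        if msg.endswith("peer is NATed"):
            s["nated"] = True              # NAT-T negotiated, expect UDP 4500
        elif "ISAKMP SA established" in msg:
            s["isakmp"] = True             # phase 1 done
        elif "IPsec SA established" in msg:
            s["ipsec"] = True              # phase 2 done
        elif "no connection is known for " in msg:
            s["no_conn_for"] = msg.split("no connection is known for ", 1)[1]
        elif "received Delete SA" in msg:
            s["deleted"] = True            # peer tore the SA down
    return s

def diagnose(s):
    """Map the summary onto the troubleshooting steps discussed in the thread."""
    if not s["isakmp"]:
        return "phase1-failed: no ISAKMP SA established"
    if s["no_conn_for"]:
        return "phase2-no-conn: compare '%s' with conn %s in 'ipsec auto --status'" % (
            s["no_conn_for"], s["conn"])
    if s["ipsec"]:
        return "ipsec-up" + ("-then-deleted: capture UDP 1701 (L2TP) with tcpdump" if s["deleted"] else "")
    return "phase2-incomplete"
```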