[Openswan Users] cannot respond to IPsec SA request because no connection is known

Paul Wouters paul at xelerance.com
Thu May 27 18:40:47 CEST 2004


On Thu, 27 May 2004 giovanni.m at agilemovement.it wrote:

> May 27 15:07:14 roma pluto[22405]: "rw-any-3des-manual"[1] 82.88.XXX.XXX:4500
> #1: cannot respond to IPsec SA request because no connection is known for
> 0.0.0.0/0===83.103.XXX.XXX:4500[C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=VPN
> Cofax Roma, CN=roma_cofax_vpn,
> E=administrator at cofax.it]...82.88.XXX.XXX:4500[C=IT, ST=MI, L=Milano, O=cofax
> roaming user, OU=, CN=roaming_user, E=administrator at cofax.it]===192.168.1.216/32

Note the 0.0.0.0/0 subnet the client is asking for. It is asking to tunnel ALL its
traffic to the VPN server.

> conn %default
>         #keyingretries=0
>         disablearrivalcheck=yes
>         authby=rsasig
>         keyexchange=ike
>         ikelifetime=240m
>         keylife=60m
>         rekey=yes
>         pfs=yes
>         compress=no
>         left=83.103.XXX.XXX
>         leftnexthop=83.103.XXX.XXX
>         leftrsasigkey=%cert
>         leftid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=VPN Cofax Roma,
> CN=roma_cofax_vpn, Email=administrator at cofax.it"
>         leftcert=certs/swanCert.pem
>         auto=add

I don't see a matching leftsubnet=0.0.0.0/0
 
> conn rw-any-3des-manual
>         type=tunnel
>         right=%any
>         rightrsasigkey=%cert
>         rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=vpn user,
> CN=roaming_user, Email=administrator at cofax.it"
>         auto=add

Nor here.

Either tell SSH to stop tunneling everything, or tell your freeswan server it is
to accept everything.
 
You are also using nat_traversal=yes without vhost or subnetwithin statements.
I don't think that works as you expect.

Paul
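The mismatch Paul points out (the peer proposes 0.0.0.0/0 on the server side and its private /32 on the client side, while the conn defines neither leftsubnet nor a rightsubnet/rightsubnetwithin) can be checked mechanically. The script below is an added example, not part of this thread and not Openswan code: it parses the "no connection is known for" line from the pluto log, parses a stripped-down ipsec.conf with the same conn names, and reports which side the conn does not cover. The log line and both config fragments are constructed for the example (documentation addresses stand in for the masked ones in the post); the conf parser only handles single-line key=value entries plus conn %default merging, and vhost:%priv is simplified to the three RFC 1918 blocks rather than reading virtual_private from config setup.

```python
"""Explain a pluto "cannot respond to IPsec SA request because no connection
is known" message by comparing the proposed subnets with ipsec.conf.
Added example, not Openswan code; see the caveats in the lead-in."""
import ipaddress
import re

# Simplification: treat %priv as the RFC 1918 blocks instead of virtual_private.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log line (addresses are documentation placeholders).
SAMPLE_LOG = (
    'May 27 15:07:14 roma pluto[22405]: "rw-any-3des-manual"[1] 198.51.100.20:4500 '
    '#1: cannot respond to IPsec SA request because no connection is known for '
    '0.0.0.0/0===203.0.113.5:4500[C=IT, ST=Roma, O=Example, CN=roma_vpn]'
    '...198.51.100.20:4500[C=IT, ST=MI, O=roaming user, CN=roaming_user]'
    '===192.168.1.216/32'
)

# Constructed config in the shape of the poster's: no subnet statements at all.
SAMPLE_CONF = """\
conn %default
        authby=rsasig
        left=203.0.113.5
        leftrsasigkey=%cert
        auto=add

conn rw-any-3des-manual
        type=tunnel
        right=%any
        rightrsasigkey=%cert
        auto=add
"""

# Same config with the two statements the request actually needs.
FIXED_CONF = SAMPLE_CONF + (
    "        leftsubnet=0.0.0.0/0\n"
    "        rightsubnetwithin=192.168.0.0/16\n"
)

_REQ_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #\d+: cannot respond to IPsec SA request '
    r'because no connection is known for '
    r'(?P<lsub>\S+?)===(?P<lhost>[0-9.]+)(?::\d+)?\[(?P<lid>[^\]]*)\]'
    r'\.\.\.(?P<rhost>[0-9.]+)(?::\d+)?\[(?P<rid>[^\]]*)\]===(?P<rsub>\S+)'
)


def parse_request(line):
    """Pull conn name, both endpoints and both proposed subnets out of the log line."""
    m = _REQ_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "conn": d["conn"],
        "left_subnet": ipaddress.ip_network(d["lsub"]),
        "left_host": ipaddress.ip_address(d["lhost"]),
        "right_subnet": ipaddress.ip_network(d["rsub"]),
        "right_host": ipaddress.ip_address(d["rhost"]),
    }


def parse_conf(text):
    """Minimal ipsec.conf reader: conn sections of key=value, %default merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[current][key.strip()] = val.strip().strip('"')
    default = conns.pop("%default", {})
    return {name: {**default, **kv} for name, kv in conns.items()}


def allowed_nets(conn, side, peer_host):
    """Networks the conn would accept on one side. With no subnet statement the
    tunnel carries only the endpoint itself, i.e. peer_host/32."""
    within = conn.get(side + "subnetwithin")
    if within:
        return [ipaddress.ip_network(within)]
    sub = conn.get(side + "subnet")
    if sub is None:
        return [ipaddress.ip_network(f"{peer_host}/32")]
    if sub.startswith("vhost:"):
        nets = []
        for tok in sub[len("vhost:"):].split(","):
            if tok == "%priv":
                nets += PRIVATE_NETS
            elif tok == "%no":
                nets.append(ipaddress.ip_network(f"{peer_host}/32"))
        return nets
    return [ipaddress.ip_network(sub)]


def check_request(log_line, conf_text):
    """Return a list of mismatches; empty means the proposal would have matched."""
    req = parse_request(log_line)
    if req is None:
        return ["log line is not a 'no connection is known' message"]
    conn = parse_conf(conf_text).get(req["conn"])
    if conn is None:
        return [f"conn {req['conn']} not found in ipsec.conf"]
    problems = []
    for side in ("left", "right"):
        want = req[side + "_subnet"]
        nets = allowed_nets(conn, side, req[side + "_host"])
        if not any(want.subnet_of(n) for n in nets):
            allowed = ", ".join(str(n) for n in nets)
            problems.append(f"{side}: peer proposed {want}, conn only allows {allowed}")
    return problems


if __name__ == "__main__":
    for label, conf in (("original", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(label, check_request(SAMPLE_LOG, conf) or "request would match")
```

Run against the original-style config it reports both sides (the server side allows only its own /32, not 0.0.0.0/0, and the client side allows only the NATed public address, not 192.168.1.216/32); with leftsubnet=0.0.0.0/0 and a rightsubnetwithin covering the client's private range it reports nothing, which is the "tell your server it is to accept everything" option from the reply.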


