[Openswan Users] cannot respond to IPsec SA request because no connection is known

giovanni.m at agilemovement.it giovanni.m at agilemovement.it
Thu May 27 17:14:02 CEST 2004


Forwarded From: giovanni.m at agilemovement.it

> 
> Thank you Paul!
> 
> I have told Sentinel to tunnel only traffic for the remote LAN and added
>    leftsubnet=10.10.15.0/24 to conn %default and conn rw-any-3des-manual.
> 
> I also added
> 
>         virtual_private=%v4:192.168.1.0/24
> 
> to the config setup section and
> 
>         rightsubnet=vhost:%no,%priv
> 
> to conn rw-any-3des-manual
> 
> Now it works perfectly! Thank you.
> 
> Paul Wouters <paul at xelerance.com> said:
> 
> > On Thu, 27 May 2004 giovanni.m at agilemovement.it wrote:
> > 
> > > May 27 15:07:14 roma pluto[22405]: "rw-any-3des-manual"[1] 82.88.XXX.XXX:4500
> > > #1: cannot respond to IPsec SA request because no connection is known for
> > > 0.0.0.0/0===83.103.XXX.XXX:4500[C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=VPN
> > > Cofax Roma, CN=roma_cofax_vpn,
> > > E=administrator at cofax.it]...82.88.XXX.XXX:4500[C=IT, ST=MI, L=Milano, O=cofax
> > > roaming user, OU=, CN=roaming_user,
> > > E=administrator at cofax.it]===192.168.1.216/32
> > 
> > Note the 0.0.0.0/0 subnet the client is asking for. It is asking to tunnel ALL its
> > traffic to the VPN server.
> > 
> > > conn %default
> > >         #keyingretries=0
> > >         disablearrivalcheck=yes
> > >         authby=rsasig
> > >         keyexchange=ike
> > >         ikelifetime=240m
> > >         keylife=60m
> > >         rekey=yes
> > >         pfs=yes
> > >         compress=no
> > >         left=83.103.XXX.XXX
> > >         leftnexthop=83.103.XXX.XXX
> > >         leftrsasigkey=%cert
> > >         leftid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=VPN Cofax Roma,
> > > CN=roma_cofax_vpn, Email=administrator at cofax.it"
> > >         leftcert=certs/swanCert.pem
> > >         auto=add
> > 
> > I don't see a matching leftsubnet=0.0.0.0/0
> >  
> > > conn rw-any-3des-manual
> > >         type=tunnel
> > >         right=%any
> > >         rightrsasigkey=%cert
> > >         rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=vpn user,
> > > CN=roaming_user, Email=administrator at cofax.it"
> > >         auto=add
> > 
> > Nor here.
> > 
> > Either tell SSH to stop tunneling everything, or tell your freeswan server it is
> > to accept everything.
> >  
> > You are also using nat_traversal=yes without vhost or subnetwithin statements.
> > I don't think that works as you expect.
> > 
> > Paul
> > 
> > 
> 
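The thread above boils down to two ipsec.conf changes on the gateway, plus telling the client to tunnel only the remote LAN. The fragment below is an added illustration, not either poster's actual file: it puts the failing conn (no leftsubnet, so nothing can match a client proposing 0.0.0.0/0) beside the corrected one (leftsubnet, plus vhost:%no,%priv and a virtual_private list so a NAT'd roadwarrior can use a private inner address). The thread's virtual_private held only %v4:192.168.1.0/24; listing all three RFC1918 ranges and excluding the gateway's own 10.10.15.0/24 with a "!" entry follows Openswan's documented virtual_private syntax but is my generalization, not something the thread specifies. The mail-archive "at" in the DNs is written back as "@".

```conf
# Added example (not the poster's configuration). Illustrative addresses only.
config setup
        nat_traversal=yes
        # Private ranges a NAT'd client may claim behind vhost:%priv.
        # The "!" entry excludes the gateway's own LAN so a client cannot
        # claim an address that collides with it (assumed generalization).
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.10.15.0/24

conn %default
        authby=rsasig
        keyexchange=ike
        pfs=yes
        left=83.103.XXX.XXX
        leftrsasigkey=%cert
        leftcert=certs/swanCert.pem
        leftid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=VPN Cofax Roma, CN=roma_cofax_vpn, Email=administrator@cofax.it"
        auto=add

# BEFORE: without leftsubnet the only selector pluto can offer is the
# gateway's own address. A client proposing 0.0.0.0/0 ("tunnel everything")
# then matches nothing, and Quick Mode fails with
# "cannot respond to IPsec SA request because no connection is known".
# (Shown for contrast; keep only one of the two conns in a real file.)
conn rw-any-3des-manual-before
        type=tunnel
        right=%any
        rightrsasigkey=%cert
        rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=vpn user, CN=roaming_user, Email=administrator@cofax.it"
        auto=add

# AFTER: the gateway advertises the LAN it protects, and the client's inner
# address may be its real address (%no) or a private address from
# virtual_private (%priv), which is what a client behind NAT needs.
# The client side must likewise be set to tunnel only 10.10.15.0/24.
conn rw-any-3des-manual
        type=tunnel
        leftsubnet=10.10.15.0/24
        right=%any
        rightsubnet=vhost:%no,%priv
        rightrsasigkey=%cert
        rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=vpn user, CN=roaming_user, Email=administrator@cofax.it"
        auto=add
```

Two checks worth doing after the change: `ipsec auto --status` should list rw-any-3des-manual with the 10.10.15.0/24 selector, and a fresh pluto log for the client should show the Quick Mode proposal as 192.168.x.y/32 (or the client's public /32) against 10.10.15.0/24 rather than 0.0.0.0/0. If the client still proposes 0.0.0.0/0, the fix belongs on the client, not in ipsec.conf.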