[Openswan Users] cannot respond to IPsec SA request because no connection is known
giovanni.m at agilemovement.it
Thu May 27 17:14:02 CEST 2004
Forwarded From: giovanni.m at agilemovement.it
>
> Thank you Paul!
>
> I have told sentinel to tunnel only traffic for the remote lan and added
> leftsubnet=10.10.15.0/24 to conn %default and conn rw-any-3des-manual.
>
> I also added
>
> virtual_private=%v4:192.168.1.0/24
>
> to the config setup section and
>
> rightsubnet=vhost:%no,%priv
>
> to conn rw-any-3des-manual
>
> Now it works perfectly! Thank you.
>
> Paul Wouters <paul at xelerance.com> said:
>
> > On Thu, 27 May 2004 giovanni.m at agilemovement.it wrote:
> >
> > > May 27 15:07:14 roma pluto[22405]: "rw-any-3des-manual"[1] 82.88.XXX.XXX:4500
> > > #1: cannot respond to IPsec SA request because no connection is known for
> > > 0.0.0.0/0===83.103.XXX.XXX:4500[C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=VPN
> > > Cofax Roma, CN=roma_cofax_vpn,
> > > E=administrator at cofax.it]...82.88.XXX.XXX:4500[C=IT, ST=MI, L=Milano, O=cofax
> > > roaming user, OU=, CN=roaming_user,
> > > E=administrator at cofax.it]===192.168.1.216/32
> >
> > Note the 0.0.0.0/0 subnet the client is asking. It is asking to tunnel ALL its
> > traffic to the VPN server.
> >
> > > conn %default
> > > #keyingretries=0
> > > disablearrivalcheck=yes
> > > authby=rsasig
> > > keyexchange=ike
> > > ikelifetime=240m
> > > keylife=60m
> > > rekey=yes
> > > pfs=yes
> > > compress=no
> > > left=83.103.XXX.XXX
> > > leftnexthop=83.103.XXX.XXX
> > > leftrsasigkey=%cert
> > > leftid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=VPN Cofax Roma,
> > > CN=roma_cofax_vpn, Email=administrator at cofax.it"
> > > leftcert=certs/swanCert.pem
> > > auto=add
> >
> > I don't see a matching leftsubnet=0.0.0.0/0
> >
> > > conn rw-any-3des-manual
> > > type=tunnel
> > > right=%any
> > > rightrsasigkey=%cert
> > > rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=vpn user,
> > > CN=roaming_user, Email=administrator at cofax.it"
> > > auto=add
> >
> > Nor here.
> >
> > Either tell SSH to stop tunneling everything, or tell your freeswan server it is
> > to accept everything.
> >
> > You are also using nat_traversal=yes without vhost or subnetwithin statements.
> > I don't think that works as you expect.
> >
> > Paul
> >
> >
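The fix the thread arrives at (leftsubnet in conn %default, virtual_private in config setup, rightsubnet=vhost:%no,%priv on the roadwarrior conn), assembled into one ipsec.conf as an added example; this is not a file posted in the thread nor Openswan project code. Addresses, IDs and conn names are taken from the thread, the archive's "at" in the e-mail addresses is assumed to stand for "@", and the "!" exclusion of the server LAN is my own addition.

```ini
# Added example: the roadwarrior fix from this thread as a single ipsec.conf.
# Values come from the thread except where a comment says otherwise.
config setup
        nat_traversal=yes
        # Private ranges a NATed roadwarrior may present as its inner address.
        # The client in the thread sits at 192.168.1.216, so its LAN must be
        # listed here or pluto finds no conn matching 192.168.1.216/32.
        # The "!" entry is an addition: it refuses a client that claims an
        # address inside the server's own LAN, which would otherwise let a
        # roadwarrior shadow a real office host.
        virtual_private=%v4:192.168.1.0/24,%v4:!10.10.15.0/24

conn %default
        keyexchange=ike
        authby=rsasig
        ikelifetime=240m
        keylife=60m
        rekey=yes
        pfs=yes
        compress=no
        left=83.103.XXX.XXX
        leftnexthop=83.103.XXX.XXX
        # Offer only the office LAN. The Sentinel client was likewise set to
        # tunnel only this network, so it proposes 10.10.15.0/24 instead of
        # 0.0.0.0/0, which no conn here would ever match.
        leftsubnet=10.10.15.0/24
        leftrsasigkey=%cert
        leftcert=certs/swanCert.pem
        leftid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=VPN Cofax Roma, CN=roma_cofax_vpn, Email=administrator@cofax.it"
        auto=add

conn rw-any-3des-manual
        type=tunnel
        right=%any
        rightrsasigkey=%cert
        rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=vpn user, CN=roaming_user, Email=administrator@cofax.it"
        # %no   accept the client's real address as a /32 remote subnet
        # %priv accept a remote address inside virtual_private (NATed client)
        rightsubnet=vhost:%no,%priv
        auto=add
```

The rightid is still pinned to one certificate DN, so only the holder of that certificate matches this conn; loosening it to a wildcard would widen who can bring up the tunnel.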