[Openswan Users] IKE Phase2 fails, cannot respond to IPsec SA

Paul Wouters paul at xelerance.com
Mon Sep 27 17:47:08 CEST 2004


On Mon, 27 Sep 2004 t.henneberger at hcs-computer.de wrote:

> Here is what Pluto is telling me:
> pluto: "roadwarrior"[2] 192.168.1.111 #1: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===192.168.1.35[S=C]...192.168.1.111[0.0.0.0,S=C]
> pluto: state transition function for STATE_QUICK_RO failed: INVALID_ID_INFORMATION

Well yes, this is impossible.

There are two mistakes here:

1) You can't have a left= that is part of leftsubnet=. How could you reach
left without having a connection to the leftsubnet, which requires left,
which requires leftsubnet... Goto 1
Openswan does not have wormhole tunnels yet :)

2) you are trying to connect from an IP range 192.168.1.111 that is part
of the remote leftsubnet, while building a leftsubnet tunnel. Similar
warping of space, goto 1.

> left=192.168.1.35
> right=%any
> rightid=%any

rightid=%any? I've never seen that used before.

I am not sure what you were defining here, but this won't work. I'll assume
that you are trying to protect your wireless and want to build a tunnel
to the IPsec server in the same LAN, tunneling all your traffic through it.
This would be something like (on the server):

left=192.168.1.35
leftsubnet=0.0.0.0/0
right=%any

and on the client:

left=%defaultroute
right=192.168.1.35
rightsubnet=0.0.0.0/0

You might want to have a look at the wavesec and "wavesec for windows"
solutions we've configured for that.
wavesec: http://www.wavesec.org
for windows:  ftp://ftp.openswan.org/openswan/windows/wavesec/0.99/

Paul

-- 
 	"Non cogitamus, ergo nihil sumus"
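For reference, the two halves of the suggested setup written out as complete conn blocks in ipsec.conf. This is an added example, not configuration from the original post or from the Openswan project; the conn name, the use of a pre-shared key (authby=secret, with the key in /etc/ipsec.secrets), pfs=yes and the auto= settings are assumptions, as is the 192.168.1.0/24 addressing carried over from the thread.

```ini
# --- Server (the IPsec gateway, 192.168.1.35): /etc/ipsec.conf
# Added example, not from the original post. Note the rule from the reply:
# the gateway address (left=) is never also inside leftsubnet= for a
# subnet tunnel, and the client address is not inside leftsubnet= either.
config setup
        interfaces=%defaultroute

conn wlan-gw
        left=192.168.1.35       # the gateway itself
        leftsubnet=0.0.0.0/0    # the client pushes all its traffic through us,
                                # so this host must forward (and usually NAT) it
        right=%any              # any client address, including 192.168.1.x
        authby=secret           # assumption: PSK, see /etc/ipsec.secrets below
        pfs=yes                 # assumption
        auto=add                # passive: wait for clients to initiate

# /etc/ipsec.secrets on the server (assumed PSK; one line, any client):
#   192.168.1.35 %any : PSK "replace-with-a-long-random-secret"

# --- Client (a wireless host on 192.168.1.0/24): /etc/ipsec.conf
config setup
        interfaces=%defaultroute

conn wlan-gw
        left=%defaultroute      # whatever address the wireless interface got
        right=192.168.1.35      # the gateway
        rightsubnet=0.0.0.0/0   # tunnel everything to the gateway
        authby=secret           # assumption: same PSK as the server
        pfs=yes                 # assumption
        auto=start              # bring the tunnel up when ipsec starts

# /etc/ipsec.secrets on the client (assumed PSK):
#   %any 192.168.1.35 : PSK "replace-with-a-long-random-secret"
```

After loading this, `ipsec verify` on both ends and `ipsec auto --status` on the server show whether the conn was accepted; an IPsec SA request that still names the gateway inside the leftsubnet will again be rejected with "no connection is known for ...". Because the server advertises 0.0.0.0/0, it must actually forward the decrypted traffic (net.ipv4.ip_forward=1 on Linux) or the tunnel will come up and deliver nothing.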
