[Openswan Users] IKE Phase2 fails, cannot respond to IPsec SA
Paul Wouters
paul at xelerance.com
Mon Sep 27 17:47:08 CEST 2004
On Mon, 27 Sep 2004 t.henneberger at hcs-computer.de wrote:
> Here is what Pluto is telling me:
> pluto: "roadwarrior"[2] 192.168.1.111 #1: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===192.168.1.35[S=C]...192.168.1.111[0.0.0.0,S=C]
> pluto: state transition function for STATE_QUICK_RO failed: INVALID_ID_INFORMATION
Well yes, this is impossible.
There are two mistakes here:
1) You can't have a left= that is part of leftsubnet=. How could you reach
left without having a connection to the leftsubnet, which requires left,
which requies leftsubnet... Goto 1
Openswan does not have wormhole tunnels yet :)
2) you are trying to connect from an IP range 192.168.1.111 that is part
of the remote leftsubnet, while building a leftsubnet tunnel. Similar
warping of space, goto 1.
> left=192.168.1.35
> right=%any
> rightid=%any
rightid=%any? i've never seen that used before.
I am not sure what you were defining here, but this won't work. I'll assume
that you are trying to protect your wireless and want to build a tunnel
the the IPsec server in the same lan, tunneling all your traffic through it.
This would be something like (on the server):
left=192.168.1.35
leftsubnet=0.0.0.0/0
right=%any
and on the client:
left=%defaultroute
right=192.168.1.35
rightsubnet=0.0.0.0/0
You might want to have a look at the wavesec and "wavesec for windows"
solutions we've configured for that.
wavesec: http://www.wavesec.org
for windows: ftp://ftp.openswan.org/openswan/windows/wavesec/0.99/
Paul
--
"Non cogitamus, ergo nihil sumus"
More information about the Users
mailing list