[Openswan Users] IKE Phase2 fails, cannot respond to IPsec SA

Paul Wouters paul at xelerance.com
Mon Sep 27 17:47:08 CEST 2004

On Mon, 27 Sep 2004 t.henneberger at hcs-computer.de wrote:

> Here is what Pluto is telling me:
> pluto: "roadwarrior"[2] #1: cannot respond to IPsec SA request because no connection is known for[S=C]...[,S=C]
> pluto: state transition function for STATE_QUICK_RO failed: INVALID_ID_INFORMATION

Well yes, this is impossible.

There are two mistakes here:

1) You can't have a left= that is part of leftsubnet=. How could you reach
left without having a connection to the leftsubnet, which requires left,
which requires leftsubnet... Goto 1
Openswan does not have wormhole tunnels yet :)

2) You are trying to connect from an IP range that is part
of the remote leftsubnet, while building a leftsubnet tunnel. Similar
warping of space, goto 1.

> left=
> right=%any
> rightid=%any

rightid=%any? I've never seen that used before.

I am not sure what you were defining here, but this won't work. I'll assume
that you are trying to protect your wireless and want to build a tunnel
to the IPsec server in the same LAN, tunneling all your traffic through it.
This would be something like (on the server):


and on the client:


You might want to have a look at the wavesec and "wavesec for windows"
solutions we've configured for that.
wavesec: http://www.wavesec.org
for windows:  ftp://ftp.openswan.org/openswan/windows/wavesec/0.99/


 	"Non cogitamus, ergo nihil sumus"
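
The two overlaps named in the reply above (left= inside leftsubnet=, and a peer address inside the remote leftsubnet) can be checked before loading a conn. This is an added example, not part of the original message and not Openswan code; the sample conn, its addresses, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample conn; the addresses are illustrative, not from the post.
SAMPLE_CONF = """\
conn roadwarrior
    left=192.168.1.1
    leftsubnet=192.168.1.0/24
    right=%any
    rightid=%any
"""

def parse_conns(text):
    """Parse ipsec.conf-style text into {conn_name: {option: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header starts at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def _ip(value):
    """Return an address object, or None for %any, hostnames and empty values."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def check_conn(opts, peer_ip=None):
    """Flag the two overlaps from the reply; peer_ip is the client's address."""
    try:
        subnet = ipaddress.ip_network(opts.get("leftsubnet", ""), strict=False)
    except ValueError:
        return []  # no usable leftsubnet, nothing to compare against
    findings = []
    left = _ip(opts.get("left", ""))
    if left is not None and left in subnet:
        findings.append("left-in-leftsubnet")
    peer = _ip(peer_ip or opts.get("right", ""))
    if peer is not None and peer in subnet:
        findings.append("peer-in-leftsubnet")
    return findings
```

Because right=%any carries no address, the second check only fires when the client's actual address is passed as `peer_ip`.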
