[Openswan Users] ISAKMP SA versus IPSEC SA

Andy fs at globalnetit.com
Thu Dec 8 16:14:50 CET 2005

On Thu, 2005-12-08 at 07:45 -0800, Jerry Kaidor wrote:
> Hello,
>     I note that when trying to get a Win2K roadwarrior - NAT -
> Linux/Openswan link running ( haven't succeeded yet ) I keep getting
> errors in the /var/log/secure to the general gist of "Can't find a
> connection definition that matches these two peers", when it's trying
> to set up the IPSEC SA.  Yet the ISAKMP SA has already been set up
> with the existing connection definitions.
>    What is it that an IPSEC SA requires in connection defs that an ISAKMP
> SA does not?
ISAKMP needs the 2 security gateway hosts to authenticate each other and
agree to start negotiating IPSec stuff. It uses the left/right addresses
and ids, along with the requested authentication mechanism. This is the
phase 1 negotiation, also called Main mode. It's evidently working for

Once ISAKMP is established, IPsec SAs (possibly more than 1) can be
negotiated over the ISAKMP secure channel. This negotiation (phase 2,
AKA quick mode) is where stuff like left/rightsubnet, pfs, compress etc
are used. A mismatch in those parameters is causing your problem.
Generally I've found that the log messages make it quite clear where the
mismatch is.

>    Also, could anybody point me at a document that explains the general
> process of setting up an IPSEC connection, from a protocol standpoint?
RFC2408, 2409, etc.

>    Thanks,
>                        - Jerry Kaidor ( jerry at tr2.com )
Andy <fs at globalnetit.com>
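
Added example, not part of Andy's message and not Openswan code: a simplified Python model of the phase 1 / phase 2 split described in the reply, showing how a conn that passes phase 1 can still fail in quick mode. The addresses are constructed, the key grouping follows the reply, and it assumes a NATed client proposes its private address as its phase 2 client network; pluto's real connection matching is more involved.

```python
import ipaddress

# Conn keys grouped by the negotiation phase that uses them, per the reply above.
PHASE1_KEYS = {"left", "right", "leftid", "rightid", "authby"}
PHASE2_KEYS = {"leftsubnet", "rightsubnet", "pfs", "compress"}

# Constructed sample conn (addresses are from documentation ranges).
SAMPLE_CONN = """
conn roadwarrior
    left=203.0.113.10
    leftsubnet=10.0.0.0/24
    right=%any
    authby=secret
    pfs=no
"""

def parse_conn(text):
    """Return the key=value pairs of a single conn section as a dict."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn

def by_phase(conn):
    """Group the conn's keys by the phase that uses them."""
    p1 = {k: v for k, v in conn.items() if k in PHASE1_KEYS}
    p2 = {k: v for k, v in conn.items() if k in PHASE2_KEYS}
    return p1, p2

def client_net(conn, side, host_ip):
    """Phase 2 client network; an omitted subnet means the host itself (/32)."""
    value = conn.get(side + "subnet", host_ip)
    return ipaddress.ip_network(value, strict=False)

def check(conn, peer_ip, proposed_local, proposed_remote):
    """Simplified model: name the phase that rejects the peer, or 'ok'."""
    if conn["right"] not in ("%any", peer_ip):
        return "phase1: peer address does not match right="
    ours = client_net(conn, "left", conn["left"])
    theirs = client_net(conn, "right", peer_ip)
    if ipaddress.ip_network(proposed_local) != ours:
        return "phase2: proposed local net %s != %s" % (proposed_local, ours)
    if ipaddress.ip_network(proposed_remote) != theirs:
        return "phase2: proposed remote net %s != %s" % (proposed_remote, theirs)
    return "ok"
```

With the sample conn, a peer seen at 198.51.100.7 that proposes 192.168.1.101/32 as its client network passes the phase 1 check and is rejected in phase 2, because the conn has no rightsubnet covering that address.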
