[Openswan Users] cannot respond to IPsec SA request because no connection is known

Siegfried Fischler siegfried.fischler2 at bluewin.ch
Tue Jul 12 21:09:16 CEST 2005 

Hi,

I am desperate to get a openswan 2.3.1 server running. However, the log
message "cannot respond to IPsec SA request because no connection is known
for 83.76.30.25/32===195.210.210.2[C=YY, ST=YYY, L=YYY, O=YYY, OU=YYY,
CN=YYY, E=YYY]:17/0...62.202.163.82[C=XX, ST=XXX, L=XXX, O=XXX, OU=XX,
CN=XXX, E=XXX]:17/1701" obviously torpedoes all my efforts...The topology I
use is:


"roadwarrior"
 dynamicIP
     |
     |
  Internet
     |
     |
 dynamicIP
  "DSL" with NAT (all ports are forwarded to openswan server)
195.210.210.1
     |
     |
195.210.210.2
"openswan server with NAT-T"
 192.168.1.1
     |
     |
    LAN

The ipsec.conf is according nate's page
http://www.natecarlson.com/linux/ipsec-l2tp.php

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	interfaces=%defaultroute
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# Add connections here
conn %default
	keyingtries=1
	compress=yes
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert

conn roadwarrion-net
	leftsubnet=192.168.1.0/24
	also=roadwarrior

conn roadwarrior-all
	leftsubnet=0.0.0.0
	also=roadwarrior

conn roadwarrior
	left=%defaultroute
	leftcert=pegasuscert.pem
	right=%any
	rightsubnet=vhost:%no,%priv
	auto=add
	pfs=yes

conn roadwarrior-l2tp
	type=transport
	left=%defaultroute
	leftcert=pegasuscert.pem
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/1701
	pfs=no
	auto=add

conn roadwarrior-l2tp-oldwin
	left=%defaultroute
	leftcert=pegasuscert.pem
	leftprotoport=17/0
	right=%any
	rightprotoport=17/1701
	rightsubnet=vhost:%no,%priv
	pfs=no
	auto=add

conn block
	auto=ignore

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore

the log file shows

Jul 12 18:14:38 pegasus pluto[3910]: packet from 62.202.163.82:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Jul 12 18:14:38 pegasus pluto[3910]: "roadwarrior-l2tp"[1] 62.202.163.82 #1:
responding to Main Mode from unknown peer 62.202.163.82
Jul 12 18:14:38 pegasus pluto[3910]: "roadwarrior-l2tp"[1] 62.202.163.82 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 12 18:14:38 pegasus pluto[3910]: "roadwarrior-l2tp"[1] 62.202.163.82 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 12 18:14:39 pegasus pluto[3910]: "roadwarrior-l2tp"[1] 62.202.163.82 #1:
Main mode peer ID is ID_DER_ASN1_DN: 'C=XX, ST=XXX, L=XXX, O=XXX, OU=XX,
CN=XXX, E=XXX'
Jul 12 18:14:39 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
deleting connection "roadwarrior-l2tp" instance with peer 62.202.163.82
{isakmp=#0/ipsec=#0}
Jul 12 18:14:39 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
I am sending my cert
Jul 12 18:14:39 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 12 18:14:39 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
sent MR3, ISAKMP SA established
Jul 12 18:14:40 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
cannot respond to IPsec SA request because no connection is known for
83.76.30.25/32===195.210.210.2[C=YY, ST=YYY, L=YYY, O=YYY, OU=YYY, CN=YYY,
E=YYY]:17/0...62.202.163.82[C=XX, ST=XXX, L=XXX, O=XXX, OU=XX, CN=XXX,
E=XXX]:17/1701
Jul 12 18:14:40 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
sending encrypted notification INVALID_ID_INFORMATION to 62.202.163.82:500
Jul 12 18:14:40 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
failed to build notification for spisize=0
Jul 12 18:14:41 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x1d45c0c3 (perhaps this is a duplicated packet)
Jul 12 18:14:41 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
sending encrypted notification INVALID_MESSAGE_ID to 62.202.163.82:500
Jul 12 18:14:41 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
failed to build notification for spisize=0
Jul 12 18:14:43 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x1d45c0c3 (perhaps this is a duplicated packet)
Jul 12 18:14:43 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
sending encrypted notification INVALID_MESSAGE_ID to 62.202.163.82:500
Jul 12 18:14:43 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
failed to build notification for spisize=0
Jul 12 18:14:47 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x1d45c0c3 (perhaps this is a duplicated packet)
Jul 12 18:14:47 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
sending encrypted notification INVALID_MESSAGE_ID to 62.202.163.82:500
Jul 12 18:14:47 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
failed to build notification for spisize=0
Jul 12 18:14:55 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x1d45c0c3 (perhaps this is a duplicated packet)
Jul 12 18:14:55 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
sending encrypted notification INVALID_MESSAGE_ID to 62.202.163.82:500
Jul 12 18:14:55 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
failed to build notification for spisize=0
Jul 12 18:15:11 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x1d45c0c3 (perhaps this is a duplicated packet)
Jul 12 18:15:11 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
sending encrypted notification INVALID_MESSAGE_ID to 62.202.163.82:500
Jul 12 18:15:11 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
failed to build notification for spisize=0
Jul 12 18:15:43 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82 #1:
received Delete SA payload: deleting ISAKMP State #1
Jul 12 18:15:43 pegasus pluto[3910]: "roadwarrior-l2tp"[2] 62.202.163.82:
deleting connection "roadwarrior-l2tp" instance with peer 62.202.163.82
{isakmp=#0/ipsec=#0}
Jul 12 18:15:43 pegasus pluto[3910]: packet from 62.202.163.82:500: received
and ignored informational message

I could successfully establish an IPsec connection, when the roadwarrior
host was physically attached to the 195.210.210.0 network.

More information about the Users mailing list