[Openswan Users]
Paul Wouters
paul at xelerance.com
Wed Jul 13 02:56:30 CEST 2005
On Tue, 12 Jul 2005, Siegfried Fischler wrote:
> I am desperate to get a openswan 2.3.1 server running. However, the log
> message "cannot respond to IPsec SA request because no connection is known
> for 83.76.30.25/32===195.210.210.2[C=YY, ST=YYY, L=YYY, O=YYY, OU=YYY,
> CN=YYY, E=YYY]:17/0...62.202.163.82[C=XX, ST=XXX, L=XXX, O=XXX, OU=XX,
What is 83.76.30.25? It is asking for 17/0. This is some windows XP without
proper updates or some old MacOSX client? It also means this client is doing
L2TP and not pure IPsec with X509 certificates.
> conn roadwarrion-net
> leftsubnet=192.168.1.0/24
> also=roadwarrior
>
> conn roadwarrior-all
> leftsubnet=0.0.0.0
> also=roadwarrior
>
> conn roadwarrior
> left=%defaultroute
> leftcert=pegasuscert.pem
> right=%any
> rightsubnet=vhost:%no,%priv
> auto=add
> pfs=yes
>
> conn roadwarrior-l2tp
> type=transport
> left=%defaultroute
> leftcert=pegasuscert.pem
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/1701
> pfs=no
> auto=add
Unfortunately, openswan cannot always distinguish between incoming
connections in time to decide whether something is a pure X509 or whether
it is an L2TP X509 roadwarrior. You are adding both. I wonder if one of
them isn't failing with "roadwarrior conflicts with roadwarrior-l2tp"?
The first thing to do is change 17/1701 to 17/%any and see if that fixes
your problem of the client asking for the wrong thing.
Second, can you add rightsubnet=vhost:%no,%priv to roadwarrior-l2tp? If
it refuses this with type=transport, remove the type=transport, it will
work without it being explicitly configured.
I am very interested in the results of these changes. If you mail back,
please do not cut too much text so I do not lose the context. Thanks!
Paul
--
"I am not even supposed to be here today!" -- Clerk
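To see why the "no connection is known" line quoted above does not match the roadwarrior-l2tp conn with leftprotoport=17/1701, here is an added diagnostic (written for this thread, not code from Openswan or from either poster) that parses the first endpoint out of that log line and applies the protoport matching rule Paul's advice relies on. The regex, the function names and the assumption that a port of 0 (what %any expands to) means "any port" are mine.

```python
import re

# Constructed sample: the log line quoted in the thread, trimmed to the part that
# matters; addresses are the ones from the post, the DNs are shortened.
SAMPLE_LOG = (
    'cannot respond to IPsec SA request because no connection is known for '
    '83.76.30.25/32===195.210.210.2[C=YY, CN=YYY]:17/0...62.202.163.82[C=XX, CN=XXX]'
)

# "<subnet>===<host>[<DN>]:<proto>/<port>" for the first endpoint shown in the line.
# The DN is bracketed and may contain commas, spaces and '=' but never ']'.
FIRST_ENDPOINT_RE = re.compile(
    r'for (?P<subnet>[\d.]+/\d+)===(?P<host>[\d.]+)\[[^\]]*\]:(?P<proto>\d+)/(?P<port>\d+)'
)


def parse_first_endpoint(line):
    """Return (subnet, host, proto, port) for the first endpoint, or None."""
    m = FIRST_ENDPOINT_RE.search(line)
    if not m:
        return None
    return (m['subnet'], m['host'], int(m['proto']), int(m['port']))


def parse_protoport(spec):
    """Parse an ipsec.conf protoport such as '17/1701' or '17/%any' into (proto, port).
    Assumption: '%any' is the same as port 0, i.e. 'any port'."""
    proto, port = spec.split('/')
    return (int(proto), 0 if port == '%any' else int(port))


def protoport_matches(conf_spec, requested):
    """Protoport dimension of conn matching only (subnets and IDs must match too).
    Assumption: a configured port of 0 accepts whatever port the peer proposes,
    a fixed port accepts only that exact port; protocols must be identical."""
    cproto, cport = parse_protoport(conf_spec)
    rproto, rport = requested
    if cproto != rproto:
        return False
    return cport == 0 or cport == rport


def matching_conns(line, conn_protoports):
    """Names of conns whose protoport would accept what the log line asks for."""
    ep = parse_first_endpoint(line)
    if ep is None:
        return []
    requested = (ep[2], ep[3])
    return [name for name, spec in conn_protoports.items()
            if protoport_matches(spec, requested)]
```

Feeding it the two variants of the l2tp conn shows that 17/1701 rejects the peer's 17/0 request while 17/%any accepts it, which is the first change suggested above.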