paul at xelerance.com
Wed Jul 13 02:56:30 CEST 2005
On Tue, 12 Jul 2005, Siegfried Fischler wrote:
> I am desperate to get an openswan 2.3.1 server running. However, the log
> message "cannot respond to IPsec SA request because no connection is known
> for 18.104.22.168/32===22.214.171.124[C=YY, ST=YYY, L=YYY, O=YYY, OU=YYY,
> CN=YYY, E=YYY]:17/0...126.96.36.199[C=XX, ST=XXX, L=XXX, O=XXX, OU=XX,

What is 188.8.131.52? It is asking for 17/0. Is this some Windows XP without
proper updates or some old MacOSX client? It also means this client is doing
L2TP and not pure IPsec with X509 certificates.

> conn roadwarrion-net
> conn roadwarrior-all
> conn roadwarrior
> conn roadwarrior-l2tp

Unfortunately, openswan cannot always distinguish between incoming
connections in time to decide whether something is a pure X509 or whether
it is an L2TP X509 roadwarrior. You are adding both. I wonder if one of
them isn't failing with "roadwarrior conflicts with roadwarrior-l2tp"?

The first thing to do is change 17/1701 to 17/%any and see if that fixes
your problem of the client asking for the wrong thing.

Second, can you add rightsubnet=vhost:%no,%priv to roadwarrior-l2tp? If
it refuses this with type=transport, remove the type=transport; it will
work without it being explicitly configured.

I am very interested in the results of these changes. If you mail back,
please do not cut too much text so I do not lose the context. Thanks!

"I am not even supposed to be here today!" -- Clerk