[Openswan Users]

Paul Wouters paul at xelerance.com
Wed Jul 13 02:56:30 CEST 2005

On Tue, 12 Jul 2005, Siegfried Fischler wrote:

> I am desperate to get a openswan 2.3.1 server running. However, the log
> message "cannot respond to IPsec SA request because no connection is known
> CN=YYY, E=YYY]:17/0...[C=XX, ST=XXX, L=XXX, O=XXX, OU=XX,

It is asking for 17/0. Is this some Windows XP without proper updates or
some old MacOSX client? It also means this client is doing L2TP and not
pure IPsec with X509 certificates.

> conn roadwarrion-net
> 	leftsubnet=
> 	also=roadwarrior
> conn roadwarrior-all
> 	leftsubnet=
> 	also=roadwarrior
> conn roadwarrior
> 	left=%defaultroute
> 	leftcert=pegasuscert.pem
> 	right=%any
> 	rightsubnet=vhost:%no,%priv
> 	auto=add
> 	pfs=yes
> conn roadwarrior-l2tp
> 	type=transport
> 	left=%defaultroute
> 	leftcert=pegasuscert.pem
> 	leftprotoport=17/1701
> 	right=%any
> 	rightprotoport=17/1701
> 	pfs=no
> 	auto=add

Unfortunately, openswan cannot always distinguish between incoming 
connections in time to decide whether something is a pure X509 or whether
it is an L2TP X509 roadwarrior. You are adding both. I wonder if one of
them isn't failing with "roadwarrior conflicts with roadwarrior-l2tp"?

The first thing to do is change 17/1701 to 17/%any and see if that fixes
your problem of the client asking for the wrong thing.

Second, can you add rightsubnet=vhost:%no,%priv to roadwarrior-l2tp? If
it refuses this with type=transport, remove the type=transport; it will
work without it being explicitly configured.

I am very interested in the results of these changes. If you mail back,
please do not cut too much text so I do not lose the context. Thanks!


   "I am not even supposed to be here today!"  -- Clerk
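The two changes suggested above (widen rightprotoport=17/1701 to 17/%any, and give the L2TP conn the same rightsubnet=vhost:%no,%priv as the pure-IPsec roadwarrior) applied mechanically to a config in the poster's layout. This is an added example, not Openswan code or anything from the thread: the sample ipsec.conf is constructed, the leftsubnet value and certificate file name are placeholder assumptions, and the also= handling (explicit parameters win over included ones) is the assumed ipsec.conf semantics. It leaves type=transport alone; whether that has to go as well is the separate check described above.

```python
"""Apply the roadwarrior/L2TP fixes from the thread to an Openswan ipsec.conf.

Added example, not Openswan's own code.  It parses 'conn' sections,
resolves also=, and for every right=%any conn proposes the two changes
discussed: 17/1701 -> 17/%any and a missing rightsubnet=vhost:%no,%priv.
"""
import re
from collections import OrderedDict

# Constructed sample in the poster's layout.  The leftsubnet value and the
# certificate file name are placeholders assumed for this example.
SAMPLE_CONF = """\
conn roadwarrior-net
\tleftsubnet=10.0.0.0/24
\talso=roadwarrior
conn roadwarrior
\tleft=%defaultroute
\tleftcert=pegasuscert.pem
\tright=%any
\trightsubnet=vhost:%no,%priv
\tauto=add
\tpfs=yes
conn roadwarrior-l2tp
\ttype=transport
\tleft=%defaultroute
\tleftcert=pegasuscert.pem
\tleftprotoport=17/1701
\tright=%any
\trightprotoport=17/1701
\tpfs=no
\tauto=add
"""

CONN_RE = re.compile(r'^conn\s+(\S+)\s*$')


def parse_conns(text):
    """Parse every 'conn NAME' section into an ordered {name: {key: value}} map.

    'also=' may repeat, so it is collected as a list under the key 'also'.
    Comments and non-conn sections such as 'config setup' are skipped.
    """
    conns = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        m = CONN_RE.match(line)
        if m:
            current = conns.setdefault(m.group(1), OrderedDict())
            continue
        if current is None or not line[0].isspace():
            current = None  # left the conn section (e.g. 'config setup')
            continue
        key, sep, value = line.strip().partition('=')
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == 'also':
            current.setdefault('also', []).append(value)
        else:
            current[key] = value
    return conns


def expand(conns, name, _seen=None):
    """Resolve also= for one conn.  Explicit parameters win over included ones
    (assumed ipsec.conf semantics); an also= cycle raises instead of recursing."""
    _seen = _seen or set()
    if name in _seen:
        raise ValueError('also= cycle at %s' % name)
    _seen = _seen | {name}
    merged = OrderedDict((k, v) for k, v in conns[name].items() if k != 'also')
    for inc in conns[name].get('also', []):
        for k, v in expand(conns, inc, _seen).items():
            merged.setdefault(k, v)
    return merged


def suggest_fixes(params):
    """The two changes from the thread, as (key, new_value) pairs, for a %any conn."""
    fixes = []
    if params.get('right') != '%any':
        return fixes
    # 1. a client proposing 17/0 will not match 17/1701; widen to 17/%any
    if params.get('rightprotoport') == '17/1701':
        fixes.append(('rightprotoport', '17/%any'))
    # 2. the L2TP conn (the one with a protoport) should carry the same
    #    rightsubnet=vhost:%no,%priv as the pure-IPsec roadwarrior conn
    if 'rightprotoport' in params and 'rightsubnet' not in params:
        fixes.append(('rightsubnet', 'vhost:%no,%priv'))
    return fixes


def fixed_config(text):
    """Return ({conn: expanded params with fixes applied}, [(conn, key, value), ...])."""
    conns = parse_conns(text)
    result, applied = OrderedDict(), []
    for name in conns:
        params = expand(conns, name)
        for key, value in suggest_fixes(params):
            params[key] = value
            applied.append((name, key, value))
        result[name] = params
    return result, applied


def render(conns):
    """Write the expanded conns back out in ipsec.conf syntax."""
    lines = []
    for name, params in conns.items():
        lines.append('conn %s' % name)
        lines.extend('\t%s=%s' % kv for kv in params.items())
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    conns, applied = fixed_config(SAMPLE_CONF)
    for name, key, value in applied:
        print('%s: set %s=%s' % (name, key, value))
    print(render(conns))
```

Run it and the only conn touched is roadwarrior-l2tp; roadwarrior-net comes out with its leftsubnet plus everything inherited from roadwarrior, which is what the also= chain in the posted config is meant to do. If your Openswan refuses rightsubnet together with type=transport, drop the type=transport line from the rendered output by hand, as suggested above.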
