[Openswan Users]

Siegfried Fischler siegfried.fischler2 at bluewin.ch
Wed Jul 13 13:14:07 CEST 2005


Paul,

I was aware that the 17/0 L2TP port request is "the old-fashioned" way, but I
didn't want to work on too many "issues" at the same time. I believe that
the log message "cannot respond to IPsec SA request because no connection is
known for <any dynamic IP adr of internet router>/32===<static IP adr of
openswan server>[certificate related blahblah]:17/0...<any dynamic IP adr
for roadwarrior>[certificate related blahblah]:17/1701" is the key to solving
this issue. I realised that many other users have the same problem...

I tested your proposal without luck. The very same log message keeps
coming up. Note that "17/%any" did not work at all with the openswan 2.3.1
installed on the test server, so I changed it straight to "17/0". The
log just shows that pluto is using the "roadwarrior-l2tp" connection settings.
Please find below all the log messages for the trial ipsec/l2tp session
attempt:

Jul 13 11:48:15 pegasus ipsec__plutorun: Starting Pluto subsystem...
Jul 13 11:48:15 pegasus pluto[14038]: Starting Pluto (Openswan Version
cvs2002Mar12_02:19:03 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR;
Vendor ID OEkhB\177Vmnzed)
Jul 13 11:48:15 pegasus pluto[14038]: Setting port floating to on
Jul 13 11:48:15 pegasus pluto[14038]: port floating activate 1/1
Jul 13 11:48:15 pegasus pluto[14038]:   including NAT-Traversal patch
(Version 0.6c)
Jul 13 11:48:15 pegasus pluto[14038]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Jul 13 11:48:15 pegasus pluto[14038]: starting up 1 cryptographic helpers
Jul 13 11:48:15 pegasus pluto[14038]: started helper pid=14046 (fd:6)
Jul 13 11:48:15 pegasus pluto[14038]: Using KLIPS IPsec interface code
Jul 13 11:48:15 pegasus pluto[14038]: Changing to directory
'/etc/ipsec.d/cacerts'
Jul 13 11:48:15 pegasus pluto[14038]:   loaded CA cert file 'cacert.pem'
(1342 bytes)
Jul 13 11:48:15 pegasus pluto[14038]: Changing to directory
'/etc/ipsec.d/aacerts'
Jul 13 11:48:15 pegasus pluto[14038]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Jul 13 11:48:15 pegasus pluto[14038]: Changing to directory
'/etc/ipsec.d/crls'
Jul 13 11:48:15 pegasus pluto[14038]:   loaded crl file 'crl.pem' (536
bytes)
Jul 13 11:48:16 pegasus pluto[14038]:   loaded host cert file
'/etc/ipsec.d/certs/pegasuscert.pem' (3751 bytes)
Jul 13 11:48:16 pegasus pluto[14038]: added connection description
"roadwarrior-l2tp"
Jul 13 11:48:16 pegasus pluto[14038]:   loaded host cert file
'/etc/ipsec.d/certs/pegasuscert.pem' (3751 bytes)
Jul 13 11:48:16 pegasus pluto[14038]: added connection description
"roadwarrior"
Jul 13 11:48:16 pegasus pluto[14038]: listening for IKE messages
Jul 13 11:48:16 pegasus pluto[14038]: adding interface ipsec0/eth1
195.210.210.2:500
Jul 13 11:48:16 pegasus pluto[14038]: adding interface ipsec0/eth1
195.210.210.2:4500
Jul 13 11:48:16 pegasus pluto[14038]: loading secrets from
"/etc/ipsec.secrets"
Jul 13 11:48:16 pegasus pluto[14038]:   loaded private key file
'/etc/ipsec.d/private/pegasuskey.pem' (1724 bytes)
#
# Down below is the unsuccessful connection attempt from a dial-up WinXP
roadwarrior, recorded until WinXP shows "error 792".
# Note that
# 62.202.193.205 is the dynamic WinXP client IP address
# 81.62.18.37 is the dynamic DSL router IP address, which connects the
openswan server to the internet
# 192.210.210.2 is the static openswan server IP address
#
Jul 13 11:50:06 pegasus pluto[14038]: packet from 62.202.193.205:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Jul 13 11:50:06 pegasus pluto[14038]: "roadwarrior-l2tp"[1] 62.202.193.205
#1: responding to Main Mode from unknown peer 62.202.193.205
Jul 13 11:50:06 pegasus pluto[14038]: "roadwarrior-l2tp"[1] 62.202.193.205
#1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 13 11:50:06 pegasus pluto[14038]: "roadwarrior-l2tp"[1] 62.202.193.205
#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 13 11:50:07 pegasus pluto[14038]: "roadwarrior-l2tp"[1] 62.202.193.205
#1: Main mode peer ID is ID_DER_ASN1_DN: 'C=xx, ST=xxx, L=xxx, O=xxx, OU=xx,
CN=xxx, E=xxx'
Jul 13 11:50:07 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: deleting connection "roadwarrior-l2tp" instance with peer 62.202.193.205
{isakmp=#0/ipsec=#0}
Jul 13 11:50:07 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: I am sending my cert
Jul 13 11:50:07 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 13 11:50:07 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: sent MR3, ISAKMP SA established
Jul 13 11:50:08 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: cannot respond to IPsec SA request because no connection is known for
81.62.18.37/32===195.210.210.2[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx, CN=xxx,
E=xxx]:17/0...62.202.193.205[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx, CN=xxx,
E=xxx]:17/1701
Jul 13 11:50:08 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: sending encrypted notification INVALID_ID_INFORMATION to
62.202.193.205:500
Jul 13 11:50:08 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: failed to build notification for spisize=0
Jul 13 11:50:09 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x63497fa8 (perhaps this is a duplicated packet)
Jul 13 11:50:09 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: sending encrypted notification INVALID_MESSAGE_ID to 62.202.193.205:500
Jul 13 11:50:09 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: failed to build notification for spisize=0
Jul 13 11:50:11 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x63497fa8 (perhaps this is a duplicated packet)
Jul 13 11:50:11 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: sending encrypted notification INVALID_MESSAGE_ID to 62.202.193.205:500
Jul 13 11:50:11 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: failed to build notification for spisize=0
Jul 13 11:50:15 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x63497fa8 (perhaps this is a duplicated packet)
Jul 13 11:50:15 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: sending encrypted notification INVALID_MESSAGE_ID to 62.202.193.205:500
Jul 13 11:50:15 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: failed to build notification for spisize=0
Jul 13 11:50:23 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x63497fa8 (perhaps this is a duplicated packet)
Jul 13 11:50:23 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: sending encrypted notification INVALID_MESSAGE_ID to 62.202.193.205:500
Jul 13 11:50:23 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: failed to build notification for spisize=0
Jul 13 11:50:39 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x63497fa8 (perhaps this is a duplicated packet)
Jul 13 11:50:39 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: sending encrypted notification INVALID_MESSAGE_ID to 62.202.193.205:500
Jul 13 11:50:39 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: failed to build notification for spisize=0
Jul 13 11:51:11 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
#1: received Delete SA payload: deleting ISAKMP State #1
Jul 13 11:51:11 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205:
deleting connection "roadwarrior-l2tp" instance with peer 62.202.193.205
{isakmp=#0/ipsec=#0}
Jul 13 11:51:11 pegasus pluto[14038]: packet from 62.202.193.205:500:
received and ignored informational message
#
# This shows the successful session with the same WinXP client, now attached
within the 195.210.210.0 network. Again, the client
# gets its IP address from a DHCP server, which in this case is
195.210.210.11.
#
Jul 13 11:52:01 pegasus pluto[14038]: packet from 195.210.210.11:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Jul 13 11:52:01 pegasus pluto[14038]: "roadwarrior-l2tp"[3] 195.210.210.11
#2: responding to Main Mode from unknown peer 195.210.210.11
Jul 13 11:52:01 pegasus pluto[14038]: "roadwarrior-l2tp"[3] 195.210.210.11
#2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 13 11:52:01 pegasus pluto[14038]: "roadwarrior-l2tp"[3] 195.210.210.11
#2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 13 11:52:01 pegasus pluto[14038]: "roadwarrior-l2tp"[3] 195.210.210.11
#2: Main mode peer ID is ID_DER_ASN1_DN: 'C=xx, ST=xxx, L=xxx, O=xxx, OU=xx,
CN=xxx, E=xxx'
Jul 13 11:52:01 pegasus pluto[14038]: "roadwarrior-l2tp"[4] 195.210.210.11
#2: deleting connection "roadwarrior-l2tp" instance with peer 195.210.210.11
{isakmp=#0/ipsec=#0}
Jul 13 11:52:01 pegasus pluto[14038]: "roadwarrior-l2tp"[4] 195.210.210.11
#2: I am sending my cert
Jul 13 11:52:01 pegasus pluto[14038]: "roadwarrior-l2tp"[4] 195.210.210.11
#2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 13 11:52:01 pegasus pluto[14038]: "roadwarrior-l2tp"[4] 195.210.210.11
#2: sent MR3, ISAKMP SA established
Jul 13 11:52:01 pegasus pluto[14038]: "roadwarrior-l2tp"[4] 195.210.210.11
#3: responding to Quick Mode {msgid:e11a6231}
Jul 13 11:52:01 pegasus pluto[14038]: "roadwarrior-l2tp"[4] 195.210.210.11
#3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 13 11:52:01 pegasus pluto[14038]: "roadwarrior-l2tp"[4] 195.210.210.11
#3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 13 11:52:01 pegasus pluto[14038]: "roadwarrior-l2tp"[4] 195.210.210.11
#3: IPsec SA established {ESP=>0xafbef4a6 <0x8808e835 xfrm=3DES_0-HMAC_MD5}

Paul, can you confirm that anybody has already run openswan with a dial-up
client? Can you enlighten me and give me a hint about what the log shows after
the message "cannot respond to IPsec SA request because no connection is
known for 81.62.18.37/32===195.210.210.2[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx,
CN=xxx, E=xxx]:17/0...62.202.193.205[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx,
CN=xxx, E=xxx]:17/1701"?

Cheers,

Sigi

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Wednesday, 13 July 2005 01:57
To: Siegfried Fischler
Cc: users at openswan.org
Subject: **SPAM** Re: [Openswan Users]


On Tue, 12 Jul 2005, Siegfried Fischler wrote:

> I am desperate to get a openswan 2.3.1 server running. However, the log
> message "cannot respond to IPsec SA request because no connection is known
> for 83.76.30.25/32===195.210.210.2[C=YY, ST=YYY, L=YYY, O=YYY, OU=YYY,
> CN=YYY, E=YYY]:17/0...62.202.163.82[C=XX, ST=XXX, L=XXX, O=XXX, OU=XX,

What is 83.76.30.25? It is asking for 17/0. This is some windows XP without
proper updates or some old MacOSX client? It also means this client is doing
L2TP and not pure IPsec with X509 certificates.

> conn roadwarrion-net
> 	leftsubnet=192.168.1.0/24
> 	also=roadwarrior
>
> conn roadwarrior-all
> 	leftsubnet=0.0.0.0
> 	also=roadwarrior
>
> conn roadwarrior
> 	left=%defaultroute
> 	leftcert=pegasuscert.pem
> 	right=%any
> 	rightsubnet=vhost:%no,%priv
> 	auto=add
> 	pfs=yes
>
> conn roadwarrior-l2tp
> 	type=transport
> 	left=%defaultroute
> 	leftcert=pegasuscert.pem
> 	leftprotoport=17/1701
> 	right=%any
> 	rightprotoport=17/1701
> 	pfs=no
> 	auto=add

Unfortunately, openswan cannot always distinguish between incoming
connections in time to decide whether something is a pure X509 or whether
it is an L2TP X509 roadwarrior. You are adding both. I wonder if one of
them isn't failing with "roadwarrior conflicts with roadwarrior-l2tp"?

The first thing to do is change 17/1701 to 17/%any and see if that fixes
your problem of the client asking for the wrong thing.

Second, can you add rightsubnet=vhost:%no,%priv to roadwarrior-l2tp? If
it refuses this with type=transport, remove the type=transport; it will
work without it being explicitly configured.

I am very interested in the results of these changes. If you mail back,
please do not cut too much text so I do not lose the context. Thanks!

Paul
--

   "I am not even supposed to be here today!"  -- Clerk
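The thread turns on reading one pluto log line: the "no connection is known for" message lists the traffic selectors the Windows client proposed in Quick Mode, and Paul's suggestion (17/%any instead of 17/1701) is about making the conn's protoport accept that proposal. The script below is an added example, not code from this thread or from Openswan: it parses that line into its parts and compares them against a conn's leftprotoport/rightprotoport. The regular expression is derived from the sample line above only, the sample line is the thread's own message re-joined onto one line (syslog writes it unwrapped), and the rule that a proposed port 0 matches only a configured %any is an assumption modelled on Paul's advice, not on pluto's source.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pluto reports the selectors a peer proposed as
#   <client-subnet>===<this-host>[<this-ID>]:<proto>/<port>...<peer-host>[<peer-ID>]:<proto>/<port>
# Assumption: the pattern is built from the sample line in this thread and does
# not cover the optional "===<peer-subnet>" tail of tunnel-mode proposals.
NO_CONN_RE = re.compile(
    r"no connection is known for "
    r"(?P<this_client>\S+?)===(?P<this_host>[0-9.]+)"
    r"\[(?P<this_id>[^\]]*)\]:(?P<this_proto>\d+)/(?P<this_port>\d+)"
    r"\.\.\.(?P<that_host>[0-9.]+)"
    r"\[(?P<that_id>[^\]]*)\]:(?P<that_proto>\d+)/(?P<that_port>\d+)"
)


@dataclass
class SaRequest:
    this_client: str  # subnet the peer wants reachable behind our host
    this_host: str    # our host address as used in the ISAKMP SA
    this_id: str
    this_proto: int
    this_port: int    # 0 means "any port" in the proposal
    that_host: str
    that_id: str
    that_proto: int
    that_port: int


def parse_no_conn_line(line: str) -> Optional[SaRequest]:
    """Extract the proposed selectors from a pluto 'no connection is known' line."""
    m = NO_CONN_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return SaRequest(
        g["this_client"], g["this_host"], g["this_id"],
        int(g["this_proto"]), int(g["this_port"]),
        g["that_host"], g["that_id"],
        int(g["that_proto"]), int(g["that_port"]),
    )


def protoport_matches(proto: int, port: int, configured: str) -> bool:
    """Match a proposed proto/port against a leftprotoport/rightprotoport value.

    Assumption: only a configured '%any' accepts a wildcard (port 0) proposal;
    a fixed port such as 1701 does not.
    """
    cfg_proto, cfg_port = configured.split("/")
    if int(cfg_proto) != proto:
        return False
    if cfg_port == "%any":
        return True
    return int(cfg_port) == port


def diagnose(req: SaRequest, left_protoport: str, right_protoport: str) -> List[str]:
    """List the ways a conn with these protoports fails to cover the proposal."""
    findings = []
    if req.this_client != f"{req.this_host}/32":
        findings.append(
            f"peer selects {req.this_client} on our side rather than our own host "
            f"{req.this_host}/32; check for address translation in front of the gateway"
        )
    if not protoport_matches(req.this_proto, req.this_port, left_protoport):
        findings.append(
            f"peer proposes {req.this_proto}/{req.this_port} for our side "
            f"(port 0 = any), conn has leftprotoport={left_protoport}"
        )
    if not protoport_matches(req.that_proto, req.that_port, right_protoport):
        findings.append(
            f"peer proposes {req.that_proto}/{req.that_port} for its side, "
            f"conn has rightprotoport={right_protoport}"
        )
    return findings


# Constructed sample: the log line from this thread, re-joined onto one line.
SAMPLE_LINE = (
    'Jul 13 11:50:08 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205 #1: '
    "cannot respond to IPsec SA request because no connection is known for "
    "81.62.18.37/32===195.210.210.2[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx, CN=xxx, E=xxx]:17/0"
    "...62.202.193.205[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx, CN=xxx, E=xxx]:17/1701"
)

if __name__ == "__main__":
    req = parse_no_conn_line(SAMPLE_LINE)
    # Compare against the roadwarrior-l2tp conn as posted (17/1701 on both sides).
    for finding in diagnose(req, "17/1701", "17/1701"):
        print("-", finding)
```

Run against the posted conn, the script reports two things: the client's selector for the server side is the DSL router's address 81.62.18.37/32, not the server's own 195.210.210.2/32, and the client asks for 17/0 where the conn demands 17/1701. With leftprotoport=17/%any only the address finding remains, which separates the port question Paul raised from the address question that the log also shows.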


