[Openswan Users]

Paul Wouters paul at xelerance.com
Wed Jul 13 17:54:17 CEST 2005


On Wed, 13 Jul 2005, Siegfried Fischler wrote:

> I was aware that 17/0 L2TP port request is "the old-fashioned" way, but I
> didn't want to work on too many "issues" at the same time. I believe that

Unfortunately, you can't just ignore one problem and tackle your other
problem.

> the log message "cannot respond to IPsec SA request because no connection is
> known for <any dynamic IP adr of internet router>/32===<static IP adr of
> openswan server>[certificate related blahblah]:17/0...<any dynamic IP adr
> for roadwarrior>[certificate related blahblah]:17/1701" is the key to solve
> this issue. I realised that many other users do have the same problem...

Yes, unfortunately, that error means about as much as "something, somewhere has
been misconfigured somehow".

> I tested your proposal without luck. The very same log message keeps on
> coming up. Note that "17/%any" did not work at all with the openswan 2.3.1
> installed on the test server,

How did it not work? Did it accept it? Openswan 2.3.1 should accept the syntax,
and you should leave it in, and not change it for 17/0.

> log just shows that pluto is using "roadwarrior-l2tp" connection settings.
> Please find below all the log messages for the trial ipsec/l2tp session
> attempt:

Is it the only conn you have added?

> # Down below is the unsuccessful connection attempt from a dial-up WinXP
> roadwarrior, recorded until WinXP shows "error 792".
> # Note that
> # 62.202.193.205 is the dynamic WinXP client IP address
> # 81.62.18.37 is the dynamic DSL router IP address, which connects the
> openswan server to the internet
> # 192.210.210.2 is the static openswan server IP address

Your openswan server is behind NAT??
Did you apply the registry hack for making Windows XP SP2 and higher accept
connections to VPN servers behind NAT? You might not need it now, since
you are using an unpatched Windows XP client (hence the 17/0 problem) but
as soon as you upgrade the XP machine, you will need it.

> Jul 13 11:50:08 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205
> #1: cannot respond to IPsec SA request because no connection is known for
> 81.62.18.37/32===195.210.210.2[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx, CN=xxx,
> E=xxx]:17/0...62.202.193.205[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx, CN=xxx,
> E=xxx]:17/1701

Did you have rightsubnet=vhost:%priv.%no? (If you get an error about transport
mode and subnet not being allowed, remove 'type=transport' from the connection.)

> # This shows the successful session with the same WinXP client now attached
> within the 195.210.210.0 network. Again, the client
> # gets its IP address from a DHCP server, which is in this case
> 195.210.210.11.

So when there is no NAT. See above.

> Paul, can you confirm that anybody has already run openswan with a dial-up
> client??

I have not run with a dial-up client. I have run with XP machines behind NAT
using L2TP. I have not personally put openswan servers behind NAT.

> Can you enlighten me and give me a hint what the log shows after
> the message "cannot respond to IPsec SA request because no connection is
> known for 81.62.18.37/32===195.210.210.2[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx,
> CN=xxx, E=xxx]:17/0...62.202.193.205[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx,
> CN=xxx, E=xxx]:17/1701"?

Ignore what comes after that. It is just errors in response to errors (that
do need to be addressed but are not your problem).

Paul
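As an added diagnostic (not code from this thread or from Openswan): a small Python parser for the "cannot respond to IPsec SA request because no connection is known for ..." message Paul discusses. It pulls out the selectors the client proposed and flags the two things this thread turns on: the server-side /32 being the NAT router's address rather than the server's own, and the 17/0 port wildcard. The sample line is constructed from the addresses quoted above, with the certificate DN shortened.

```python
import re

# Constructed sample of the pluto message quoted in the thread (addresses as
# in the mail, DN contents shortened); not copied verbatim from Openswan.
SAMPLE_LOG = (
    'Jul 13 11:50:08 pegasus pluto[14038]: "roadwarrior-l2tp"[2] 62.202.193.205 '
    '#1: cannot respond to IPsec SA request because no connection is known for '
    '81.62.18.37/32===195.210.210.2[C=xx, O=xxx, CN=xxx]:17/0...'
    '62.202.193.205[C=xx, O=xxx, CN=xxx]:17/1701'
)

# One end as pluto prints it: host[id]:proto/port (the subnet, if any, is
# joined to the host with "===": lsub===lhost ... rhost===rsub).
_END = r'(?P<{p}host>[\d.]+)(?:\[(?P<{p}id>[^\]]*)\])?:(?P<{p}proto>\d+)/(?P<{p}port>\d+)'
PATTERN = re.compile(
    r'no connection is known for (?:(?P<lsub>[\d.]+/\d+)===)?'
    + _END.format(p='l') + r'\.\.\.' + _END.format(p='r')
    + r'(?:===(?P<rsub>[\d.]+/\d+))?'
)


def parse_no_conn(line):
    """Return the proposed selectors of a 'no connection is known for' line, or None."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None


def diagnose(line):
    """Return hints derived from the proposed selectors (empty list if no match)."""
    sel = parse_no_conn(line)
    if sel is None:
        return []
    hints = []
    # The client names the address it talked to as our selector; a /32 for an
    # address other than pluto's own means the server sits behind NAT.
    if sel['lsub'] and sel['lsub'].endswith('/32') and sel['lsub'][:-3] != sel['lhost']:
        hints.append(f"server behind NAT: client reached {sel['lsub'][:-3]}, pluto is {sel['lhost']}")
    # UDP port 0 on the server side is the wildcard the older client proposes;
    # the conn must accept it (keep the 17/%any form rather than 17/0).
    if sel['lproto'] == '17' and sel['lport'] == '0':
        hints.append("client proposes UDP port 0 on the server side: the conn must accept it (17/%any)")
    return hints
```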

