paul at xelerance.com
Wed Jul 13 17:54:17 CEST 2005
On Wed, 13 Jul 2005, Siegfried Fischler wrote:
> I was aware that 17/0 L2TP port request is "the old fashion" way, but I
> don't wanted to work on too many "issues" at the same time. I believe that
Unfortunately, you can't just ignore one problem and tackle your other
> the log message "cannot respond to IPsec SA request because no connection is
> known for <any dynamic IP adr of internet router>/32===<static IP adr of
> openswan server>[certificate related blahblah]:17/0...<any dynamic IP adr
> for roadwarrior>[certificate related blahblah]:17/1701" is the key to solve
> this issue. I realised that many other user's do have the same problem...
Yes, unfortunately, that error means about as much as "something, somewhere has
been misconfigured somehow".
> I tested your proposal without luck. The very same log message keeps on
> coming up. Note that "17/%any" did not work at all with the openswan 2.3.1
> installed on the test server,
How did it not work? Did it accept it? Openswan 2.3.1 should accept the syntax,
and you should leave it in, and not change it for 17/0.
> log just shows that pluto is using "roadwarrior-l2tp" connection settings.
> Please find below all the log messages for the trial ipsec/l2tp session
Is it the only conn you have added?
> # Down below is the unsuccessful connection attempt from a dial-up WinXP
> roadwarrior, recorded until WinXP shows "error 792".
> # Note that
> # 220.127.116.11 is the dynamic WinXP client IP address
> # 18.104.22.168 is the dynamic DSL router IP address, which connects the
> openswan server to the internet
> # 22.214.171.124 is the static openswan server IP address
Your openswan server is behind NAT??
Did you apply the registry hack for making Windows XP SP2 and higher accept
connections to VPN servers behind NAT? You might not need it now, since
you are using an unpatched Windows XP client (hence the 17/0 problem) but
as soon as you upgrade the XP machine, you will need it.
> Jul 13 11:50:08 pegasus pluto: "roadwarrior-l2tp" 126.96.36.199
> #1: cannot respond to IPsec SA request because no connection is known for
> 188.8.131.52/32===184.108.40.206[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx, CN=xxx,
> E=xxx]:17/0...220.127.116.11[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx, CN=xxx,
Did you have rightsubnet=vhost:%priv.%no? (If you get an error about transport
mode and subnet not being allowed, remove 'type=transport' from the connection.
> # This show the successful session with the same WinXP client now attached
> within the 18.104.22.168 network. Again, the client
> # get from a DHCP server it IP address, which is in this case
So when there is no NAT. See above.
> Paul, can you confirm that anybody already did openswan run with dial-up
I have not run with a dial-up client. I have run with XP machines behind NAT
using L2TP. I have not personally put openswan servers behind NAT.
> Can you enlighten me and give me a hint what the log shows after
> the message "cannot respond to IPsec SA request because no connection is
> known for 22.214.171.124/32===126.96.36.199[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx,
> CN=xxx, E=xxx]:17/0...188.8.131.52[C=xx, ST=xxx, L=xxx, O=xxx, OU=xx,
> CN=xxx, E=xxx]:17/1701"?
Ignore what comes after that. It is just errors in response to errors (that
do need to be addressed but are not your problem)
More information about the Users