[Openswan Users] Again: "no connection is known for..."
Piero Filippin
filippinp at yahoo.co.uk
Wed Mar 23 12:43:20 CET 2005
I know that this was requested MANY times, on MANY forums/mailing lists, but I still have to find a solution for this problem.
I want to set up IPCop so it permits a connection to the GREEN network only through a VPN connection to the laptop (which is a standalone machine, not connected to a network).
My configuration is:
WinXP SP2 Laptop --> Access point --> IPCop Box (blue) --> IPCop box green
192.168.1.110                         192.168.1.100          192.168.0.199
The laptop gets its address from the blue interface DHCP.
I have set up the certificates with IPCop and the laptop VPN connection according to: http://www.jacco2.dds.nl/networking/win2000xp-freeswan.html.
Windows XP tries to connect, but times out after a while: "Error 792: The L2TP connection attempt failed because security negotiation timed out".
On the IPCop box:
Mar 18 14:43:03 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: cannot respond to IPsec SA request because no connection is known for 192.168.1.100[C=UK, O=Initiative, CN=initiative.localdomain]:17/1701...192.168.1.110[C=UK, O=Initiative, CN=Piero Laptop]:17/1701
Output from ipsec auto --status:
[...]
000 "Laptop": 192.168.0.0/24===192.168.1.100[C=UK, O=Initiative, CN=initiative.localdomain]...%virtual[C=UK, O=Initiative, CN=Piero Laptop]
[...]
This is different from everything I have seen looking around: it looks like the Windows client is trying to negotiate:
192.168.1.100 <-> 192.168.1.110
instead of:
192.168.0.0/24===192.168.1.100 <-> 192.168.1.110
so the connection does not match anything in ipsec.conf.
This is my /etc/ipsec.conf (automatically generated by IPCop):
config setup
        interfaces=ipsec0=eth2
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/255.255.255.0,%v4:!192.168.1.0/255.255.255.0

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn Laptop
        left=192.168.1.100
        leftsubnet=192.168.0.0/24
        leftcert=/var/ipcop/certs/hostcert.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        rightcert=/var/ipcop/certs/Laptopcert.pem
        authby=rsasig
        auto=add
That should mean that the blue interface (left=192.168.1.100) should allow, from any IP address (right=%any), a connection to the green subnet (leftsubnet=192.168.0.0/24) through the VPN.
On the IPCop box message log:
Mar 18 14:43:02 ipcop pluto[695]: packet from 192.168.1.110:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 18 14:43:02 ipcop pluto[695]: packet from 192.168.1.110:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 18 14:43:02 ipcop pluto[695]: packet from 192.168.1.110:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 18 14:43:02 ipcop pluto[695]: packet from 192.168.1.110:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Mar 18 14:43:02 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: responding to Main Mode from unknown peer 192.168.1.110
Mar 18 14:43:02 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: transition from state (null) to state STATE_MAIN_R1
Mar 18 14:43:02 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Mar 18 14:43:02 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 18 14:43:03 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=UK, O=Initiative, CN=Piero Laptop'
Mar 18 14:43:03 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 18 14:43:03 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: sent MR3, ISAKMP SA established
Mar 18 14:43:03 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: cannot respond to IPsec SA request because no connection is known for 192.168.1.100[C=UK, O=Initiative, CN=initiative.localdomain]:17/1701...192.168.1.110[C=UK, O=Initiative, CN=Piero Laptop]:17/1701
Mar 18 14:43:03 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.110:500
Mar 18 14:43:03 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xbfa9483d (perhaps this is a duplicated packet)
Mar 18 14:43:03 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.1.110:500
Mar 18 14:43:05 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xbfa9483d (perhaps this is a duplicated packet)
Mar 18 14:43:05 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.1.110:500
Mar 18 14:43:09 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xbfa9483d (perhaps this is a duplicated packet)
Mar 18 14:43:09 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.1.110:500
Another strange thing: it seems that the VPN server sends some messages back to the Windows machine (which receives them, I see them with Ethereal) but the Windows machine ignores them, and keeps retrying sending the same message (and getting back an error, as the message is a duplicate).
I hope that someone is able to help me.
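As an added illustration (not part of the original post, nor Openswan or IPCop code), the script below parses the "no connection is known for" line quoted above and compares the selectors the peer proposed against a hand-transcribed model of the post's "conn Laptop". The dict layout, regexes and function names are assumptions of this example; the log text and conn values are taken from the post. It makes the mismatch the author spotted by eye explicit: the peer asked for a host-to-host selector restricted to UDP/1701 (which is what a Windows L2TP/IPsec client negotiates, and what pluto prints as ":17/1701"), while the conn offers only a subnet tunnel to 192.168.0.0/24 and sets no leftprotoport/rightprotoport, so pluto finds nothing to match and answers INVALID_ID_INFORMATION.

```python
"""Added example: compare the selectors pluto reports in a
'cannot respond to IPsec SA request because no connection is known for ...'
line against a conn from ipsec.conf, and list why they cannot match."""
import re
from ipaddress import ip_network

# Pluto log line quoted in the post (collapsed whitespace restored).
LOG_LINE = (
    'Mar 18 14:43:03 ipcop pluto[695]: "Laptop"[1] 192.168.1.110 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    '192.168.1.100[C=UK, O=Initiative, CN=initiative.localdomain]:17/1701'
    '...192.168.1.110[C=UK, O=Initiative, CN=Piero Laptop]:17/1701'
)

# Hand-transcribed model of "conn Laptop" from the post's ipsec.conf
# (hypothetical dict layout; keys are the ipsec.conf keywords).
CONN_LAPTOP = {
    'left': '192.168.1.100',
    'leftsubnet': '192.168.0.0/24',
    'right': '%any',
    'rightsubnet': 'vhost:%no,%priv',
    # leftprotoport / rightprotoport are not set in the post's conn.
}

_PEER_RE = re.compile(r'"[^"]+"\[\d+\] (?P<peer>[\d.]+) #\d+: ')
_PROPOSAL_RE = re.compile(r'no connection is known for (?P<left>.+?)\.\.\.(?P<right>.+)$')
_ENDPOINT_RE = re.compile(
    r'^(?P<addr>[\d.]+)(?:/(?P<prefix>\d+))?'     # client address, optional /prefix
    r'(?:\[(?P<id>[^\]]*)\])?'                     # peer ID in brackets
    r'(?::(?P<proto>\d+)/(?P<port>\d+))?\s*$'      # optional :protocol/port
)


def _parse_endpoint(text):
    m = _ENDPOINT_RE.match(text.strip())
    if not m:
        raise ValueError('unrecognised endpoint: %r' % text)
    return {
        'client': ip_network('%s/%s' % (m.group('addr'), m.group('prefix') or '32')),
        'id': m.group('id'),
        'protocol': int(m.group('proto')) if m.group('proto') else None,
        'port': int(m.group('port')) if m.group('port') else None,
    }


def parse_no_connection(line):
    """Return {'peer', 'left', 'right'} for a 'no connection is known for' line,
    or None if the line is something else."""
    peer = _PEER_RE.search(line)
    prop = _PROPOSAL_RE.search(line)
    if not (peer and prop):
        return None
    return {
        'peer': peer.group('peer'),
        'left': _parse_endpoint(prop.group('left')),
        'right': _parse_endpoint(prop.group('right')),
    }


def _protoport(ep):
    return None if ep['protocol'] is None else '%d/%d' % (ep['protocol'], ep['port'])


def explain_mismatch(proposal, conn):
    """List the conn attributes that rule out the proposed selectors.
    Exact protoport strings only; pluto's %any wildcards are not modelled."""
    reasons = []
    left, right = proposal['left'], proposal['right']

    # Left client: the conn offers leftsubnet (or its own address if unset).
    offered_left = ip_network(conn.get('leftsubnet') or conn['left'] + '/32')
    if left['client'] != offered_left:
        reasons.append('left client %s proposed, conn offers leftsubnet %s'
                       % (left['client'], offered_left))

    # Right client: vhost:%no accepts the peer's own address as its client.
    rs = conn.get('rightsubnet') or proposal['peer'] + '/32'
    if rs.startswith('vhost:'):
        ok = '%no' in rs and right['client'] == ip_network(proposal['peer'] + '/32')
        if not ok:
            reasons.append('right client %s not accepted by rightsubnet %s (%%priv not modelled)'
                           % (right['client'], rs))
    elif right['client'] != ip_network(rs):
        reasons.append('right client %s proposed, conn offers rightsubnet %s'
                       % (right['client'], rs))

    # Protocol/port: a ":17/1701" selector only matches a conn with protoport set.
    for side, ep in (('left', left), ('right', right)):
        proposed, configured = _protoport(ep), conn.get(side + 'protoport')
        if proposed != configured:
            reasons.append('%s selector is %s, conn has %sprotoport=%s'
                           % (side, proposed or 'any protocol/port', side, configured))
    return reasons


def diagnose(line, conn):
    """Convenience wrapper: parse the line and explain why conn did not match."""
    proposal = parse_no_connection(line)
    return [] if proposal is None else explain_mismatch(proposal, conn)


if __name__ == '__main__':
    for reason in diagnose(LOG_LINE, CONN_LAPTOP):
        print(reason)
```

Run against the post's data it prints three reasons: the left client differs (a /32 host was proposed, a /24 subnet is offered), and neither side of the conn carries a protoport while the proposal is restricted to protocol 17 port 1701 on both. Fed a conn whose selectors agree with the proposal, it prints nothing, which is the state in which pluto would have found a matching conn instead of logging the error.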