[Openswan Users] Again: "no connection is known for..."

Filippin, Piero P.Filippin at wlv.ac.uk
Wed Mar 30 12:14:59 CEST 2005


It is a shame that on the IPCop mailing list there is no one supporting me
about VPNs... Sorry to bother you about something that seems an IPCop
problem (I think that IPCop writes the ipsec config wrong, this is not a
"bug" or a "problem" with openswan).

I had to change the IPCop-created connection:

* Removed the "leftsubnet" line (that doesn't look good, now where can I
  set up which network the VPN gives access to?? - the l2tpd will handle
  this?)
* Added the "pfs=no" - I don't know what this means, but if not, pluto
  complains about pfs; now it's happy
* Added the two proto/port lines

config setup
        interfaces=ipsec0=eth2
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/255.255.255.0,%v4:!192.168.1.0/255.255.255.0

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn Laptop
        left=192.168.1.100
        leftcert=/var/ipcop/certs/hostcert.pem
        leftprotoport=17/1701
        rightprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
        rightcert=/var/ipcop/certs/Laptopcert.pem
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=rsasig
        auto=add
        pfs=no

Now it looks like the connection is established... Note that if I touch
the IPCop VPN web configuration, that will overwrite ipsec.conf, so I
think I will have to modify the web scripts.

Mar 30 10:04:13 ipcop pluto[9156]: packet from 192.168.1.108:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 30 10:04:13 ipcop pluto[9156]: packet from 192.168.1.108:500: ignoring Vendor ID payload [FRAGMENTATION]
Mar 30 10:04:13 ipcop pluto[9156]: packet from 192.168.1.108:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 30 10:04:13 ipcop pluto[9156]: packet from 192.168.1.108:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Mar 30 10:04:13 ipcop pluto[9156]: "Laptop"[1] 192.168.1.108 #1: responding to Main Mode from unknown peer 192.168.1.108
Mar 30 10:04:13 ipcop pluto[9156]: "Laptop"[1] 192.168.1.108 #1: transition from state (null) to state STATE_MAIN_R1
Mar 30 10:04:13 ipcop pluto[9156]: "Laptop"[1] 192.168.1.108 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Mar 30 10:04:13 ipcop pluto[9156]: "Laptop"[1] 192.168.1.108 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 30 10:04:13 ipcop pluto[9156]: "Laptop"[1] 192.168.1.108 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=UK, O=Initiative, CN=Piero Laptop'
Mar 30 10:04:13 ipcop pluto[9156]: "Laptop"[1] 192.168.1.108 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 30 10:04:13 ipcop pluto[9156]: "Laptop"[1] 192.168.1.108 #1: sent MR3, ISAKMP SA established
Mar 30 10:04:13 ipcop pluto[9156]: "Laptop"[1] 192.168.1.108 #2: responding to Quick Mode
Mar 30 10:04:13 ipcop pluto[9156]: "Laptop"[1] 192.168.1.108 #2: transition from state (null) to state STATE_QUICK_R1
Mar 30 10:04:13 ipcop pluto[9156]: "Laptop"[1] 192.168.1.108 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 30 10:04:13 ipcop pluto[9156]: "Laptop"[1] 192.168.1.108 #2: IPsec SA established

The last line looks like a "good one", but Windows still does not
realize it and times out after a while... Time to set up l2tpd I think...

Any comment?

Piero
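
Added example, not part of the original message: a small Python check that reads pluto log lines in the format shown above and reports, per connection and peer, how far the IKE negotiation got (Main Mode state object #1, Quick Mode state object #2). The sample lines are taken from the log in this post with the mail wrapping undone; the function names are illustrative.

```python
import re
from collections import defaultdict

# A pluto line tied to a connection and state object, e.g.
#   pluto[9156]: "Laptop"[1] 192.168.1.108 #2: IPsec SA established
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])?'
                  r'(?: (?P<peer>\S+))? #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r'transition from state \S+ to state (\S+)')

# Lines from the log in the post, with the mail client's wrapping undone.
PREFIX = 'Mar 30 10:04:13 ipcop pluto[9156]: '
CONN = PREFIX + '"Laptop"[1] 192.168.1.108 '
SAMPLE = "\n".join([
    PREFIX + 'packet from 192.168.1.108:500: ignoring Vendor ID payload [FRAGMENTATION]',
    CONN + '#1: responding to Main Mode from unknown peer 192.168.1.108',
    CONN + '#1: transition from state (null) to state STATE_MAIN_R1',
    CONN + '#1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2',
    CONN + '#1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3',
    CONN + '#1: sent MR3, ISAKMP SA established',
    CONN + '#2: responding to Quick Mode',
    CONN + '#2: transition from state (null) to state STATE_QUICK_R1',
    CONN + '#2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2',
    CONN + '#2: IPsec SA established',
])

def summarize(log_text):
    """Map (conn, peer) -> negotiation progress seen in the log."""
    out = defaultdict(lambda: {"isakmp": False, "ipsec": False, "last_state": {}})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # "packet from ..." lines name no connection
        entry = out[(m["conn"], m["peer"])]
        t = TRANSITION.search(m["msg"])
        if t:  # remember the latest state reached by each state object
            entry["last_state"][int(m["sa"])] = t.group(1)
        if "ISAKMP SA established" in m["msg"]:
            entry["isakmp"] = True
        if "IPsec SA established" in m["msg"]:
            entry["ipsec"] = True
    return dict(out)

def diagnose(entry):
    if not entry["isakmp"]:
        return "phase 1 (Main Mode) did not complete"
    if not entry["ipsec"]:
        return "phase 1 ok, phase 2 (Quick Mode) did not complete"
    return "IKE negotiation complete: ISAKMP SA and IPsec SA established"

if __name__ == "__main__":
    for key, entry in summarize(SAMPLE).items():
        print(key, entry["last_state"], diagnose(entry))
```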
