cannot respond to IPsec SA request because no connection is known
hanauska at equinux.net
Thu Mar 31 17:35:55 CEST 2005
I wanted to test out the mode config feature of OpenSWan 2.3, so we
created a little test setup. I don't want the IPs to be seen in
public, hence here is what you need to know.
My computer: x.y.z.58
VPN gateway with OpenSWan: a.b.c.110
Both networks are totally different (a != x, b != y, c != z).
The gateway has a second network card, with a 192.168.* private
network behind it, but that plays no role in this case.
My ipsec.conf reads the following (I left out the debugging options;
typing mistakes possible, but the real file has no mistakes):
# left is local, right is remote
# Don't know if we need that, but doesn't hurt I guess
# Don't know if we need that
The ipsec.secrets is
a.b.c.110 %any : PSK "secret"
Now if I connect, phase 1 succeeds without errors. XAUTH is
successful and Mode Config, too. We get the IP address 10.1.2.3
assigned in the Mode Config Phase, but subnet is 8 times zero (why 8
times? It should be only four times; and why zero? It should be
But that's not the problem. Mode Config is very buggy in multiple
ways. First, the IP address parameter of Mode Config is to assign the
client an IP address, not to tell him the IP of the remote network.
Second, the handling of the initial vector is broken if the client
sends out an active request (request/reply); I could only get these
Mode Config values using passive mode (set/acknowledge).
The problem I have at the moment is of a different kind. Pluto says:
"test" x.y.z.58 #1: cannot respond to IPsec SA request because no
connection is known for 18.104.22.168/24===a.b.c.110[MS+XS+S=C] ...
Apart from the fact that I have no idea what 22.214.171.124/24 is (it's
not the address of any network or any NIC in the test environment, and it
can't be found in any config file on the whole machine), I don't know
what he complains about. Where is the problem? Why can't he complete
On the client side I don't use OpenSWan, so I can't get you any
config. But be assured that phase 1 and phase 2 settings are correct
and the IP addresses are used as local and remote identifier.
The problem is not Mode Config related, because disabling it on both
sides has no different effect.
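The rejection quoted in the post, worked through as an added example that is not part of the original message or of Openswan: a small Python triage script that parses Pluto's "cannot respond to IPsec SA request because no connection is known for" line into the two traffic selectors, reads leftsubnet/rightsubnet from an ipsec.conf-style text, and reports which side of the proposal fails to match which conn. It assumes, like the post, that "left" is the local gateway, and it assumes Pluto's print order of gateway-side subnet===gateway[...]...peer[...]===peer-side subnet. The log line (including the tail the post truncates after [MS+XS+S=C]) and the conn definition are constructed for this example, with addresses from documentation ranges; the conn name "test" is taken from the post.

```python
"""Triage helper for Pluto's quick-mode "no connection is known for" rejection.

Added example (not from the original post, not Openswan code).  Pluto IKEv1
needs the peer's proposed client subnets to equal a conn's leftsubnet and
rightsubnet exactly; this script shows which of the two does not.
"""
import re
from ipaddress import ip_network

# Assumed print order: our_subnet===our_host[id/flags]...peer_host[id]===peer_subnet
PLUTO_REJECT_RE = re.compile(
    r'^"(?P<conn>[^"]+)" (?P<peer>\S+) #(?P<state>\d+): '
    r"cannot respond to IPsec SA request because no connection is known for "
    r"(?P<our_net>[\d.]+/\d+)===(?P<our_host>[\d.]+)(?:\[[^\]]*\])?"
    r"\.\.\.(?P<his_host>[\d.]+)(?:\[[^\]]*\])?===(?P<his_net>[\d.]+/\d+)"
)

# Constructed sample log line; the part after [MS+XS+S=C] is invented.
SAMPLE_LOG = (
    '"test" 192.0.2.58 #1: cannot respond to IPsec SA request because no '
    "connection is known for 10.2.3.0/24===198.51.100.110[MS+XS+S=C]"
    "...192.0.2.58[@roadwarrior]===10.1.2.3/32"
)

# Constructed stand-in for the poster's ipsec.conf (theirs is not on the page).
SAMPLE_CONF = """\
conn test
    left=198.51.100.110
    leftsubnet=192.168.0.0/24
    right=%any
    auto=add
"""


def parse_reject(line):
    """Return the selector pair Pluto could not match, or None for other lines."""
    m = PLUTO_REJECT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["our_net"] = ip_network(d["our_net"], strict=False)
    d["his_net"] = ip_network(d["his_net"], strict=False)
    return d


def parse_conns(conf_text):
    """Minimal reader for 'conn NAME' sections: {name: {key: value}}."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, val = (s.strip() for s in line.strip().split("=", 1))
            conns[current][key] = val
    return conns


def expected_selectors(conn):
    """Selectors Pluto would accept: the subnet if set, else the host as /32.
    A %any peer without rightsubnet yields None (not knowable from config)."""
    def side(host, subnet):
        if subnet:
            return ip_network(subnet, strict=False)
        if host and host != "%any":
            return ip_network(host + "/32")
        return None
    return (side(conn.get("left"), conn.get("leftsubnet")),
            side(conn.get("right"), conn.get("rightsubnet")))


def diagnose(line, conf_text):
    """Compare the rejected proposal with every conn; list mismatches per conn."""
    req = parse_reject(line)
    if req is None:
        return None
    report = {}
    for name, conn in parse_conns(conf_text).items():
        want_ours, want_his = expected_selectors(conn)
        problems = []
        if want_ours != req["our_net"]:
            problems.append(f"gateway side: proposed {req['our_net']}, conn has {want_ours}")
        if want_his is not None:
            if want_his != req["his_net"]:
                problems.append(f"peer side: proposed {req['his_net']}, conn has {want_his}")
        elif req["his_net"].prefixlen != 32:
            # A road-warrior peer is a single host (its own or the Mode Config address).
            problems.append(f"peer side: {req['his_net']} proposed for a %any peer; expected a /32")
        report[name] = problems
    return report


if __name__ == "__main__":
    for conn_name, problems in diagnose(SAMPLE_LOG, SAMPLE_CONF).items():
        print(conn_name, "->", problems or ["matches"])
```

Run against the constructed input, the script reports that the peer's 10.1.2.3/32 is acceptable for a %any road warrior and that the gateway-side selector 10.2.3.0/24 matches no leftsubnet, which is the shape of the post's complaint: the unknown /24 in the message sits on the gateway's side of ===, so it is what the client proposed as the network behind the gateway, and no conn on the gateway has a leftsubnet equal to it.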