[Openswan Users]
cannot respond to IPsec SA request because no connection is known
Markus Hanauska
hanauska at equinux.net
Thu Mar 31 17:35:55 CEST 2005
Hello everyone!
I wanted to test out the mode config feature of OpenSWan 2.3, so we
created a little test setup. I don't want the IPs to be seen in
public, hence here is what you need to know.
My computer: x.y.z.58
VPN gateway with OpenSWan: a.b.c.110
Both networks are totally different (a != x, b != y, c != z).
The gateway has a second network card, with a 192.168.* private
network behind it, but that plays no role in this case.
My ipsec.conf reads the following (I left out the debugging options;
typing mistakes possible, but the real file has no mistakes):
conn test
    # left is local, right is remote
    left=a.b.c.110
    # Don't know if we need that, but doesn't hurt I guess
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    rightsubnet=10.1.2.3/32
    # Don't know if we need that
    rightnexthop=a.b.c.110
    authby=secret
    auto=add
    compress=no
The ipsec.secrets is
a.b.c.110 %any : PSK "secret"
Now if I connect, phase 1 succeeds without errors. XAUTH is
successful and Mode Config, too. We get the IP address 10.1.2.3
assigned in the Mode Config phase, but the subnet is 8 times zero (why 8
times? It should be only four times; and why zero? It should be
255.255.255.255).
But that's not the problem. Mode Config is very buggy in multiple
ways. First, the IP address parameter of Mode Config is to assign the
client an IP address, not to tell him the IP of the remote network.
Second, the handling of the initial vector is broken if the client
sends out an active request (request/reply); I could only get these
Mode Config values using passive mode (set/acknowledge).
The problem I have at the moment is of a different kind. Pluto says:
"test"[1] x.y.z.58 #1: cannot respond to IPsec SA request because no
connection is known for 195.168.13.0/24===a.b.c.110[MS+XS+S=C] ...
x.y.z.58===10.1.2.3/32
Apart from the fact that I have no idea what 195.168.13.0/24 is (it's
not the address of any network or any NIC in the test environment, and it
can't be found in any config file on the whole machine), I don't know
what he complains about. Where is the problem? Why can't he complete
phase 2?
On the client side I don't use OpenSWan, so I can't get you any
config. But be assured that phase 1 and phase 2 settings are correct
and the IP addresses are used as local and remote identifier.
The problem is not Mode Config related, because disabling it on both
sides has no different effect.
--
Best Regards,
Markus Hanauska
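As an added example (not part of the post and not Openswan code), here is a small Python checker that parses the Pluto message quoted above and compares the rejected quick-mode proposal against the conn definitions in ipsec.conf. It assumes Pluto prints the proposal as local_client===local_host[flags]...remote_host===remote_client, that IKEv1 quick mode in Openswan accepts a proposal only when both client selectors equal the configured subnets exactly (a configured subnet that merely contains the proposed one does not match), and it substitutes RFC 5737 documentation addresses for the a.b.c / x.y.z placeholders in the post. The parser, the function names and the constructed sample input are all hypothetical.

```python
import ipaddress
import re

# Constructed sample input: the conn from the post, with the placeholder
# a.b.c.110 replaced by an RFC 5737 documentation address.
GATEWAY_CONF = """\
conn test
    # left is local, right is remote
    left=203.0.113.110
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    rightsubnet=10.1.2.3/32
    rightnexthop=203.0.113.110
    authby=secret
    auto=add
    compress=no
"""

# Constructed sample input: the Pluto message quoted in the post, with
# x.y.z.58 and a.b.c.110 replaced by RFC 5737 addresses.
PLUTO_LINE = ('"test"[1] 198.51.100.58 #1: cannot respond to IPsec SA request '
              'because no connection is known for 195.168.13.0/24===203.0.113.110'
              '[MS+XS+S=C]...198.51.100.58===10.1.2.3/32')

# Assumed layout of the rejected proposal in the Pluto message:
#   local_client===local_host[flags]...remote_host===remote_client
PROPOSAL_RE = re.compile(
    r'no connection is known for '
    r'(?P<lclient>[\d.]+/\d+)===(?P<lhost>[\d.]+)(?:\[[^\]]*\])?'
    r'\.\.\.(?P<rhost>[\d.]+)===(?P<rclient>[\d.]+/\d+)')


def parse_conns(text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}}.
    Understands only 'conn NAME' headers, key=value lines and '#' comments."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('conn '):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            conns[current][key] = value
    return conns


def parse_proposal(log_line):
    """Return the four selectors from the Pluto message as ipaddress objects,
    or None when the line is not that message."""
    m = PROPOSAL_RE.search(log_line)
    if not m:
        return None
    return {k: (ipaddress.ip_network(v) if '/' in v else ipaddress.ip_address(v))
            for k, v in m.groupdict().items()}


def side_selectors(conn, host_key, subnet_key):
    """(host, subnet) a conn accepts for one side. A missing *subnet defaults
    to host/32; '%any' becomes None, meaning that field is not checked."""
    host, subnet = conn.get(host_key), conn.get(subnet_key)
    if host == '%any':
        host = None
    if subnet is None and host is not None:
        subnet = host + '/32'
    return (ipaddress.ip_address(host) if host else None,
            ipaddress.ip_network(subnet) if subnet else None)


def diagnose(conns, proposal):
    """Per conn, list why the proposal was not accepted (empty list = match).
    Selectors are compared for equality, as IKEv1 quick mode does: a wider
    configured subnet that contains the proposed one is still a mismatch."""
    report = {}
    for name, conn in conns.items():
        lhost, lsub = side_selectors(conn, 'left', 'leftsubnet')
        rhost, rsub = side_selectors(conn, 'right', 'rightsubnet')
        problems = []
        for label, want, got in (('left', lhost, proposal['lhost']),
                                 ('leftsubnet', lsub, proposal['lclient']),
                                 ('right', rhost, proposal['rhost']),
                                 ('rightsubnet', rsub, proposal['rclient'])):
            if want is None or want == got:
                continue
            note = ''
            if isinstance(want, ipaddress.IPv4Network) and got.subnet_of(want):
                note = ' (contained in it, but IKEv1 needs an exact match)'
            problems.append(f'proposed {got} != {label}={want}{note}')
        report[name] = problems
    return report


if __name__ == '__main__':
    proposal = parse_proposal(PLUTO_LINE)
    for conn_name, problems in diagnose(parse_conns(GATEWAY_CONF), proposal).items():
        print(conn_name, '->', problems or 'would match')
```

Run against the sample, the checker reports that the peer proposed 195.168.13.0/24 as the gateway-side selector while the conn only offers 0.0.0.0/0, which contains it but is not equal to it; the remote side (10.1.2.3/32) matches. That narrows the question to what the client is sending as its remote network, which is exactly the value the poster could not find in any config on the gateway.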