[Openswan Users] ipsec problems...

Malcolm Amir Hussain-Gambles malcolm at secpay.com
Thu May 26 12:12:13 CEST 2005


We are trying to get an IPSec connection from a laptop (starting with
Linux) behind a NAT device to the office network but keep getting this
error. We've been trying for ages and can't seem to crack this.
We have the certs or secrets working fine and are using openswan-2.3.1-1
on FC3 with openswan-klips-2.3.1-2.6.10_1.770 (with the correct kernel).

This is an extract of the problem...

May 26 10:59:47 ripon pluto[21064]: "roadwarrior"[2] xx.xx.xx.xx #1: sent MR3, ISAKMP SA established

May 26 10:59:47 ripon pluto[21064]: | processing connection roadwarrior[2] xx.xx.xx.xx

May 26 10:59:47 ripon pluto[21064]: "roadwarrior"[2] 86.130.241.37 #1: cannot respond to IPsec SA request because no connection is known for xx.xx.xx.xx [cert details here]===192.168.1.5/32

May 26 10:59:47 ripon pluto[21064]: "roadwarrior"[2] xx.xx.xx.xx #1: sending encrypted notification INVALID_ID_INFORMATION to xx.xx.xx.xx:50446


And the config...

version 2

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        klipsdebug=all
        plutodebug=dns
        virtual_private=%v4:192.168.0.0/16,%v4:!192.168.2.0/24

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior
        type=tunnel
        left=%defaultroute
        leftsubnet=192.168.2.0/24
        leftcert=server.pem
        compress=yes
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=no

We have tried pfs with yes and no, removed the compress, and tried
removing the leftsubnet, but with no luck. Any help would be greatly
appreciated!

--

Malcolm Amir Hussain-Gambles