[Openswan Users] decyphering "cannot respond to IPsec SA request"

Christian Brechbühler brechbuehler at gmail.com
Wed Feb 15 22:33:05 CET 2006 

Hi Jacco,

Glad to hear from you; actually I used your web page as my guide when
setting things up.  I'm sure it's an error in my configuration -- I
just would like some more output pointing at what's wrong.  That's
what I was looking for in the source.

Yes, there's a NAT, my home router. The client has the private address
192.168.2.60, while our provider assigns a public address to the
outside of our router by DHCP.  It seems correctly detected, and
tcpdump shows that both sides are switching from port 500 to 4500, as
I expected.

Yes, I checked, I had specified "authby=secret" for that one
connection; people keep saying PSK is easier to get working than
certificates (earlier I got an Openswan client to work with
certificates).  Nevertheless I had specified a rightcert, because the
server has one.
Anyway, after your question I went back and took that authby out, and
unchecked the IPsec secret box in windows.  PSK is gone.  The results
are much the same as before -- "because no connection is known", only
that both sides are now identified by a certificate.
Here is the server(6.6.6.6)'s  ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
    plutodebug="all"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    interfaces=%defaultroute

conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn l2tp
    rightprotoport=17/1701
    leftprotoport=17/1701
    pfs=no
    right=%defaultroute
    rightsubnet=10.0.0.0/24
    rightcert=lysithea-vpn.pem
    left=%any
    auto=ignore

include /etc/ipsec.d/examples/no_oe.conf

And here's what I find in the log:

| The following messages are prefixed [pluto] "l2tp"[1] 2.2.2.2 #223:
|     responding to Main Mode from unknown peer 2.2.2.2
|     transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
|     STATE_MAIN_R1: sent MR1, expecting MI2
|     NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:
peer is NATed
|     transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
|     STATE_MAIN_R2: sent MR2, expecting MI3
|     Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Massachusetts,
L=Boston, O=EventMonitor, Inc., CN=cindy, E=brechbuehler at gmail.com'
|
| And here it switches to "l2tp"[2]:
|     deleting connection "l2tp" instance with peer 2.2.2.2 {isakmp=#0/ipsec=#0}
|     I am sending my cert
|     transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
|     STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
|     cannot respond to IPsec SA request because no connection is
known for 6.6.6.6[C=US, ST=Massachusetts, L=Boston, O=EventMonitor,
Inc., CN=lysithea-vpn,
E=brechbuehler at gmail.com]:17/1701...2.2.2.2[C=US, ST=Massachusetts,
L=Boston, O=EventMonitor, Inc., CN=cindy,
E=brechbuehler at gmail.com]:17/1701
|     sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:48336

My questions: Why is no connection known?  How does one go about
debugging the configuration?

Thanks a lot

    Christian

On 2/15/06, Jacco de Leeuw <jacco2 at dds.nl> wrote:
>
> Christian Brechbühler wrote:
>
> > plutodebug=all seems to [...]
> > function quick_inI1_outR1_authtail (in ikev1_quick.c) if
> > find_client_connection returns null.  That function (in connections.c)
> > Is there a way to turn on more debug output?
>
> Don't use plutodebug=all. You shouldn't have to look in the source
> code. It's likely to be a configuration error, not a bug.
>
> > no connection is known for 66.92.59.63[C=US, ST=Massachusetts, L=Boston,
> > O=EventMonitor, Inc., CN=lea-vpn, E=brechbuehler at gmail.com]:17/1701...
> > 42.61.74.263[@IBM-A242175E87C]:17/1701
> >
> > authby=secret
>
> Are you sure you are using a PSK? Because this error message seems to
> indicate otherwise. And is there NAT involved somewhere?
>
> > Is there a way to turn on more debug output?  Or to determine WHY
> > pluto thinks that no connection exists?
>
> You should post your ipsec.conf.
>
> Jacco
> --
> Jacco de Leeuw                         mailto:jacco2 at dds.nl
> Zaandam, The Netherlands           http://www.jacco2.dds.nl
>

More information about the Users mailing list