[Openswan Users] decyphering "cannot respond to IPsec SA request"
Christian Brechbühler
brechbuehler at gmail.com
Wed Feb 15 22:33:05 CET 2006
Hi Jacco,
Glad to hear from you; actually I used your web page as my guide when
setting things up. I'm sure it's an error in my configuration -- I
just would like some more output pointing at what's wrong. That's
what I was looking for in the source.
Yes, there's a NAT, my home router. The client has the private address
192.168.2.60, while our provider assigns a public address to the
outside of our router by DHCP. It seems correctly detected, and
tcpdump shows that both sides are switching from port 500 to 4500, as
I expected.
Yes, I checked, I had specified "authby=secret" for that one
connection; people keep saying PSK is easier to get working than
certificates (earlier I got an Openswan client to work with
certificates). Nevertheless I had specified a rightcert, because the
server has one.
Anyway, after your question I went back and took that authby out, and
unchecked the IPsec secret box in windows. PSK is gone. The results
are much the same as before -- "because no connection is known", only
that both sides are now identified by a certificate.
Here is the server's (6.6.6.6) ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    plutodebug="all"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    interfaces=%defaultroute

conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn l2tp
    rightprotoport=17/1701
    leftprotoport=17/1701
    pfs=no
    right=%defaultroute
    rightsubnet=10.0.0.0/24
    rightcert=lysithea-vpn.pem
    left=%any
    auto=ignore

include /etc/ipsec.d/examples/no_oe.conf
And here's what I find in the log:
| The following messages are prefixed [pluto] "l2tp"[1] 2.2.2.2 #223:
| responding to Main Mode from unknown peer 2.2.2.2
| transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
| STATE_MAIN_R1: sent MR1, expecting MI2
| NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
| transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
| STATE_MAIN_R2: sent MR2, expecting MI3
| Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Massachusetts, L=Boston, O=EventMonitor, Inc., CN=cindy, E=brechbuehler at gmail.com'
|
| And here it switches to "l2tp"[2]:
| deleting connection "l2tp" instance with peer 2.2.2.2 {isakmp=#0/ipsec=#0}
| I am sending my cert
| transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
| STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
| cannot respond to IPsec SA request because no connection is known for 6.6.6.6[C=US, ST=Massachusetts, L=Boston, O=EventMonitor, Inc., CN=lysithea-vpn, E=brechbuehler at gmail.com]:17/1701...2.2.2.2[C=US, ST=Massachusetts, L=Boston, O=EventMonitor, Inc., CN=cindy, E=brechbuehler at gmail.com]:17/1701
| sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:48336
My questions: Why is no connection known? How does one go about
debugging the configuration?
Thanks a lot
Christian
On 2/15/06, Jacco de Leeuw <jacco2 at dds.nl> wrote:
>
> Christian Brechbühler wrote:
>
> > plutodebug=all seems to [...]
> > function quick_inI1_outR1_authtail (in ikev1_quick.c) if
> > find_client_connection returns null. That function (in connections.c)
> > Is there a way to turn on more debug output?
>
> Don't use plutodebug=all. You shouldn't have to look in the source
> code. It's likely to be a configuration error, not a bug.
>
> > no connection is known for 66.92.59.63[C=US, ST=Massachusetts, L=Boston,
> > O=EventMonitor, Inc., CN=lea-vpn, E=brechbuehler at gmail.com]:17/1701...
> > 42.61.74.263[@IBM-A242175E87C]:17/1701
> >
> > authby=secret
>
> Are you sure you are using a PSK? Because this error message seems to
> indicate otherwise. And is there NAT involved somewhere?
>
> > Is there a way to turn on more debug output? Or to determine WHY
> > pluto thinks that no connection exists?
>
> You should post your ipsec.conf.
>
> Jacco
> --
> Jacco de Leeuw mailto:jacco2 at dds.nl
> Zaandam, The Netherlands http://www.jacco2.dds.nl
>
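Added example (editor's code, not part of the post and not Openswan's own): a small checker that parses the ipsec.conf above and the "no connection is known for A...B" line, then compares the client subnets and protoports the peer proposed in Quick Mode with what each conn offers. That is the test pluto's find_client_connection applies before anything else: the proposed client subnet on each end must equal the conn's subnet (the host's own /32 when no leftsubnet/rightsubnet is set) and the protoports must agree. It assumes pluto's format_end() layout of the message (own end printed first, peer's end second), numeric protoports, and that %defaultroute resolves to 6.6.6.6; the config and log line embedded in it are constructed from the post with the DNs shortened. On those inputs it reports that conn l2tp's rightsubnet=10.0.0.0/24 does not equal the 6.6.6.6/32 the peer proposed for the server end. vhost:/vnet: subnets, peer IDs, authentication and policy flags are out of scope for this check.

```python
"""Compare a pluto "no connection is known for A...B" Quick Mode failure
with the selectors each conn in ipsec.conf offers.

Added example, not code from the post or from Openswan.  Assumes classic
ipsec.conf keywords, numeric protoports, and pluto's format_end() layout
of the message (our own end first, the peer's end second).
"""
import ipaddress
import re

# Constructed from the ipsec.conf in the post (trimmed to the keys checked).
IPSEC_CONF = """\
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    interfaces=%defaultroute
conn %default
    keyingtries=1
    authby=rsasig
conn l2tp
    rightprotoport=17/1701
    leftprotoport=17/1701
    pfs=no
    right=%defaultroute
    rightsubnet=10.0.0.0/24
    rightcert=lysithea-vpn.pem
    left=%any
    auto=ignore
include /etc/ipsec.d/examples/no_oe.conf
"""

# Constructed from the log line in the post (DNs shortened).
LOG_LINE = ("cannot respond to IPsec SA request because no connection is "
            "known for 6.6.6.6[C=US, CN=lysithea-vpn]:17/1701"
            "...2.2.2.2[C=US, CN=cindy]:17/1701")

# Address %defaultroute resolves to on the server (6.6.6.6 in the post).
OUR_ADDR = "6.6.6.6"

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)$")
# format_end(): left end is "[client===]host[id][:proto/port]", right end
# is "host[id][:proto/port][===client]".  No "===" means the proposed
# client is the host address itself (/32).
LEFT_END_RE = re.compile(
    r"^(?:(?P<client>[\d./]+)===)?(?P<host>[\d.]+)(?:\[(?P<id>[^\]]*)\])?"
    r"(?::(?P<proto>\d+)/(?P<port>\d+))?$")
RIGHT_END_RE = re.compile(
    r"^(?P<host>[\d.]+)(?:\[(?P<id>[^\]]*)\])?(?::(?P<proto>\d+)/(?P<port>\d+))?"
    r"(?:===(?P<client>[\d./]+))?$")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with "conn %default" merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include "):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1) + " " + m.group(2), {})
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            current[key.strip()] = val.strip()
    default = sections.get("conn %default", {})
    return {name[5:]: {**default, **opts} for name, opts in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def _end(m):
    """Turn one matched end into host, proposed client subnet, protoport."""
    host = m.group("host")
    client = ipaddress.ip_network(m.group("client") or host + "/32", strict=False)
    return {"host": host, "client": client,
            "protoport": f"{m.group('proto') or 0}/{m.group('port') or 0}"}


def parse_no_connection_line(line):
    """Return (our_end, peer_end) from the pluto message."""
    body = line.split("no connection is known for ", 1)[1]
    ours, peer = body.split("...", 1)
    m_our, m_peer = LEFT_END_RE.match(ours.strip()), RIGHT_END_RE.match(peer.strip())
    if not (m_our and m_peer):
        raise ValueError("unrecognised end format: " + body)
    return _end(m_our), _end(m_peer)


def check_conn(conn, our_end, peer_end, our_addr):
    """List selector mismatches between one conn and the peer's proposal.

    find_client_connection() needs the proposed client subnets to equal the
    conn's (samesubnet) and the protoports to agree.  IDs, auth and policy
    are not checked here.  An empty list means no selector mismatch."""
    our_side = next((s for s in ("left", "right")
                     if conn.get(s) in ("%defaultroute", our_addr)), None)
    if our_side is None:
        return [f"neither left nor right is this host ({our_addr})"]
    peer_side = "right" if our_side == "left" else "left"
    problems = []
    for side, end, host in ((our_side, our_end, our_addr),
                            (peer_side, peer_end, peer_end["host"])):
        subnet = conn.get(side + "subnet")
        if subnet and subnet.startswith(("vhost:", "vnet:")):
            continue  # virtual subnets resolve via virtual_private; skipped
        want = ipaddress.ip_network(subnet or host + "/32", strict=False)
        if want != end["client"]:
            problems.append(f"{side}: proposed client {end['client']} "
                            f"!= configured {want}")
        want_pp = conn.get(side + "protoport", "0/0")
        if want_pp != end["protoport"]:
            problems.append(f"{side}: proposed protoport {end['protoport']} "
                            f"!= configured {want_pp}")
    return problems


def check_log_against_conf(conf_text, line, our_addr):
    """Return {conn_name: [mismatch, ...]} for every conn in the config."""
    our_end, peer_end = parse_no_connection_line(line)
    return {name: check_conn(conn, our_end, peer_end, our_addr)
            for name, conn in parse_ipsec_conf(conf_text).items()}


if __name__ == "__main__":
    for name, problems in check_log_against_conf(IPSEC_CONF, LOG_LINE, OUR_ADDR).items():
        print(f"conn {name}: " + ("matches" if not problems else ""))
        for p in problems:
            print("  " + p)
```

To use it on a real system, replace IPSEC_CONF with the contents of /etc/ipsec.conf, LOG_LINE with the "cannot respond" line from the log (with the "[pluto] ..." prefix stripped), and OUR_ADDR with the address %defaultroute resolves to; a conn whose list comes back empty matched on selectors, so the search then moves on to IDs, certificates and policy.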