[Openswan Users] decyphering "cannot respond to IPsec SA request"

Paul Wouters paul at xelerance.com
Thu Feb 16 17:21:57 CET 2006


On Wed, 15 Feb 2006, Christian Brechbühler wrote:

> config setup
>     plutodebug="all"
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>     interfaces=%defaultroute
>
> conn %default
>     keyingtries=1
>     compress=yes
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>
> conn l2tp
>     rightprotoport=17/1701
>     leftprotoport=17/1701
>     pfs=no
>     right=%defaultroute
>     rightsubnet=10.0.0.0/24

You need to exclude 10.0.0.0/24 on your virtual_private line.

>     rightcert=lysithea-vpn.pem
>     left=%any
>     auto=ignore

auto=ignore means the connection isn't loaded. Use auto=add.

> include /etc/ipsec.d/examples/no_oe.conf
>
> And here's what I find in the log:
>
> | The following messages are prefixed [pluto] "l2tp"[1] 2.2.2.2 #223:
> |     responding to Main Mode from unknown peer 2.2.2.2
> |     transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> |     STATE_MAIN_R1: sent MR1, expecting MI2
> |     NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:
> peer is NATed
> |     transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> |     STATE_MAIN_R2: sent MR2, expecting MI3
> |     Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Massachusetts,
> L=Boston, O=EventMonitor, Inc., CN=cindy, E=brechbuehler at gmail.com'
> |
> | And here it switches to "l2tp"[2]:
> |     deleting connection "l2tp" instance with peer 2.2.2.2 {isakmp=#0/ipsec=#0}
> |     I am sending my cert
> |     transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> |     STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}
> |     cannot respond to IPsec SA request because no connection is
> known for 6.6.6.6[C=US, ST=Massachusetts, L=Boston, O=EventMonitor,
> Inc., CN=lysithea-vpn,
> E=brechbuehler at gmail.com]:17/1701...2.2.2.2[C=US, ST=Massachusetts,
> L=Boston, O=EventMonitor, Inc., CN=cindy,
> E=brechbuehler at gmail.com]:17/1701
> |     sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:48336
>
> My questions: Why is no connection known?  How does one go about
> debugging the configuration?
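The two corrections applied to the quoted configuration, as an added illustration (not part of the original thread); the `%v4:!` exclusion syntax is Openswan's own, and the addresses, certificate name and other values are taken from the quoted ipsec.conf:

```ini
config setup
    plutodebug="all"
    nat_traversal=yes
    # Exclude the subnet used as rightsubnet below, so a NATed road warrior
    # can never claim a virtual IP inside 10.0.0.0/24 and collide with it.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
    interfaces=%defaultroute

conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn l2tp
    rightprotoport=17/1701
    leftprotoport=17/1701
    pfs=no
    right=%defaultroute
    rightsubnet=10.0.0.0/24
    rightcert=lysithea-vpn.pem
    left=%any
    # auto=ignore left the conn unloaded, so pluto had no connection to match
    # the IPsec SA request against; auto=add loads it and waits for the peer.
    auto=add

include /etc/ipsec.d/examples/no_oe.conf
```

After editing, `ipsec auto --status` should list the l2tp conn as loaded before the peer tries again.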
