[Openswan Users] decyphering "cannot respond to IPsec SA request"
Paul Wouters
paul at xelerance.com
Thu Feb 16 17:21:57 CET 2006
On Wed, 15 Feb 2006, Christian Brechbühler wrote:
> config setup
> plutodebug="all"
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> interfaces=%defaultroute
>
> conn %default
> keyingtries=1
> compress=yes
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
>
> conn l2tp
> rightprotoport=17/1701
> leftprotoport=17/1701
> pfs=no
> right=%defaultroute
> rightsubnet=10.0.0.0/24
You need to exclude 10.0.0.0/24 on your virtual_private line.
> rightcert=lysithea-vpn.pem
> left=%any
> auto=ignore
auto=ignore means the connection isn't loaded. Use auto=add.
> include /etc/ipsec.d/examples/no_oe.conf
>
> And here's what I find in the log:
>
> | The following messages are prefixed [pluto] "l2tp"[1] 2.2.2.2 #223:
> | responding to Main Mode from unknown peer 2.2.2.2
> | transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> | STATE_MAIN_R1: sent MR1, expecting MI2
> | NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:
> peer is NATed
> | transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> | STATE_MAIN_R2: sent MR2, expecting MI3
> | Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Massachusetts,
> L=Boston, O=EventMonitor, Inc., CN=cindy, E=brechbuehler at gmail.com'
> |
> | And here it switches to "l2tp"[2]:
> | deleting connection "l2tp" instance with peer 2.2.2.2 {isakmp=#0/ipsec=#0}
> | I am sending my cert
> | transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> | STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}
> | cannot respond to IPsec SA request because no connection is
> known for 6.6.6.6[C=US, ST=Massachusetts, L=Boston, O=EventMonitor,
> Inc., CN=lysithea-vpn,
> E=brechbuehler at gmail.com]:17/1701...2.2.2.2[C=US, ST=Massachusetts,
> L=Boston, O=EventMonitor, Inc., CN=cindy,
> E=brechbuehler at gmail.com]:17/1701
> | sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:48336
>
> My questions: Why is no connection known? How does one go about
> debugging the configuration?
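The two problems Paul points out (a rightsubnet that is still claimable as a roadwarrior virtual address range, and a conn that is never loaded) are easy to check mechanically before starting pluto. The script below is an added example, not from the thread or from the Openswan project: it parses a virtual_private string using the `%v4:`/`%v6:` prefix and the `!` exclusion syntax from ipsec.conf(5), reports whether a local subnet overlaps an allowed range without being carved out, and generates the corrected line. The settings dict, the `audit` function and the sample values are constructed from the posted config.

```python
import ipaddress

# Constructed from the posted config: the original virtual_private line
# and the rightsubnet that Paul says must be excluded from it.
VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12"
RIGHTSUBNET = "10.0.0.0/24"


def parse_virtual_private(value):
    """Split a virtual_private string into (allowed, excluded) network lists.

    Entries look like %v4:CIDR or %v6:CIDR; a leading '!' marks an exclusion
    (the ipsec.conf(5) syntax, e.g. '!%v4:10.0.0.0/24').
    """
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        negate = entry.startswith("!")
        if negate:
            entry = entry[1:]
        family, _, cidr = entry.partition(":")
        if family not in ("%v4", "%v6"):
            raise ValueError(f"unexpected virtual_private entry: {entry!r}")
        net = ipaddress.ip_network(cidr, strict=False)
        (excluded if negate else allowed).append(net)
    return allowed, excluded


def subnet_collides(virtual_private, subnet):
    """True if `subnet` (a leftsubnet/rightsubnet on this gateway) overlaps an
    allowed virtual_private range and is not fully covered by an exclusion.

    That is the situation in the thread: a roadwarrior may claim a virtual
    address inside 10.0.0.0/8, which collides with the local 10.0.0.0/24.
    """
    allowed, excluded = parse_virtual_private(virtual_private)
    net = ipaddress.ip_network(subnet, strict=False)
    same = lambda other: other.version == net.version  # skip v4/v6 mixes
    if any(same(ex) and net.subnet_of(ex) for ex in excluded):
        return False
    return any(same(a) and net.overlaps(a) for a in allowed)


def fix_virtual_private(virtual_private, subnet):
    """Return the virtual_private line with `subnet` explicitly excluded."""
    if not subnet_collides(virtual_private, subnet):
        return virtual_private
    net = ipaddress.ip_network(subnet, strict=False)
    return f"{virtual_private},!%v{net.version}:{net}"


def audit(settings, subnet):
    """Check a conn's settings for the two issues raised in the thread.

    `settings` is a constructed dict of key=value pairs merged from
    'config setup' and the conn. Returns (key, problem, suggested value)
    tuples; an empty list means neither issue is present.
    """
    findings = []
    vp = settings.get("virtual_private", "")
    if subnet_collides(vp, subnet):
        findings.append(("virtual_private",
                         f"{subnet} is claimable as a virtual address",
                         fix_virtual_private(vp, subnet)))
    # Openswan's default for auto is ignore, so a missing key is also bad.
    if settings.get("auto", "ignore") == "ignore":
        findings.append(("auto", "connection is never loaded", "add"))
    return findings


if __name__ == "__main__":
    posted = {"virtual_private": VIRTUAL_PRIVATE, "auto": "ignore"}
    for key, problem, suggestion in audit(posted, RIGHTSUBNET):
        print(f"{key}: {problem}; set {key}={suggestion}")
```

Running it against the posted values reports both findings and prints the corrected `virtual_private=` line with `,!%v4:10.0.0.0/24` appended; after applying that fix and `auto=add`, `audit` returns an empty list. The exclusion check deliberately requires the local subnet to be fully inside an excluded range, since a partial carve-out still leaves addresses a roadwarrior could claim.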