[Openswan Users] decyphering "cannot respond to IPsec SA request"

Christian Brechbühler brechbuehler at gmail.com
Thu Feb 16 11:28:34 CET 2006


Hi Paul,

Thanks for your help!  Jacco had suggested the same changes in a private mail.

Regarding auto: I've tried MANY different configurations, and had
several connections, some conflicting.  I set auto=ignore, and then
manually ran "sudo ipsec auto --add l2tp".  A benefit is that ipsec
will point out any errors in the definition of the connection, with
the line number in ipsec.conf.

Thanks again
Christian

On 2/16/06, Paul Wouters <paul at xelerance.com> wrote:
> On Wed, 15 Feb 2006, Christian Brechbühler wrote:
>
> > config setup
> >     plutodebug="all"
> >     nat_traversal=yes
> >     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> >     interfaces=%defaultroute
> >
> > conn %default
> >     keyingtries=1
> >     compress=yes
> >     authby=rsasig
> >     leftrsasigkey=%cert
> >     rightrsasigkey=%cert
> >
> > conn l2tp
> >     rightprotoport=17/1701
> >     leftprotoport=17/1701
> >     pfs=no
> >     right=%defaultroute
> >     rightsubnet=10.0.0.0/24
>
> You need to exclude 10.0.0.0/24 on your virtual_private line.
>
> >     rightcert=lysithea-vpn.pem
> >     left=%any
> >     auto=ignore
>
> auto=ignore means the connection isn't loaded. Use auto=add
>
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > And here's what I find in the log:
> >
> > | The following messages are prefixed [pluto] "l2tp"[1] 2.2.2.2 #223:
> > |     responding to Main Mode from unknown peer 2.2.2.2
> > |     transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > |     STATE_MAIN_R1: sent MR1, expecting MI2
> > |     NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03:
> > peer is NATed
> > |     transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > |     STATE_MAIN_R2: sent MR2, expecting MI3
> > |     Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Massachusetts,
> > L=Boston, O=EventMonitor, Inc., CN=cindy, E=brechbuehler at gmail.com'
> > |
> > | And here it switches to "l2tp"[2]:
> > |     deleting connection "l2tp" instance with peer 2.2.2.2 {isakmp=#0/ipsec=#0}
> > |     I am sending my cert
> > |     transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> > |     STATE_MAIN_R3: sent MR3, ISAKMP SA established
> > {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
> > group=modp2048}
> > |     cannot respond to IPsec SA request because no connection is
> > known for 6.6.6.6[C=US, ST=Massachusetts, L=Boston, O=EventMonitor,
> > Inc., CN=lysithea-vpn,
> > E=brechbuehler at gmail.com]:17/1701...2.2.2.2[C=US, ST=Massachusetts,
> > L=Boston, O=EventMonitor, Inc., CN=cindy,
> > E=brechbuehler at gmail.com]:17/1701
> > |     sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:48336
> >
> > My questions: Why is no connection known?  How does one go about
> > debugging the configuration?
>
>
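The two points Paul raises (the rightsubnet must be carved out of virtual_private with a %v4:! entry, and auto=ignore leaves the conn unloaded) are both easy to check mechanically before pluto ever sees the file. The following is an added example, not code from the thread or from Openswan: a small ipsec.conf lint that parses config/conn sections, merges conn %default into each conn, and reports any leftsubnet/rightsubnet that overlaps an included virtual_private range without being excluded, plus any conn still at auto=ignore. The two embedded configs are constructed for the example, modelled on the file quoted above; the "fixed" one is an assumption about what the corrected file looks like, and the script ignores include lines and %v6: entries.

```python
import ipaddress

# Constructed sample, modelled on the config quoted in the thread
# (assumption: the real file may carry more sections than shown here).
BROKEN_CONF = """\
config setup
    plutodebug="all"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    interfaces=%defaultroute

conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn l2tp
    rightprotoport=17/1701
    leftprotoport=17/1701
    pfs=no
    right=%defaultroute
    rightsubnet=10.0.0.0/24
    rightcert=lysithea-vpn.pem
    left=%any
    auto=ignore

include /etc/ipsec.d/examples/no_oe.conf
"""

# Assumed corrected file: the rightsubnet is excluded from virtual_private
# and the conn is loaded at startup.
FIXED_CONF = BROKEN_CONF.replace(
    "%v4:172.16.0.0/12", "%v4:172.16.0.0/12,%v4:!10.0.0.0/24"
).replace("auto=ignore", "auto=add")


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for 'config setup' and 'conn NAME'.

    Section headers start in column 0; options are indented key=value lines.
    Comments, blank lines and 'include' lines are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            if parts[0] in ("config", "conn") and len(parts) == 2:
                current = (parts[0], parts[1].strip())
                sections[current] = {}
            else:
                current = None  # 'include ...' or anything unrecognised
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def parse_virtual_private(value):
    """Split a virtual_private value into included and excluded IPv4 networks.

    '%v4:NET' includes NET, '%v4:!NET' excludes it; '%v6:' entries are ignored.
    """
    included, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue
        spec = item[len("%v4:"):]
        if spec.startswith("!"):
            excluded.append(ipaddress.ip_network(spec[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(spec, strict=False))
    return included, excluded


def lint(text):
    """Return a list of findings; an empty list means both checks passed."""
    sections = parse_ipsec_conf(text)
    setup = sections.get(("config", "setup"), {})
    included, excluded = parse_virtual_private(setup.get("virtual_private", ""))
    default = sections.get(("conn", "%default"), {})
    findings = []
    for (kind, name), opts in sections.items():
        if kind != "conn" or name == "%default":
            continue
        merged = {**default, **opts}  # conn %default supplies missing keys
        for side in ("leftsubnet", "rightsubnet"):
            if side not in merged:
                continue
            try:
                net = ipaddress.ip_network(merged[side], strict=False)
            except ValueError:
                continue  # e.g. vhost:%priv, not a literal subnet
            overlaps = any(net.overlaps(inc) for inc in included)
            carved_out = any(net.subnet_of(exc) for exc in excluded)
            if overlaps and not carved_out:
                findings.append(
                    f"conn {name}: {side}={net} lies inside virtual_private "
                    f"but is not excluded (add %v4:!{net})")
        if merged.get("auto", "ignore") == "ignore":
            findings.append(
                f"conn {name}: auto=ignore, so it is never loaded (use auto=add)")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, lint(conf) or "OK")
```

Running it prints two findings for the quoted configuration and OK for the corrected one. The overlap test deliberately flags a subnet that merely intersects an included range, since a real client address falling inside that range is exactly what makes pluto treat the peer as a virtual-IP roadwarrior instead of matching the conn with the explicit rightsubnet.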
