[Openswan Users] decyphering "cannot respond to IPsec SA request"
Christian Brechbühler
brechbuehler at gmail.com
Thu Feb 16 11:28:34 CET 2006
Hi Paul,
Thanks for your help! Jacco had suggested the same changes in a private mail.
Regarding auto: I've tried MANY different configurations, and had
several connections, some conflicting. I set auto=ignore, and then
manually ran "sudo ipsec auto --add l2tp". A benefit is that ipsec
will point out any errors in the definition of the connection, with
the line number in ipsec.conf.
Thanks again
Christian
On 2/16/06, Paul Wouters <paul at xelerance.com> wrote:
> On Wed, 15 Feb 2006, Christian Brechbühler wrote:
>
> > config setup
> >     plutodebug="all"
> >     nat_traversal=yes
> >     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> >     interfaces=%defaultroute
> >
> > conn %default
> >     keyingtries=1
> >     compress=yes
> >     authby=rsasig
> >     leftrsasigkey=%cert
> >     rightrsasigkey=%cert
> >
> > conn l2tp
> >     rightprotoport=17/1701
> >     leftprotoport=17/1701
> >     pfs=no
> >     right=%defaultroute
> >     rightsubnet=10.0.0.0/24
>
> You need to exclude 10.0.0.0/24 on your virtual_private line.
>
> >     rightcert=lysithea-vpn.pem
> >     left=%any
> >     auto=ignore
>
> auto=ignore means the connection isn't loaded. Use auto=add.
>
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > And here's what I find in the log:
> >
> > | The following messages are prefixed [pluto] "l2tp"[1] 2.2.2.2 #223:
> > | responding to Main Mode from unknown peer 2.2.2.2
> > | transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > | STATE_MAIN_R1: sent MR1, expecting MI2
> > | NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
> > | transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > | STATE_MAIN_R2: sent MR2, expecting MI3
> > | Main mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=Massachusetts, L=Boston, O=EventMonitor, Inc., CN=cindy, E=brechbuehler at gmail.com'
> > |
> > | And here it switches to "l2tp"[2]:
> > | deleting connection "l2tp" instance with peer 2.2.2.2 {isakmp=#0/ipsec=#0}
> > | I am sending my cert
> > | transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> > | STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
> > | cannot respond to IPsec SA request because no connection is known for 6.6.6.6[C=US, ST=Massachusetts, L=Boston, O=EventMonitor, Inc., CN=lysithea-vpn, E=brechbuehler at gmail.com]:17/1701...2.2.2.2[C=US, ST=Massachusetts, L=Boston, O=EventMonitor, Inc., CN=cindy, E=brechbuehler at gmail.com]:17/1701
> > | sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:48336
> >
> > My questions: Why is no connection known? How does one go about
> > debugging the configuration?
>
>
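The two configuration faults Paul points out (a rightsubnet that virtual_private also covers, with no `!%v4:` exclusion, and a conn left at auto=ignore) can be caught before pluto ever logs "no connection is known". The following linter is an added example, not Openswan code; it parses a constructed ipsec.conf fragment modelled on the one quoted above and assumes the `!%v4:CIDR` exclusion syntax from ipsec.conf(5).

```python
"""Lint an Openswan ipsec.conf for the two faults discussed in the thread (added example)."""
import ipaddress
import re

# Constructed sample: the relevant lines of the configuration quoted in the thread.
SAMPLE_CONF = """\
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
conn l2tp
    rightsubnet=10.0.0.0/24
    auto=ignore
"""

def parse_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}}, comments and quotes stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if m:
            current = sections.setdefault(f"{m.group(1)} {m.group(2)}", {})
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip().strip('"')
    return sections

def lint(text):
    """Return human-readable findings; an empty list means both checks passed."""
    sections = parse_conf(text)
    included, excluded = [], []
    for item in filter(None, sections.get("config setup", {}).get("virtual_private", "").split(",")):
        # Entries look like %v4:10.0.0.0/8; a leading '!' carves the range back out.
        net = ipaddress.ip_network(item.lstrip("!").split(":", 1)[1], strict=False)
        (excluded if item.startswith("!") else included).append(net)
    defaults = sections.get("conn %default", {})  # supplies keys a conn leaves unset
    findings = []
    for name, values in sections.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        conn = {**defaults, **values}
        if conn.get("auto", "ignore") == "ignore":  # ignore is the ipsec.conf(5) default
            findings.append(f"{name}: auto=ignore, so the connection is never loaded")
        for side in [s for s in ("leftsubnet", "rightsubnet") if s in conn]:
            sub = ipaddress.ip_network(conn[side], strict=False)
            hit = [n for n in included if n.version == sub.version and sub.subnet_of(n)]
            if hit and not any(e.version == sub.version and sub.subnet_of(e) for e in excluded):
                findings.append(f"{name}: {side}={sub} lies inside virtual_private {hit[0]}; add !%v4:{sub}")
    return findings
```

Running `lint(SAMPLE_CONF)` reports both faults; applying Paul's two fixes (append `!%v4:10.0.0.0/24` to virtual_private and set auto=add) makes it return an empty list.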