[Openswan Users] decyphering "cannot respond to IPsec SA request"

Paul Wouters paul at xelerance.com
Thu Feb 16 18:15:26 CET 2006


On Thu, 16 Feb 2006, Christian Brechbühler wrote:

> version 2.0     # conforms to second version of ipsec.conf specification
>
> config setup
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
>     interfaces=%defaultroute

> conn l2tp
>     rightprotoport=17/1701
>     leftprotoport=17/1701
>     pfs=no
>     right=%defaultroute
>     rightsubnet=10.0.0.0/24

So in your case, rightsubnet is the "office network" behind the VPN gateway right? You
should NOT be specifying that if you are using L2TP, because you will do a host-host
transport mode tunnel, then get an IP from THAT subnet range. You are not building a
host-subnet tunnel.


>     left=%any
>     auto=add

This needs a leftsubnet=vhost:%priv,%no (or rather add two conns for them, see
the openswan-2/examples/ files for l2tp configurations).

And again, switch left/right if this doesn't help.

> Feb  9 16:33:31 [pluto] "home"[1] 2.2.2.2 #1: cannot respond to IPsec
> SA request because no connection is known for
> 10.0.0.0/24===6.6.6.6[C=US, ST=Massachusetts, L=Boston,
> O=EventMonitor, Inc., CN=lysithea-vpn,
> E=brechbuehler at gmail.com]...2.2.2.2[C=US, ST=Massachusetts, L=Boston,
> O=EventMonitor, Inc., CN=lithium,
> E=brechbuehler at gmail.comm]===192.168.2.11/32

So this "request" is most definitely NOT an l2tp request, since it contains
a /24 subnet. So at this point I'm wondering what you are using on
the Windows end?

Paul
-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)
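The two-conn layout Paul points at, written out as an added example (it is not the poster's file and not the Openswan examples file itself). It keeps the poster's left/right orientation (right = this gateway, left = the roaming Windows client) and assumes authentication (authby, certificates) is configured elsewhere:

```ini
# Constructed example: the quoted config with rightsubnet= dropped and the
# vhost:%priv split Paul describes, as two conns joined with also=.
# Authentication parameters are assumed to live in another section.
version 2.0

config setup
    nat_traversal=yes
    # 10.0.0.0/24 is excluded: it is the real office network, so a NATed
    # client must never claim an inner address from it.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
    interfaces=%defaultroute

# Clients behind a NAT: their inner address falls inside virtual_private,
# so the client side is matched as a virtual host, not a real subnet.
conn l2tp-nat
    leftsubnet=vhost:%priv
    also=l2tp-nonat

# Clients with a public address: plain host-to-host transport mode.
conn l2tp-nonat
    type=transport
    pfs=no
    auto=add
    right=%defaultroute
    rightprotoport=17/1701
    left=%any
    leftprotoport=17/1701
    # No rightsubnet here: the 10.0.0.0/24 office addresses are handed out
    # by the L2TP/PPP server inside the tunnel, not negotiated as an IPsec
    # subnet selector. A /24 in the SA proposal means the client is not
    # doing L2TP/IPsec transport mode at all.
```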

