[Openswan Users] decyphering "cannot respond to IPsec SA request"
Paul Wouters
paul at xelerance.com
Thu Feb 16 18:15:26 CET 2006
On Thu, 16 Feb 2006, Christian Brechbühler wrote:
> version 2.0 # conforms to second version of ipsec.conf specification
>
> config setup
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
> interfaces=%defaultroute
> conn l2tp
> rightprotoport=17/1701
> leftprotoport=17/1701
> pfs=no
> right=%defaultroute
> rightsubnet=10.0.0.0/24
So in your case, rightsubnet is the "office network" behind the VPN gateway, right? You
should NOT be specifying that if you are using L2TP, because you will do a host-host
transmode tunnel, then get an IP from THAT subnet range. You are not building a
host-subnet tunnel.
> left=%any
> auto=add
This needs a leftsubnet=vhost:%priv,%no (or rather add two conns for them, see
the openswan-2/examples/ files for l2tp configurations)
And again, switch left/right if this doesn't help.
> Feb 9 16:33:31 [pluto] "home"[1] 2.2.2.2 #1: cannot respond to IPsec
> SA request because no connection is known for
> 10.0.0.0/24===6.6.6.6[C=US, ST=Massachusetts, L=Boston,
> O=EventMonitor, Inc., CN=lysithea-vpn,
> E=brechbuehler at gmail.com]...2.2.2.2[C=US, ST=Massachusetts, L=Boston,
> O=EventMonitor, Inc., CN=lithium,
> E=brechbuehler at gmail.comm]===192.168.2.11/32
So this "request" is most definitely NOT an l2tp request, since it contains
a /24 subnet....... So at this point I'm wondering what you are using on
the Windows end?
Paul
--
"Happiness is never grand"
--- Mustapha Mond, World Controller (Brave New World)
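
Added example, not part of the original message and not Openswan code: a small Python parser for the "cannot respond to IPsec SA request" line quoted above, which extracts the two proposed traffic selectors and reports any that are wider than a single host, the property the reply uses to rule out an L2TP host-to-host request. The function names are hypothetical, the optional `:proto/port` suffix handling is an assumption about the log format, and only IPv4 is handled.

```python
import ipaddress
import re

# Log message from the post, with the quoted line wraps joined back together.
SAMPLE = ('Feb 9 16:33:31 [pluto] "home"[1] 2.2.2.2 #1: cannot respond to IPsec '
          'SA request because no connection is known for '
          '10.0.0.0/24===6.6.6.6[C=US, ST=Massachusetts, L=Boston, '
          'O=EventMonitor, Inc., CN=lysithea-vpn, '
          'E=brechbuehler at gmail.com]...2.2.2.2[C=US, ST=Massachusetts, L=Boston, '
          'O=EventMonitor, Inc., CN=lithium, '
          'E=brechbuehler at gmail.comm]===192.168.2.11/32')

MARKER = "no connection is known for "


def parse_end(text, client_first):
    """Split one end of the request into (host, client network). IPv4 only."""
    parts = text.strip().split("===")
    if len(parts) == 2:
        client, host = parts if client_first else parts[::-1]
    elif len(parts) == 1:
        host, client = parts[0], None      # no subnet shown: the host itself
    else:
        raise ValueError("unexpected selector: " + text)
    host = host.split(":")[0]              # drop :proto/port if present (assumed format)
    net = ipaddress.ip_network(client if client else host + "/32", strict=False)
    return host, net


def proposed_selectors(line):
    """Return ((host, net) of first end, (host, net) of second end), or None."""
    if MARKER not in line:
        return None
    spec = line.split(MARKER, 1)[1]
    spec = re.sub(r"\[[^\]]*\]", "", spec)  # strip [ID] parts; DNs contain dots
    first, sep, second = spec.partition("...")
    if not sep:
        raise ValueError("no '...' separator between the two ends")
    return parse_end(first, True), parse_end(second, False)


def wider_than_host(line):
    """Proposed networks that are not a single host (/32)."""
    selectors = proposed_selectors(line)
    if selectors is None:
        return []
    return [str(net) for _, net in selectors if net.prefixlen < 32]


if __name__ == "__main__":
    print(wider_than_host(SAMPLE))
```

An empty result means both ends proposed single hosts, as a host-to-host request would; a non-empty result points at a subnet tunnel proposal like the one in this log.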