[Openswan Users] decyphering "cannot respond to IPsec SA request"
Christian Brechbühler
brechbuehler at gmail.com
Thu Feb 16 14:03:31 CET 2006
On 2/16/06, Paul Wouters <paul at xelerance.com> wrote:
> On Thu, 16 Feb 2006, Christian Brechbühler wrote:
> > conn l2tp
> > right=%defaultroute
> > rightsubnet=10.0.0.0/24
>
> So in your case, rightsubnet is the "office network" behind the VPN gateway right?
Correct.
> You should NOT be specifying that if you are using L2TP, because you will do a host-host
> transmode tunnel, then get an IP from THAT subnet range. You are not building a
> host-subnet tunnel.
Doh! Of course. I took out the "rightsubnet", and it works! Finally
pluto moves through the Quick states and establishes an IPsec SA.
> > left=%any
> This needs an leftsubnet=vhost:%priv,%no (or rather add two conns for them, see
> the openswan-2/examples/ files for l2tp configurations)
The two having protoport 17/1701 and 17/0, where the latter supports
non-updated Windows, right?
> > Feb 9 16:33:31 [pluto] "home"[1] 2.2.2.2 #1: cannot respond to IPsec
> > SA request because no connection is known for
> > 10.0.0.0/24===6.6.6.6[C=US, ST=Massachusetts, L=Boston,
> > O=EventMonitor, Inc., CN=lysithea-vpn,
> > E=brechbuehler at gmail.com]...2.2.2.2[C=US, ST=Massachusetts, L=Boston,
> > O=EventMonitor, Inc., CN=lithium,
> > E=brechbuehler at gmail.comm]===192.168.2.11/32
>
> So this "request" is most definitely NOT an l2tp request, since it contains
> a /24 subnet....... So at this point I'm wondering what you are using on
> the Windows end?
You're right, it's not. This is from the parenthesis where I
addressed Jacco's suspicion about NAT, and not seeing the internal
host IP 192.168.2.60 -- I gave as a counterexample a message from
Linux/openswan on lithium (192.168.2.11), which I got to work from
behind the same router.
The pointer to /etc/ipsec.d/examples/l2tp*.conf was very useful too.
Once again, thank you so much to Paul and Jacco for all your help!
Christian
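For readers landing on this thread later, here is what the advice above amounts to in ipsec.conf form. This is a constructed example added to the archive page, not the configuration Christian or Paul posted: a host-to-host transport-mode pair of conns with no rightsubnet, vhost:%priv,%no on the client side so NAT'd roadwarriors are accepted, and the two protoport variants (17/1701 for current Windows clients, 17/0 for non-updated ones) mentioned in the reply. The conn names, the comment about keeping a single IPsec transport SA per client, and the authentication settings are assumptions; authby and the certificate or PSK details must match your own setup.

```ini
# Constructed example, not from the thread. Orientation follows Christian's
# config: right is the VPN gateway, left is the roadwarrior (Windows L2TP client).

conn l2tp-base
    # L2TP/IPsec is host-to-host transport mode; the client gets its inner
    # address from the L2TP/PPP server, so there is NO rightsubnet= here.
    type=transport
    pfs=no                      # Windows L2TP clients do not do PFS
    rekey=no                    # let the client drive rekeying
    keyingtries=3
    authby=rsasig               # assumption: thread shows X.509 DNs; use authby=secret for PSK
    right=%defaultroute
    left=%any
    # Accept clients behind NAT (%priv = RFC1918 virtual IPs) and clients
    # that are not (%no); without this a NAT'd client's Quick Mode proposal
    # matches no conn and pluto logs "cannot respond to IPsec SA request".
    leftsubnet=vhost:%priv,%no
    auto=add

# Current (updated) Windows clients propose UDP 1701 on both ends.
conn l2tp-1701
    also=l2tp-base
    rightprotoport=17/1701
    leftprotoport=17/1701

# Non-updated Windows clients propose UDP with a wildcard client port.
conn l2tp-anyport
    also=l2tp-base
    rightprotoport=17/1701
    leftprotoport=17/0
```

The two conns differ only in the client-side protoport, which is exactly the 17/1701 versus 17/0 distinction Christian asked about; pluto picks whichever matches the proposal. The log line quoted earlier in the thread (a /24 on one side and a /32 on the other) is the signature of a host-to-subnet proposal that no transport-mode L2TP conn can match, which is why dropping rightsubnet= made the Quick Mode exchange succeed.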