[Openswan Users] decyphering "cannot respond to IPsec SA request"

Christian Brechbühler brechbuehler at gmail.com
Thu Feb 16 14:03:31 CET 2006


On 2/16/06, Paul Wouters <paul at xelerance.com> wrote:
> On Thu, 16 Feb 2006, Christian Brechbühler wrote:
> > conn l2tp
> >     right=%defaultroute
> >     rightsubnet=10.0.0.0/24
>
> So in your case, rightsubnet is the "office network" behind the VPN gateway right?

Correct.

> You should NOT be specifying that if you are using L2TP, because you will do a host-host
> transmode tunnel, then get an IP from THAT subnet range. You are not building a
> host-subnet tunnel.

Doh! Of course.  I took out the "rightsubnet", and it works!  Finally
pluto moves through the Quick states and establishes an IPsec SA.

> >     left=%any
> This needs a leftsubnet=vhost:%priv,%no (or rather add two conns for them, see
> the openswan-2/examples/ files for l2tp configurations)

The two having protoport 17/1701 and 17/0, where the latter supports
non-updated Windows, right?

> > Feb  9 16:33:31 [pluto] "home"[1] 2.2.2.2 #1: cannot respond to IPsec
> > SA request because no connection is known for
> > 10.0.0.0/24===6.6.6.6[C=US, ST=Massachusetts, L=Boston,
> > O=EventMonitor, Inc., CN=lysithea-vpn,
> > E=brechbuehler at gmail.com]...2.2.2.2[C=US, ST=Massachusetts, L=Boston,
> > O=EventMonitor, Inc., CN=lithium,
> > E=brechbuehler at gmail.comm]===192.168.2.11/32
>
> So this "request" is most definitely NOT an l2tp request, since it contains
> a /24 subnet....... So at this point I'm wondering what you are using on
> the Windows end?

You're right, it's not.  This is from the parenthesis where I
addressed Jacco's suspicion about NAT, and not seeing the internal
host IP 192.168.2.60 -- I gave as a counterexample a message from
Linux/openswan on lithium (192.168.2.11), which I got to work from
behind the same router.

The pointer to /etc/ipsec.d/examples/l2tp*.conf was very useful too.

Once again, thank you so much to Paul and Jacco for all your help!

Christian
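Paul's reading of the quoted pluto line above (a /24 selector means a host-subnet request, which no L2TP transport-mode conn will ever match) can be checked mechanically. The parser below is an added example, not code from this thread or from Openswan; the sample lines are constructed, and the field layout it assumes (client===host[id]...host[id]===client, with an optional :proto/port after a client) is taken from the message quoted above.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample lines in the shape of the pluto message quoted in this thread;
# the addresses and DNs are placeholders, not real hosts.
SAMPLE_LINES = [
    'Feb  9 16:33:31 [pluto] "home"[1] 2.2.2.2 #1: cannot respond to IPsec SA request '
    'because no connection is known for 10.0.0.0/24===6.6.6.6[C=US, O=Example, CN=gw]'
    '...2.2.2.2[C=US, O=Example, CN=roadwarrior]===192.168.2.11/32',
    'Feb  9 16:40:02 [pluto] "l2tp"[2] 2.2.2.2 #3: cannot respond to IPsec SA request '
    'because no connection is known for 6.6.6.6/32:17/1701===6.6.6.6[CN=gw]'
    '...2.2.2.2[CN=roadwarrior]===192.168.2.11/32:17/1701',
]

# Assumed layout: client===host[id]...host[id]===client, each client being addr/len
# with an optional :proto/port selector (17/1701 is L2TP over UDP).
MSG_RE = re.compile(
    r'no connection is known for '
    r'(?P<lclient>\S+?)===(?P<lhost>[^\[\s]+)(?:\[(?P<lid>.*?)\])?'
    r'\.\.\.(?P<rhost>[^\[\s]+)(?:\[(?P<rid>.*?)\])?===(?P<rclient>\S+)$'
)

def _client(text: str) -> dict:
    # "10.0.0.0/24" or "192.168.2.11/32:17/1701" -> network plus proto/port
    addr, _, protoport = text.partition(':')
    net = ipaddress.ip_network(addr, strict=False)
    return {"net": net, "protoport": protoport or None,
            # a single-address selector is host-to-host; wider means a subnet
            "host_only": net.num_addresses == 1}

def classify(line: str) -> Optional[dict]:
    """Say whether the peer asked for a host-host SA (what L2TP needs) or a subnet one."""
    m = MSG_RE.search(line)
    if not m:
        return None
    left, right = _client(m['lclient']), _client(m['rclient'])
    subnets = [str(c["net"]) for c in (left, right) if not c["host_only"]]
    return {
        "left_host": m['lhost'], "left_id": m['lid'],
        "right_host": m['rhost'], "right_id": m['rid'],
        "protoport": left["protoport"] or right["protoport"],
        "kind": "host-subnet" if subnets else "host-host",
        "subnets": subnets,
    }
```

A "host-subnet" result with no protoport points at a tunnel-mode conn (or a stray rightsubnet) rather than at the L2TP conns, which is the mismatch diagnosed in this thread.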

