[Openswan Users] cannot respond to IPsec SA request
Paul Wouters
paul at xelerance.com
Tue Mar 21 17:07:41 CET 2006
On Tue, 21 Mar 2006, Remko Muis wrote:
> Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP
> of remote router] #1: cannot respond to IPsec SA request because no
> connection is known for [External IP of my home network]/32===[Local IP
> of my VPN server]:17/1701...[External IP of remote
> router][@RemoteComputerName]:17/1701
> version 2.0
> config setup
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> overridemtu=1410
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%172.16.0.0/12,%v4:192.168.0.0/16
You need to add exclusion to 192.168.0.0/24
> conn roadwarrior-net
> leftsubnet=192.168.0.0/24
> also=roadwarrior
>
> conn roadwarrior-all
> leftsubnet=0.0.0.0/0
> also=roadwarrior
>
> conn roadwarrior-l2tp
> leftprotoport=17/0
> rightprotoport=17/1701
> also=roadwarrior
>
> conn roadwarrior-l2tp-updatedwin
> leftprotoport=17/1701
> rightprotoport=17/1701
> also=roadwarrior
You cannot do this unfortunately. You have too many connections that cannot
be distinguished. My recommendations:
1) either use normal VPN tunnels, or use L2TP tunnels, not both. So use
"roadwarrior-net" and "roadwarrior-all" OR "roadwarrior-l2tp" and
"roadwarrior-l2tp-updatedwin", not both
2) remove "roadwarrior-l2tp" and only use "roadwarrior-l2tp-updatedwin",
so that these don't confuse either. Any Windows that is not yet updated
is a machine you do NOT want on your internal network anyway.
> conn roadwarrior
> pfs=no
> left=192.168.1.52
> leftnexthop=192.168.1.1
Since you are behind NAT, you might need to set a leftid=@string. I never
tried using openswan with portforwards behind nat. It might also still need
a patch. See Jacco's page to be sure.
> By the way, Nasim Mansurov's great howto tells me I should open port 4500
> not only for UDP, but also for TCP, whereas others do not mention TCP on
> 4500 at all. Who is right here?
UDP port 500 and UDP port 4500. No TCP.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
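A single ipsec.conf that follows the recommendations in the reply above (virtual_private exclusion, one L2TP conn with leftprotoport=17/1701, and a leftid for the NATed server), written as an added example rather than taken from either poster's config. The leftid value, right=%any, rightsubnet=vhost:%priv,%no, authby=secret and auto=add are assumptions not present in the thread.

```ini
version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    overridemtu=1410
    nat_traversal=yes
    # Every entry needs the %v4: prefix, and the server's own LAN is
    # excluded with "!" so a roadwarrior's NATed address never overlaps it.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24

# Only one L2TP conn is kept, so Pluto has exactly one candidate when the
# client proposes UDP/1701 on both ends (updated Windows clients do this).
conn roadwarrior-l2tp-updatedwin
    pfs=no
    left=192.168.1.52
    leftnexthop=192.168.1.1
    # Assumption: a FQDN-style ID so the peer matches this server by name,
    # not by the private address it sees behind the port-forwarding router.
    leftid=@vpn.example.invalid
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    # Assumption: accept clients coming from any virtual_private range,
    # or with no inner subnet at all (plain L2TP transport mode).
    rightsubnet=vhost:%priv,%no
    authby=secret
    auto=add
```

Only UDP/500 and UDP/4500 need to be forwarded from the router to 192.168.1.52 for this conn; nothing listens on TCP/4500.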