[Openswan Users] cannot respond to IPsec SA request

Per Arnold Blåsmo pab at norbit.no
Wed Mar 22 15:00:56 CET 2006


Remko Muis wrote:
> Hello,
> 
> I have setup a VPN server in my home network, but when I try to make a
> connection from a remote computer (both are behind a NAT), I receive the
> following error messages in /var/log/secure:
> 
> Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP
> of remote router] #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}
> Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP
> of remote router] #1: cannot respond to IPsec SA request because no
> connection is known for [External IP of my home network]/32===[Local IP
> of my VPN server]:17/1701...[External IP of remote
> router][@RemoteComputerName]:17/1701
> Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP
> of remote router] #1: sending encrypted notification
> INVALID_ID_INFORMATION to [External IP of remote router]:4500
> 
> I think the appearance of my external IP (fixed IP from my ISP) with
> subnet /32 is strange, I would expect the subnet of my home network
> (which is 192.168.1.0/24) here. What am I doing wrong??
> 

Hi, I have the same error message as you.
I have tried the answers to your post and several other configs, but
nothing seems to help.

My setup is very much like yours, but I am using certificates to
authenticate. Each side authenticates ok, but when the gateway tries to
set up the connection, it fails with the same message "cannot respond..."

My server is running Fedora FC4 with kernel 2.6.15-1.1833_FC4smp,
openswan-2.4.4-1.0.FC4.1 and ipsec-tools-0.5-4.

I have tried to search the net but have not found any help.

Here is some output from where it all fails:

Mar 22 12:47:35 netti pluto[6312]: |   fc_try trying
roadwarrior:192.168.1.0/24:0/0 -> 10.0.0.0/24:0/0 vs
roadwarrior-net:192.168.1.0/24:0/0 -> 0.0.0.0/32:0/0
Mar 22 12:47:35 netti pluto[6312]: |   fc_try concluding with none [0]
Mar 22 12:47:35 netti pluto[6312]: |   concluding with d = none
Mar 22 12:47:35 netti pluto[6312]: "roadwarrior"[4] [myhome_ext_ip] #2:
cannot respond to IPsec SA request because no connection is known for
192.168.1.0/24===[myoffice_ext_ip]...[myhome_ext_ip]===10.0.0.0/24
Mar 22 12:47:35 netti pluto[6312]: | complete state transition with (null)
Mar 22 12:47:35 netti pluto[6312]: "roadwarrior"[4] 62.16.171.91 #2:
sending encrypted notification INVALID_ID_INFORMATION to [myhome_ext_ip]:500


I do not understand all this, but maybe someone can help me?

Per A.


