[Openswan Users] cannot respond to IPsec SA request

Per Arnold Blåsmo pab at norbit.no
Thu Mar 23 11:51:30 CET 2006


Per Arnold Blåsmo wrote:
> Remko Muis wrote:
>> Hello,
>>
>> I have setup a VPN server in my home network, but when I try to make a
>> connection from a remote computer (both are behind a NAT), I receive the
>> following error messages in /var/log/secure:
>>
>> Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP
>> of remote router] #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
>> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
>> group=modp2048}
>> Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP
>> of remote router] #1: cannot respond to IPsec SA request because no
>> connection is known for [External IP of my home network]/32===[Local IP
>> of my VPN server]:17/1701...[External IP of remote
>> router][@RemoteComputerName]:17/1701
>> Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] [External IP
>> of remote router] #1: sending encrypted notification
>> INVALID_ID_INFORMATION to [External IP of remote router]:4500
>>
>> I think the appearance of my external IP (fixed IP from my ISP) with
>> subnet /32 is strange, I would expect the subnet of my home network
>> (which is 192.168.1.0/24) here. What am I doing wrong??
>>
> 
> Hi, I have the same error message as you.
> I have tried the answers to your post and several other configs, but
> nothing seems to help.
> 
> My setup is very much like yours, but I am using certificates to
> authenticate. Each side authenticates ok, but when the gateway tries to
> set up the connection, it fails with the same message "cannot respond..."
> 
> My server is running Fedora FC4 with kernel 2.6.15-1.1833_FC4smp,
> openswan-2.4.4-1.0.FC4.1 and ipsec-tools-0.5-4.
> 
> I have tried to search the net but have not found any help.
> 
> Here is some output from where it all fails:
> 
> Mar 22 12:47:35 netti pluto[6312]: |   fc_try trying
> roadwarrior:192.168.1.0/24:0/0 -> 10.0.0.0/24:0/0 vs
> roadwarrior-net:192.168.1.0/24:0/0 -> 0.0.0.0/32:0/0
> Mar 22 12:47:35 netti pluto[6312]: |   fc_try concluding with none [0]
> Mar 22 12:47:35 netti pluto[6312]: |   concluding with d = none
> Mar 22 12:47:35 netti pluto[6312]: "roadwarrior"[4] [myhome_ext_ip] #2:
> cannot respond to IPsec SA request because no connection is known for
> 192.168.1.0/24===[myoffice_ext_ip]...[myhome_ext_ip]===10.0.0.0/24
> Mar 22 12:47:35 netti pluto[6312]: | complete state transition with (null)
> Mar 22 12:47:35 netti pluto[6312]: "roadwarrior"[4] 62.16.171.91 #2:
> sending encrypted notification INVALID_ID_INFORMATION to [myhome_ext_ip]:500
> 
> 
> I do not understand all this, but maybe someone can help me?
> 
> Per A.
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 

I nailed it :-) An old mail in a mailing list got me testing it.
In my config file I had the line:
'rightsubnet=vhost:%no,%priv'

When I changed it to:
'rightsubnet=vnet:%no,%priv'

I got connected. I can't seem to find any documentation on this setting
though. Where is it documented?

Per A.
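Added example, not from the thread or from Openswan itself: it parses pluto's "no connection is known for" message into the two client subnets and the peer address, then applies a simplified model of the vhost:/vnet: rightsubnet syntax to show why a /24 proposed by the peer is rejected under vhost but admitted under vnet. Assumptions: IPv4 only, `%priv` is modelled as RFC1918 space (in Openswan it is whatever `virtual_private=` lists), and only the `%no` and `%priv` entries are modelled; the log lines and addresses are constructed.

```python
import re
import ipaddress
# Constructed sample lines in the shape of pluto's "no connection is known for"
# message; the addresses, hostnames and connection names are invented.
SAMPLE_LOG = [
    'Mar 22 12:47:35 netti pluto[6312]: "roadwarrior"[4] 203.0.113.5 #2: cannot '
    'respond to IPsec SA request because no connection is known for '
    '192.168.1.0/24===198.51.100.7...203.0.113.5===10.0.0.0/24',
    'Mar 21 12:18:36 Marnix pluto[25075]: "roadwarrior-l2tp"[2] 198.51.100.7 #1: cannot '
    'respond to IPsec SA request because no connection is known for '
    '203.0.113.5/32===192.168.1.10:17/1701...198.51.100.7[@laptop]:17/1701',
]
NO_CONN = re.compile(r"no connection is known for (\S+)\.\.\.(\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _split_side(side, client_first):
    """One side of '...': client===host[id]:proto/port (left) or host===client
    (right). Without '===' the host itself is the client (/32)."""
    parts = side.split("===")
    if len(parts) == 1:
        host_part, client = parts[0], None
    else:
        client, host_part = parts if client_first else parts[::-1]
    host = re.match(r"[0-9.]+", host_part).group(0)
    return host, ipaddress.ip_network(client or host + "/32", strict=False)

def parse_no_connection(line):
    """Return (local_client, peer_host, peer_client) as strings, or None."""
    m = NO_CONN.search(line)
    if not m:
        return None
    _, local_client = _split_side(m.group(1), client_first=True)
    peer_host, peer_client = _split_side(m.group(2), client_first=False)
    return str(local_client), peer_host, str(peer_client)

def rightsubnet_accepts(rightsubnet, peer_host, peer_client):
    """Simplified model (assumption, not Openswan's code): vhost admits only /32
    proposals, vnet admits subnets too; %no admits the peer's own address and
    %priv is taken to mean RFC1918 (Openswan uses the virtual_private= list)."""
    kind, _, entries = rightsubnet.partition(":")
    net = ipaddress.ip_network(peer_client)
    if kind == "vhost" and net.prefixlen != 32:
        return False  # a /24 proposal fails here: the vhost-vs-vnet trap
    for entry in entries.split(","):
        if entry == "%no" and net == ipaddress.ip_network(peer_host + "/32"):
            return True
        if entry == "%priv" and any(net.subnet_of(p) for p in RFC1918):
            return True
    return False
```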
