[Openswan Users] XP ok but Vista - cannot respond to IPsec SA request because no connection is known for

Tom Robinson tom at constantstream.com
Wed Apr 11 14:23:30 EDT 2007


Hi All,

Openswan IPsec U1.0.10/K1.0.10rc2
IPCOP 1.4.11 with l2tpd

The version is quite old, I know, but I'm seeking some help with creating a new 
VPN connection on IPCop with NAT and L2TP.

There is already one VPN configured for 'roadwarrior' connections that has been 
working for a couple of years with W2K and XP. We recently got a Vista installed 
laptop but I can't get a VPN connection with it.

The error is:

Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[366] x.x.x.x:4500 #15341: 
cannot respond to IPsec SA request because no connection is known for 
w.w.w.w:4500[C=YY, ST=YY, O=YY, OU=YY, CN=YY]:17/1701...x.x.x.x:4500[C=YY, 
ST=YY, O='YY', OU=YY, CN=YY]:17/1701===z.z.z.z/32

The VPN continues to work with W2K and XP.

I thought maybe it's something to do with the NAT-T. Vista uses RFC 3947 but XP 
uses draft-ietf-ipsec-nat-t-ike-02_n.

Any clues about this would be appreciated.

Thanks.

Tom

Logging a successful connection via W2K/XP:
Apr 10 10:51:00 ipcop pluto[583]: packet from x.x.x.x:500: ignoring Vendor ID 
payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 10 10:51:00 ipcop pluto[583]: packet from x.x.x.x:500: ignoring Vendor ID 
payload [FRAGMENTATION]
Apr 10 10:51:00 ipcop pluto[583]: packet from x.x.x.x:500: received Vendor ID 
payload [draft-ietf-ipsec-nat-t-ike-02_n]
Apr 10 10:51:00 ipcop pluto[583]: packet from x.x.x.x:500: ignoring Vendor ID 
payload [26244d38eddb61b3172a36e3d0cfb819]
Apr 10 10:51:00 ipcop pluto[583]: "roadwarriors"[363] x.x.x.x #15339: responding 
to Main Mode from unknown peer x.x.x.x
Apr 10 10:51:00 ipcop pluto[583]: "roadwarriors"[363] x.x.x.x #15339: transition 
from state (null) to state STATE_MAIN_R1
Apr 10 10:51:00 ipcop pluto[583]: "roadwarriors"[363] x.x.x.x #15339: 
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Apr 10 10:51:01 ipcop pluto[583]: "roadwarriors"[363] x.x.x.x #15339: transition 
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 10 10:51:01 ipcop pluto[583]: "roadwarriors"[363] x.x.x.x #15339: Main mode 
peer ID is ID_DER_ASN1_DN: 'C=YY, ST=YY, O='YY', OU=YY, CN=YY'
Apr 10 10:51:01 ipcop pluto[583]: "roadwarriors"[363] x.x.x.x #15339: crl update 
is overdue since Nov 05 17:39:42 UTC 2006
Apr 10 10:51:01 ipcop pluto[583]: "roadwarriors"[363] x.x.x.x #15339: crl update 
is overdue since Nov 05 17:39:42 UTC 2006
Apr 10 10:51:01 ipcop pluto[583]: "roadwarriors"[364] x.x.x.x #15339: deleting 
connection "roadwarriors" instance with peer x.x.x.x
Apr 10 10:51:01 ipcop pluto[583]: "roadwarriors"[364] x.x.x.x #15339: transition 
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 10 10:51:01 ipcop pluto[583]: | NAT-T: new mapping x.x.x.x:500/4500)
Apr 10 10:51:01 ipcop pluto[583]: "roadwarriors"[364] x.x.x.x:4500 #15339: sent 
MR3, ISAKMP SA established
Apr 10 10:51:01 ipcop pluto[583]: "roadwarriors"[364] x.x.x.x:4500 #15340: 
responding to Quick Mode
Apr 10 10:51:01 ipcop pluto[583]: "roadwarriors"[364] x.x.x.x:4500 #15340: 
transition from state (null) to state STATE_QUICK_R1
Apr 10 10:51:01 ipcop l2tpd[664]: ourtid = 18275, entropy_buf = 4763

Logging a failed connection via Vista:
Apr 10 11:40:53 ipcop pluto[583]: packet from x.x.x.x:500: ignoring Vendor ID 
payload [MS NT5 ISAKMPOAKLEY 00000005]
Apr 10 11:40:53 ipcop pluto[583]: packet from x.x.x.x:500: received Vendor ID 
payload [RFC 3947]
Apr 10 11:40:53 ipcop pluto[583]: packet from x.x.x.x:500: ignoring Vendor ID 
payload [draft-ietf-ipsec-nat-t-ike-02_n]
Apr 10 11:40:53 ipcop pluto[583]: packet from x.x.x.x:500: ignoring Vendor ID 
payload [FRAGMENTATION]
Apr 10 11:40:53 ipcop pluto[583]: packet from x.x.x.x:500: ignoring Vendor ID 
payload [fb1de3cdf341b7ea16b7e5be0855f120]
Apr 10 11:40:53 ipcop pluto[583]: packet from x.x.x.x:500: ignoring Vendor ID 
payload [26244d38eddb61b3172a36e3d0cfb819]
Apr 10 11:40:53 ipcop pluto[583]: packet from x.x.x.x:500: ignoring Vendor ID 
payload [e3a5966a76379fe707228231e5ce8652]
Apr 10 11:40:53 ipcop pluto[583]: "roadwarriors"[365] x.x.x.x #15341: responding 
to Main Mode from unknown peer x.x.x.x
Apr 10 11:40:53 ipcop pluto[583]: "roadwarriors"[365] x.x.x.x #15341: only 
OAKLEY_GROUP_MODP768,1024,1536,2048,3072,4096,6144,8192 supported.  Attribute 
OAKLEY_GROUP_DESCRIPTION
Apr 10 11:40:53 ipcop pluto[583]: "roadwarriors"[365] x.x.x.x #15341: only 
OAKLEY_GROUP_MODP768,1024,1536,2048,3072,4096,6144,8192 supported.  Attribute 
OAKLEY_GROUP_DESCRIPTION
Apr 10 11:40:53 ipcop pluto[583]: "roadwarriors"[365] x.x.x.x #15341: transition 
from state (null) to state STATE_MAIN_R1
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[365] x.x.x.x #15341: 
NAT-Traversal: Result using RFC 3947: peer is NATed
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[365] x.x.x.x #15341: transition 
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[365] x.x.x.x #15341: Main mode 
peer ID is ID_DER_ASN1_DN: 'C=YY, ST=YY, O='YY', OU=YY, CN=YY'
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[365] x.x.x.x #15341: crl update 
is overdue since Nov 05 17:39:42 UTC 2006
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[365] x.x.x.x #15341: crl update 
is overdue since Nov 05 17:39:42 UTC 2006
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[366] x.x.x.x #15341: deleting 
connection "roadwarriors" instance with peer x.x.x.x
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[366] x.x.x.x #15341: transition 
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 10 11:40:54 ipcop pluto[583]: | NAT-T: new mapping x.x.x.x:500/4500)
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[366] x.x.x.x:4500 #15341: sent 
MR3, ISAKMP SA established
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[366] x.x.x.x:4500 #15341: 
cannot respond to IPsec SA request because no connection is known for 
w.w.w.w:4500[C=YY, ST=YY, O=YY, OU=YY, CN=YY]:17/1701...x.x.x.x:4500[C=YY, 
ST=YY, O='YY', OU=YY, CN=YY]:17/1701===z.z.z.z/32
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[366] x.x.x.x:4500 #15341: 
sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:4500

config setup
         interfaces=%defaultroute
         klipsdebug="none"
         plutodebug="control"
         plutoload=%search
         plutostart=%search
         uniqueids=yes
         nat_traversal=yes
         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/255.255.255.0

conn %default
         keyingtries=0
         disablearrivalcheck=no

conn roadwarriors
         left=w.w.w.w
         leftnexthop=%defaultroute
         leftprotoport=17/1701
         leftcert=/var/ipcop/certs/hostcert.pem
         right=%any
         rightrsasigkey=%cert
         rightprotoport=17/1701
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         pfs=no
         authby=rsasig
         auto=add
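A small log triage script for the two negotiations quoted above, added here as an example and not part of the original post: it groups the pluto lines by ISAKMP SA number, records which NAT-T method was negotiated, and splits the "cannot respond ... no connection is known for" message into its two ends so the rejected phase 2 proposal can be compared with the conn's right side. The sample lines and the CONN_ROADWARRIORS dict are constructed from the post; the check that a remote client behind NAT (the ===z.z.z.z/32 part) cannot match a conn that has no rightsubnet is an assumption drawn from the message text, not a confirmed fix.

```python
import re

# Constructed sample in the shape of the pluto lines quoted in the post (addresses masked as there).
SAMPLE_LOG = """\
Apr 10 11:40:53 ipcop pluto[583]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947]
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[365] x.x.x.x #15341: NAT-Traversal: Result using RFC 3947: peer is NATed
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[366] x.x.x.x:4500 #15341: sent MR3, ISAKMP SA established
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[366] x.x.x.x:4500 #15341: cannot respond to IPsec SA request because no connection is known for w.w.w.w:4500[C=YY, ST=YY, O=YY, OU=YY, CN=YY]:17/1701...x.x.x.x:4500[C=YY, ST=YY, O='YY', OU=YY, CN=YY]:17/1701===z.z.z.z/32
Apr 10 11:40:54 ipcop pluto[583]: "roadwarriors"[366] x.x.x.x:4500 #15341: sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:4500
"""
# Right side of the post's "conn roadwarriors" as a dict (constructed; note there is no rightsubnet).
CONN_ROADWARRIORS = {"right": "%any", "rightprotoport": "17/1701"}

STATE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
NATT_RE = re.compile(r"NAT-Traversal: Result using (?P<method>.+?): ")
# One end of the "no connection is known for" text: host[:port][ID]:proto/port, optionally ===client
END = r"(?P<{n}_host>[^\[\s]+)\[(?P<{n}_id>[^\]]*)\]:(?P<{n}_pp>\d+/\d+)(?:===(?P<{n}_client>\S+))?"
UNKNOWN_RE = re.compile("no connection is known for " + END.format(n="left") + r"\.\.\." + END.format(n="right"))

def parse_unknown_connection(msg):
    # Returns left/right host, ID, proto/port and client of the rejected phase 2 proposal, or None.
    m = UNKNOWN_RE.search(msg)
    return m.groupdict() if m else None

def summarize(log_text):
    # Group pluto lines by ISAKMP SA number; vendor ID lines carry no SA number and are skipped.
    sas = {}
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m: continue
        sa = sas.setdefault(m["sa"], {"conn": m["conn"], "nat_t": None, "isakmp": False,
                                      "proposal": None, "notify": None})
        msg = m["msg"]
        if (n := NATT_RE.search(msg)):
            sa["nat_t"] = n["method"]          # draft-ietf-ipsec-nat-t-ike-02/03 or RFC 3947
        if "ISAKMP SA established" in msg:
            sa["isakmp"] = True                # phase 1 completed
        if (p := parse_unknown_connection(msg)):
            sa["proposal"] = p                 # phase 2 proposal pluto could not match
        if (k := re.search(r"sending encrypted notification (\w+)", msg)):
            sa["notify"] = k.group(1)
    return sas

def diagnose(sa, conn):
    # Compare the rejected proposal's right end with the conn's right-side settings.
    p = sa["proposal"]
    if p is None:
        return "phase 1 up, no rejected phase 2 proposal" if sa["isakmp"] else "phase 1 did not complete"
    peer = p["right_host"].split(":")[0]
    if p["right_client"] and p["right_client"] != peer + "/32" and "rightsubnet" not in conn:
        return (f"peer {peer} (NAT-T {sa['nat_t']}) proposed client {p['right_client']} behind NAT, "
                f"but conn {sa['conn']!r} has no rightsubnet, so only the peer address itself could match")
    return "phase 2 rejected for another reason; compare protoport " + p["right_pp"]
```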
