[Openswan Users] strongswan behind NAT problem - L2TP/IPSEC - "cannot respond to IPsec SA request because no connection is known for"
Paul Wouters
paul at xelerance.com
Thu Jul 12 10:22:21 EDT 2007
On Thu, 12 Jul 2007, Andrew Lemin wrote:
> "rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: cannot respond to IPsec SA request because no connection is
> known for <SERVER-PUBLIC-IP>/32===192.168.214.2:4500[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=rt2.monitor.york_1,
> E=email at address.changed.com]:17/1701...<CLIENT-PUBLIC-IP>:4500[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=andrew.lemin_1,
> E=email at address.changed.com]:17/%any
>
> "rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to
> 88.96.193.65:4500
Could be a bad/expired certificate, a rejected subjectAltName, or:
>
> Network Setup;
>
> RoadWarrior Client (clients can potentially have local nets in 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Been testing with client
> in 192.168.200.0/24)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
roadwarrior's network
> |
> <CLIENT-NAT-GW-IP>
> Client NAT Device
> <CLIENT-PUBLIC-IP>
> |
> INTERNET
> |
> <SERVER-PUBLIC-IP>
> Server Side NAT Device (Netgear FVX538)
> <192.168.214.1>
> |
> <192.168.214.2>
> IPSec Server
> <192.168.200.15>
^^^^^^^^^^^^^^^^^^^^^^^^
server's network
You cannot build a connection from 192.168.200.0/35 to 192.168.200.0/24
> LAN I WANT TO ALLOW ACCESS TO (192.168.200.0/24)
> config setup
> plutodebug=control
> nat_traversal=yes
Where is the virtual_private= line (assuming this is the server (aka responder) config)?
> conn rt2.monitor.york__GT__andrew.lemin_0
> auto=start
> authby=rsasig
> left=%defaultroute
> leftprotoport=17/1701
> leftrsasigkey=%cert
> leftcert=rt2.monitor.york_1.pem
> leftid=
> right=%any
> rightsubnetwithin=192.168.200.0/24
> rightrsasigkey=%cert
> rightid="/C=GB/ST=yorkshire/L=york/O=MCSLtd/OU=Support/CN=andrew.lemin_1/emailAddress=email at address.changed.com"
> rightprotoport=17/%any
> keylife=8h
> ikelifetime=1h
> pfs=no
> keyingtries=1
> ike=3des-md5-modp1024
> esp=3des-md5
auto=start with right=%any is not valid
auto=start without rekey=no causes problems
an empty leftid= is not wise, leave it out so it means the DN
don't use "subnetwithin" - it is obsolete. Use rightsubnet=vhost:%priv,%no (and in fact,
the 192.168.200.0/24 needs to be EXCLUDED in virtual_private=).
Try to avoid using %any in protoports; use 17/1701 (and upgrade all XPs before SP2 to SP2).
Paul
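A small check, added here as an example and not part of the thread or of Openswan's code, that lints the posted responder conn against the points above and models how rightsubnet=vhost:%priv interacts with virtual_private=. The corrected virtual_private value, the two conn dicts and the client addresses are assumptions; the acceptance logic is a simplification of what Openswan does (allowed ranges minus "!" exclusions) and the server LAN is the 192.168.200.0/24 from the diagram.

```python
"""Lint an Openswan responder conn for the roadwarrior/NAT-T mistakes
discussed in the thread (added example, not Openswan code)."""
import ipaddress

# Assumed corrected virtual_private: RFC1918 ranges, server LAN excluded.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
                   "%v4:192.168.0.0/16,%v4:!192.168.200.0/24")
SERVER_LAN = "192.168.200.0/24"

# Reconstructed from the posted conn (only the keys the lint looks at).
POSTED_CONN = {
    "auto": "start", "authby": "rsasig", "left": "%defaultroute",
    "leftprotoport": "17/1701", "leftrsasigkey": "%cert", "leftid": "",
    "right": "%any", "rightsubnetwithin": "192.168.200.0/24",
    "rightrsasigkey": "%cert", "rightprotoport": "17/%any",
}

# Assumed conn after applying the advice in the reply.
FIXED_CONN = {
    "auto": "add", "rekey": "no", "authby": "rsasig", "left": "%defaultroute",
    "leftprotoport": "17/1701", "leftrsasigkey": "%cert",
    "right": "%any", "rightsubnet": "vhost:%priv,%no",
    "rightrsasigkey": "%cert", "rightprotoport": "17/1701",
}


def parse_virtual_private(value):
    """Split a virtual_private= string into (allowed, excluded) networks.
    Entries are comma-separated %v4:NET; a leading '!' marks an exclusion."""
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if not entry.startswith("%v4:"):
            raise ValueError("unsupported virtual_private entry: " + entry)
        body = entry[len("%v4:"):]
        if body.startswith("!"):
            excluded.append(ipaddress.ip_network(body[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(body, strict=False))
    return allowed, excluded


def vhost_priv_accepts(virtual_private, client_addr):
    """Simplified vhost:%priv rule: the client's inner address must fall in
    an allowed range and in no excluded range."""
    allowed, excluded = parse_virtual_private(virtual_private)
    addr = ipaddress.ip_address(client_addr)
    return any(addr in n for n in allowed) and not any(addr in n for n in excluded)


def lint_conn(conn, virtual_private, server_lan):
    """Return the list of problems found in a responder conn dict.
    virtual_private is the config-setup value, or None if it is missing."""
    problems = []
    if conn.get("right") == "%any" and conn.get("auto") == "start":
        problems.append("auto=start is not valid with right=%any; use auto=add")
    if conn.get("auto") == "start" and conn.get("rekey", "yes") != "no":
        problems.append("auto=start without rekey=no causes problems")
    if "leftid" in conn and conn["leftid"] == "":
        problems.append("empty leftid=; leave it out so the certificate DN is used")
    if "rightsubnetwithin" in conn:
        problems.append("rightsubnetwithin is obsolete; use rightsubnet=vhost:%priv,%no")
    if conn.get("rightprotoport", "").endswith("/%any"):
        problems.append("rightprotoport uses %any; prefer 17/1701")
    if virtual_private is None:
        problems.append("no virtual_private= in config setup")
    else:
        _, excluded = parse_virtual_private(virtual_private)
        lan = ipaddress.ip_network(server_lan, strict=False)
        if not any(lan.subnet_of(n) for n in excluded):
            problems.append("server LAN %s must be excluded in virtual_private=" % lan)
    return problems


if __name__ == "__main__":
    for name, conn, vp in (("posted", POSTED_CONN, None),
                           ("fixed", FIXED_CONN, VIRTUAL_PRIVATE)):
        print(name, lint_conn(conn, vp, SERVER_LAN))
    # A client whose LAN collides with the server LAN is refused by vhost:%priv.
    for client in ("192.168.210.5", "192.168.200.77"):
        print(client, vhost_priv_accepts(VIRTUAL_PRIVATE, client))
```

The collision case is the one from the thread: a client sitting in 192.168.200.0/24 cannot be given a vhost:%priv lease once that range is excluded, which is the intended outcome, since the server's own LAN must not appear on both ends of the tunnel.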