[Openswan Users] FW: strongswan behind NAT problem - L2TP/IPSEC - "cannot respond to IPsec SA request because no connection is known for"

Andrew Lemin andrew.lemin at monitorsoft.com
Fri Jul 13 07:12:01 EDT 2007


List,

In addition to the below, late last night during a mild epiphany I added 'leftsubnet=<SERVER-PUBLIC-IP>/32' to my ipsec.conf in addition to the kind suggestions from Paul.
This seemed to work!!! I no longer get the error 'cannot respond to IPsec SA request because no connection is .....

However... :o( I now get the following;

packet from <CLIENT-PUBLIC-IP>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
IN=eth2 OUT= MAC=00:0d:88:cc:ff:5d:00:14:6c:84:f2:df:08:00 SRC=<CLIENT-PUBLIC-IP> DST=192.168.214.2 LEN=340 TOS=0x00 PREC=0x00 TTL=121 ID=38356 PROTO=UDP SPT=500 DPT=500 LEN=320
packet from <CLIENT-PUBLIC-IP>:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from <CLIENT-PUBLIC-IP>:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from <CLIENT-PUBLIC-IP>:500: ignoring Vendor ID payload [Vid-Initial-Contact]
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP> #1: responding to Main Mode from unknown peer <CLIENT-PUBLIC-IP>
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP> #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP> #1: Peer ID is ID_DER_ASN1_DN: 'C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=andrew.lemin_1, E=email at address.changed.com'
IN=eth2 OUT= MAC=00:0d:88:cc:ff:5d:00:14:6c:84:f2:df:08:00 SRC=<CLIENT-PUBLIC-IP> DST=192.168.214.2 LEN=1436 TOS=0x00 PREC=0x00 TTL=121 ID=38361 PROTO=UDP SPT=4500 DPT=4500 LEN=1416
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP> #1: we have a cert and are sending it
| NAT-T: new mapping <CLIENT-PUBLIC-IP>:500/4500)
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sent MR3, ISAKMP SA established
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #2: responding to Quick Mode
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: ignoring informational payload, type INVALID_HASH_INFORMATION
"rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: received Delete SA payload: deleting ISAKMP State #1
IN=eth7 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:6e:d0:a7:9e:08:00 SRC=192.168.200.54 DST=192.168.200.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=3354 PROTO=UDP SPT=137 DPT=137 LEN=58

I get no more than this, and on the WinXP SP2 client I get:

"Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations
with the remote computer."


Thank you everyone. I am sorry if my threads are not matching up. I'm new to this list method. Sorry!

Andy

>Paul,

>Thank you for your comments :o)
>I have made some changes but I am still having the same error;


>Ipsec.conf;

>version 2
>conn block
>	auto=ignore
>
>conn private
>	auto=ignore
>
>conn clear
>	auto=ignore
>
>conn packetdefault
>	auto=ignore
>
>conn private-or-clear
>	auto=ignore
>
>conn clear-or-private
>	auto=ignore
>
>config setup
>  plutodebug=control
>	nat_traversal=yes
>	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.214.0/24,%v4:!192.168.200.0/24

>conn rt2.monitor.york__GT__andrew.lemin_0
>	auto=add
>	authby=rsasig
>	left=%defaultroute
>	leftprotoport=17/1701
>	leftrsasigkey=%cert
>	leftcert=rt2.monitor.york_1.pem
>	right=%any
>	rightsubnet=vhost:%priv,%no
>	rightrsasigkey=%cert
>	rightid="/C=GB/ST=yorkshire/L=york/O=MCSLtd/OU=Support/CN=andrew.lemin_1/emailAddress=email at address.changed.com"
>	rightprotoport=17/1701
>	keylife=8h
>	ikelifetime=1h
>	pfs=no
>	keyingtries=1
>	ike=3des-md5-modp1024
>	esp=3des-md5



>Based on your comment that I should not be trying to connect from 192.168.200.X/32 to 192.168.200.0/24, I have changed my l2tp.conf file to;


>[global]

>[lns default]
>ip range = 192.168.214.201-192.168.214.215
>local ip = 192.168.214.200
>require chap = yes
>refuse pap = yes
>require authentication = yes
>name = SecurepointL2TP
>pppoptfile = /etc/ppp/options.l2tp
>length bit = yes


>Thus the data path now looks like:

> RoadWarrior Client (clients can potentially have local nets in 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Been testing with client
in 192.168.200.0/24)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
roadwarrior's network
>     |
> <CLIENT-NAT-GW-IP>
> Client NAT Device
> <CLIENT-PUBLIC-IP>
>     |
> INTERNET
>     |
> <SERVER-PUBLIC-IP>
> Server Side NAT Device (Netgear FVX538)
> <192.168.214.1>
>     |
> <192.168.214.2> ------- <server's network (192.168.214.0/24) >
>  IPSec Server


>My understanding is that with L2TP/IPSec, the IPSec tunnel should be setup just point to point (/32 <-> /32). And then L2TP is tunneled through this which deals with getting packets onto the desired subnet.

>Thank you,
>Andy

>How do I post my reply into the list? Am I right to bcc this to the list address too and will it pick up the thread from the subject?

>Thanks again and sorry for the noob questions :o)



-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: 12 July 2007 15:22
To: Andrew Lemin
Cc: users at openswan.org
Subject: Re: [Openswan Users] strongswan behind NAT problem - L2TP/IPSEC - "cannot respond to IPsec SA request because no connection is known for"


On Thu, 12 Jul 2007, Andrew Lemin wrote:

> "rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: cannot respond to IPsec SA request because no connection is
> known for <SERVER-PUBLIC-IP>/32===192.168.214.2:4500[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=rt2.monitor.york_1,
> E=email at address.changed.com]:17/1701...<CLIENT-PUBLIC-IP>:4500[C=GB, ST=yorkshire, L=york, O=MCSLtd, OU=Support, CN=andrew.lemin_1,
> E=email at address.changed.com]:17/%any
>
> "rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to
> 88.96.193.65:4500

Could be a bad/expired certificate, a rejected subjectAltName, or:

>
> Network Setup;
>
> RoadWarrior Client (clients can potentially have local nets in 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Been testing with client
> in 192.168.200.0/24)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
roadwarrior's network

>     |
> <CLIENT-NAT-GW-IP>
> Client NAT Device
> <CLIENT-PUBLIC-IP>
>     |
> INTERNET
>     |
> <SERVER-PUBLIC-IP>
> Server Side NAT Device (Netgear FVX538)
> <192.168.214.1>
>     |
> <192.168.214.2>
> IPSec Server
> <192.168.200.15>
^^^^^^^^^^^^^^^^^^^^^^^^
server's network

You cannot build a connection from 192.168.200.0/35 to 192.168.200.0/24

> LAN I WANT TO ALLOW ACCESS TO (192.168.200.0/24)

> config setup
>   plutodebug=control
> 	nat_traversal=yes

Where is the virtual_private= line (assuming this is the server (aka responder) config)?

> conn rt2.monitor.york__GT__andrew.lemin_0
> 	auto=start
> 	authby=rsasig
> 	left=%defaultroute
> 	leftprotoport=17/1701
> 	leftrsasigkey=%cert
> 	leftcert=rt2.monitor.york_1.pem
> 	leftid=
> 	right=%any
> 	rightsubnetwithin=192.168.200.0/24
> 	rightrsasigkey=%cert
> 	rightid="/C=GB/ST=yorkshire/L=york/O=MCSLtd/OU=Support/CN=andrew.lemin_1/emailAddress=email at address.changed.com"
> 	rightprotoport=17/%any
> 	keylife=8h
> 	ikelifetime=1h
> 	pfs=no
> 	keyingtries=1
> 	ike=3des-md5-modp1024
> 	esp=3des-md5

auto=start with right=%any is not valid
auto=start without rekey=no causes problems
an empty leftid= is not wise, leave it out so it means the DN
don't use "subnetwithin" - it is obsoleted. Use rightsubnet=vhost:%priv,%no (and in fact, the 192.168.200.0/24 needs to be EXCLUDED in virtual_private=)
Try to avoid using %any in protoports, use 17/1701 (and upgrade all XP's before SP2 to SP2)

Paul
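The point Paul is making about virtual_private= and the overlapping 192.168.200.0/24 can be checked mechanically. The Python below is an added example, not code from Openswan or from either poster: it parses a virtual_private= string the way the quoted ipsec.conf writes it (%v4:NET/LEN entries, '!' marking an exclusion), decides whether a road warrior's inner address would be accepted as a rightsubnet=vhost:%priv virtual address, and lists which server-side LANs overlap the client's local network. The sample values (the virtual_private= line and the two server LANs) are constructed from the thread; the function names and the simplified accept/exclude rule are my own and only approximate pluto's behaviour.

```python
import ipaddress

# Constructed sample values, taken from the virtual_private= line and the
# network description quoted above (not a file that ships with Openswan).
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
                   "%v4:!192.168.214.0/24,%v4:!192.168.200.0/24")
SERVER_LANS = ["192.168.214.0/24", "192.168.200.0/24"]


def parse_virtual_private(value):
    """Split a virtual_private= string into (allowed, excluded) network lists.

    Each entry is %v4:NET/LEN or %v6:NET/LEN; a '!' after the colon marks a
    range that must never be accepted as a client's virtual address.
    """
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        family, sep, net = entry.partition(":")
        if not sep or family not in ("%v4", "%v6"):
            raise ValueError(f"unsupported virtual_private entry: {entry!r}")
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, excluded


def classify_client(client_ip, value=VIRTUAL_PRIVATE):
    """Decide, roughly the way rightsubnet=vhost:%priv does, whether a road
    warrior's inner (pre-NAT) address is an acceptable virtual address.

    Returns 'accepted', 'excluded by <net>' or 'not in any allowed range'.
    Exclusions win over allowed ranges, which is why a 192.168.x client can
    still be refused even though 192.168.0.0/16 is listed as allowed.
    """
    allowed, excluded = parse_virtual_private(value)
    ip = ipaddress.ip_address(client_ip)
    for net in excluded:
        if ip in net:
            return f"excluded by {net}"
    if any(ip in net for net in allowed):
        return "accepted"
    return "not in any allowed range"


def overlapping_server_lans(client_net, server_lans=SERVER_LANS):
    """List the server-side LANs that overlap the client's local network.

    Any overlap makes routing through the tunnel ambiguous, which is the
    reason the server's own LANs are excluded in virtual_private=.
    """
    client = ipaddress.ip_network(client_net, strict=False)
    return [lan for lan in server_lans
            if ipaddress.ip_network(lan).overlaps(client)]


if __name__ == "__main__":
    # The test client in the thread sits in 192.168.200.0/24, which the
    # server also uses, so it is both excluded and overlapping.
    print(classify_client("192.168.200.54"))
    print(overlapping_server_lans("192.168.200.0/24"))
    # A client behind a 10.x home router is accepted and overlaps nothing.
    print(classify_client("10.1.2.3"))
    print(overlapping_server_lans("10.1.2.0/24"))
```

Run with the thread's own test client (192.168.200.54) and the check reports "excluded by 192.168.200.0/24" plus one overlapping server LAN, which is exactly the situation Paul describes: the road warrior's local network collides with the network behind the server, so that client cannot be given a virtual address there no matter how the conn is written.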
