[Openswan Users] FW: strongswan behind NAT problem - L2TP/IPSEC - "cannot respond to IPsec SA request because no connection is known for"

Paul Wouters paul at xelerance.com
Fri Jul 13 12:12:37 EDT 2007


On Fri, 13 Jul 2007, Andrew Lemin wrote:

> In addition to the below, late last night during a mild epiphany I added 'leftsubnet=<SERVER-PUBLIC-IP>/32' to my ipsec.conf in
> addition to the kind suggestions from Paul.
> This seemed to work!!! I no longer get the error 'cannot respond to IPsec SA request because no connection is .....

That is using the virtual_private/nat_traversal code wrongly. Is the server
behind NAT?

> packet from <CLIENT-PUBLIC-IP>:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> IN=eth2 OUT= MAC=00:0d:88:cc:ff:5d:00:14:6c:84:f2:df:08:00 SRC=<CLIENT-PUBLIC-IP> DST=192.168.214.2 LEN=340 TOS=0x00 PREC=0x00 TTL=121 ID=38356 PROTO=UDP SPT=500 DPT=500 LEN=320

Your firewall is (some?) dropping IKE packets.

> IN=eth2 OUT= MAC=00:0d:88:cc:ff:5d:00:14:6c:84:f2:df:08:00 SRC=<CLIENT-PUBLIC-IP> DST=192.168.214.2 LEN=1436 TOS=0x00 PREC=0x00 TTL=121 ID=38361 PROTO=UDP SPT=4500 DPT=4500 LEN=1416

And encapsulated IPsec packets in udp 4500.

> "rt2.monitor.york__GT__andrew.lemin_0"[1] <CLIENT-PUBLIC-IP>:4500 #1: ig noring informational payload, type INVALID_HASH_INFORMATION

I've never seen this error. See if it goes away if you fix your firewall.

Paul
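As an added example (not part of the thread), a small Python helper that parses netfilter LOG lines in the format quoted above, picks out the IPsec flows the firewall is dropping (IKE on UDP 500, NAT-T on UDP 4500, and ESP), and emits the matching iptables ACCEPT rules. The sample lines and addresses are constructed, and the interface name and rule form are assumptions.

```python
import re

# Constructed sample lines in the netfilter LOG format quoted in the thread.
# Addresses are documentation/placeholder values, not from any real host.
SAMPLE_LOG = """\
IN=eth2 OUT= MAC=00:0d:88:cc:ff:5d:00:14:6c:84:f2:df:08:00 SRC=203.0.113.10 DST=192.168.214.2 LEN=340 TOS=0x00 PREC=0x00 TTL=121 ID=38356 PROTO=UDP SPT=500 DPT=500 LEN=320
IN=eth2 OUT= MAC=00:0d:88:cc:ff:5d:00:14:6c:84:f2:df:08:00 SRC=203.0.113.10 DST=192.168.214.2 LEN=1436 TOS=0x00 PREC=0x00 TTL=121 ID=38361 PROTO=UDP SPT=4500 DPT=4500 LEN=1416
IN=eth2 OUT= MAC=00:0d:88:cc:ff:5d:00:14:6c:84:f2:df:08:00 SRC=203.0.113.10 DST=192.168.214.2 LEN=120 TOS=0x00 PREC=0x00 TTL=121 ID=38370 PROTO=ESP SPI=0x12345678
IN=eth2 OUT= MAC=00:0d:88:cc:ff:5d:00:14:6c:84:f2:df:08:00 SRC=203.0.113.10 DST=192.168.214.2 LEN=60 TOS=0x00 PREC=0x00 TTL=121 ID=38380 PROTO=TCP SPT=51234 DPT=22
"""

# KEY=value tokens; an empty value (e.g. "OUT=") is kept as "".
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Turn one LOG line into a dict. LEN appears twice (IP and UDP
    length); the later, transport-layer value wins, which is fine here."""
    return dict(FIELD_RE.findall(line))


def classify_ipsec(fields):
    """Return which IPsec component a dropped packet belongs to, or None
    for traffic unrelated to the tunnel."""
    proto = fields.get("PROTO")
    if proto == "ESP":
        return "esp"
    if proto == "UDP":
        if fields.get("DPT") == "500":
            return "ike"      # ISAKMP / IKE main and quick mode
        if fields.get("DPT") == "4500":
            return "nat-t"    # UDP-encapsulated ESP behind NAT
    return None


def suggest_rules(log_text, iface="eth2"):
    """List the iptables INPUT rules needed for every IPsec flow seen
    dropped in log_text (hypothetical rule form, assumed interface)."""
    needed = {classify_ipsec(parse_netfilter_line(l)) for l in log_text.splitlines()}
    rules = {
        "ike": f"iptables -A INPUT -i {iface} -p udp --dport 500 -j ACCEPT",
        "nat-t": f"iptables -A INPUT -i {iface} -p udp --dport 4500 -j ACCEPT",
        "esp": f"iptables -A INPUT -i {iface} -p esp -j ACCEPT",
    }
    return [rules[k] for k in ("ike", "nat-t", "esp") if k in needed]


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

Feed it the relevant lines from the kernel log (e.g. filtered for `DST=` of the VPN host); the unrelated TCP line in the sample is deliberately ignored.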

