[Openswan Users] FAQ, no connection is known for ...

Paul Wouters paul at xelerance.com
Wed Jul 18 22:14:33 EDT 2007 

On Wed, 18 Jul 2007, Roland Roberts wrote:

> >> Jul 18 16:18:09 tycho pluto[1410]: "rlent"[2] 208.54.65.47 #2: cannot
> >> respond to IPsec SA request because no connection is known for
> >> 192.168.3.0/24===216.254.78.84[@gw.astrofoto.org]...208.54.65.47[@aristarchus.rlent.pnet]===10.250.102.177/32

> > You didn't include your config setup part. Does it include 10.0.0.0/8 in virtual_private?
> > Does it have nat_traversal enabled?
> Sorry, the main config, in its entirety is:

> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=none
>         # plutodebug="control parsing"
>         nat_traversal=yes

> I don't know what virtual_private is :-(  I'm reading the
> README.NAT-Traversal and still don't understand it.  I've added the line
> to my ipsec.conf on the gateway; is that correct?

from man ipsec.conf:

virtual_private contains the networks that are allowed as subnet=
for the remote client. In other words, the address ranges  that
may live behind a NAT router through which a client connects. This
value is usually set to all the RFC-1918 address space, excluding the
space used in the local subnet behind the NAT (An IP address cannot
live at two places  at  once).  IPv4 address  ranges are denoted as
%v4:a.b.c.d/mm and IPv6 is denoted as %v6:aaaa::bbbb:cccc:dddd/mm. One
can exclude sub- nets by using the !. For example, if the VPN server
is giving access to 192.168.1.0/24, this option should be set  to:

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12,%v4:!192.168.1.0/24.

This parameter is only needed on the server side and not on the client
side that resides behind the NAT router, as the client will just use
its  IP address for the inner IP setting. This parameter may eventually
become per-connection.

> > Missing: rightsubnet=vhost:%priv,%no
> I've added this to the conf on the laptop, is that correct?

It needs to go on the server end.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list