[Openswan Users] FAQ, no connection is known for ...
paul at xelerance.com
Wed Jul 18 22:14:33 EDT 2007
On Wed, 18 Jul 2007, Roland Roberts wrote:
> >> Jul 18 16:18:09 tycho pluto: "rlent" 220.127.116.11 #2: cannot
> >> respond to IPsec SA request because no connection is known for
> >> 192.168.3.0/24===18.104.22.168[@gw.astrofoto.org]...22.214.171.124[@aristarchus.rlent.pnet]===10.250.102.177/32
> > You didn't include your config setup part. Does it include 10.0.0.0/8 in virtual_private?
> > Does it have nat_traversal enabled?
> Sorry, the main config, in its entirety is:
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # klipsdebug=none
> # plutodebug="control parsing"
> I don't know what virtual_private is :-( I'm reading the
> README.NAT-Traversal and still don't understand it. I've added the line
> to my ipsec.conf on the gateway; is that correct?
from man ipsec.conf:
virtual_private contains the networks that are allowed as subnet=
for the remote client. In other words, the address ranges that
may live behind a NAT router through which a client connects. This
value is usually set to all the RFC-1918 address space, excluding the
space used in the local subnet behind the NAT (An IP address cannot
live at two places at once). IPv4 address ranges are denoted as
%v4:a.b.c.d/mm and IPv6 is denoted as %v6:aaaa::bbbb:cccc:dddd/mm. One
can exclude sub- nets by using the !. For example, if the VPN server
is giving access to 192.168.1.0/24, this option should be set to:
This parameter is only needed on the server side and not on the client
side that resides behind the NAT router, as the client will just use
its IP address for the inner IP setting. This parameter may eventually
> > Missing: rightsubnet=vhost:%priv,%no
> I've added this to the conf on the laptop, is that correct?
It needs to go on the server end.
Building and integrating Virtual Private Networks with Openswan:
More information about the Users