[Openswan Users] cannot respond to IPsec SA request because no connection is known for
Michael Sund
sundlunchbox at gmail.com
Wed Sep 24 09:31:58 EDT 2008
Hello!
I've been trying to set up a VPN server to connect my iPod touch with.
I'm new to the Linux VPN scene, so please correct me if I'm totally wrong
at any point.
The following setup is my small home network.
iPod with VPN > Internet < DSL modem > openSUSE 11.0 gateway (with Openswan) < NATed workstation
IPs:
iPod: 85.224.X.X
Gateway: eth0 85.224.Y.Y, eth1 13.37.0.1/24
Workstation: eth0 13.37.0.2/24
The goal is to be able to send all my traffic to my home gateway and be
able to access the 13.37.0.0 network.
I've read lots of threads and mailing lists about this, and as far as I've
understood I need a virtual network to assign the 85.224.X.X host to,
like 192.168.10.1 or something similar; this is one of the things that
I'm not very sure how to implement in the config.
The addresses and nets in general being assigned to left and right
is confusing, but left being local addresses and right being my
gateway's IP towards the ISP should be correct?
I've gotten to the point where the connection is established and the
passphrase accepted, but the routes seem to be messed up.
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: responding to Main Mode from unknown peer 85.224.X.X
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: Main mode peer ID is ID_IPV4_ADDR: '85.224.X.X'
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: request to delete a unrouted policy with netkey kernel --- experimental
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: received and ignored informational message
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: the peer proposed: 85.224.Y.Y/32:17/1701 -> 85.224.X.X/32:17/0
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: cannot respond to IPsec SA request because no connection is known for 85.224.Y.Y[+S=C]:17/1701...85.224.X.X[+S=C]:17/49236
pluto[13910]: "L2TP-PSK-NAT"[1] 85.224.X.X #1: sending encrypted notification INVALID_ID_INFORMATION to 85.224.X.X:500
Trying to translate the output, I would guess that the incoming
connection is being accepted but the packets can't be routed further than
my interface towards the ISP, being 85.224.Y.Y. I might be totally
wrong, but that's how I've translated it.
My current config, listed below, is the sample config from
/etc/ipsec.d/examples/l2tp-psk with some changes.
config setup
        protostack=netkey
        uniqueids=yes

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        #
        # Configuration for one user with any type of IPsec/L2TP client
        # including the updated Windows 2000/XP (MS KB Q818043), but
        # excluding the non-updated Windows 2000/XP.
        #
        #
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        #
        # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
        # YourIPAddress %any: "sharedsecret"
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        left=%defaultroute
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "0" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port, but propose "0" instead of their port.
        rightprotoport=17/0

# Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
# connection with. With L2TP clients behind NAT, that's not really what
# you want. The connection below allows both l2tp/ipsec and plaintext
# connections from behind the same NAT router.
# The l2tpd use a leftprotoport, so they are more specific and will be used
# first. Then, packets for the host on different ports and protocols (eg ssh)
# will match this passthrough conn.
conn passthrough-for-non-l2tp
        type=passthrough
        left=85.224.Y.Y
        leftnexthop=%defaultroute
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route

conn ipod
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        rightsubnet=192.168.10.1/255.255.255.255

conn ipod-net
        leftsubnet=13.37.0.0/255.255.255.0
        rightsubnet=192.168.10.1/255.255.255.255
All tips and help are very much appreciated!
Cheers!
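As an added example (not part of Michael's post or of Openswan itself), a small Python check that parses the "the peer proposed" line from a pluto log and tests it against the leftprotoport/rightprotoport/rightsubnet settings of the posted conns, using the port-0 rule the config comment describes. The addresses are constructed RFC 5737 documentation addresses standing in for the redacted 85.224.X.X/85.224.Y.Y, and vhost:%priv is modelled as admitting only RFC 1918 client addresses (an assumption, since the posted config setup sets no virtual_private).

```python
import ipaddress
import re
# Constructed sample: the shape of the "peer proposed" line from the post,
# with the redacted gateway 85.224.Y.Y and iPod 85.224.X.X replaced by
# RFC 5737 documentation addresses.
PLUTO_LINE = ('pluto[13910]: "L2TP-PSK-NAT"[1] 198.51.100.9 #1: the peer '
              'proposed: 203.0.113.5/32:17/1701 -> 198.51.100.9/32:17/0')

# Selector settings as they appear in the posted conns.
CONNS = {
    "L2TP-PSK-NAT": {"leftprotoport": "17/1701", "rightprotoport": "17/0",
                     "rightsubnet": "vhost:%priv"},
    "L2TP-PSK-noNAT": {"leftprotoport": "17/1701", "rightprotoport": "17/0"},
}

SELECTOR = re.compile(r"(\d+\.\d+\.\d+\.\d+)/\d+:(\d+)/(\d+)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_proposal(line):
    """Return [(ip, proto, port)] for 'our side -> peer side' of the line."""
    body = line.split("the peer proposed:", 1)[1]
    return [(ip, int(pr), int(po)) for ip, pr, po in SELECTOR.findall(body)]

def protoport_matches(setting, proto, port):
    """Openswan '<proto>/<port>': 0 or %any in a field accepts anything, so
    rightprotoport=17/0 admits a client on any single UDP port."""
    cproto, cport = setting.split("/")
    if cproto not in ("0", "%any") and int(cproto) != proto:
        return False
    return cport in ("0", "%any") or int(cport) == port

def conn_accepts(conn, proposal):
    """Test one conn's selectors against a parsed proposal: (ok, reasons)."""
    (_, lproto, lport), (rip, rproto, rport) = proposal
    lpp = conn.get("leftprotoport", "0/0")
    rpp = conn.get("rightprotoport", "0/0")
    reasons = []
    if not protoport_matches(lpp, lproto, lport):
        reasons.append(f"leftprotoport={lpp} rejects {lproto}/{lport}")
    if not protoport_matches(rpp, rproto, rport):
        reasons.append(f"rightprotoport={rpp} rejects {rproto}/{rport}")
    # Assumption: vhost:%priv only admits a client address inside the private
    # ranges that virtual_private normally lists (RFC 1918 here).
    if conn.get("rightsubnet", "").startswith("vhost:%priv") and not any(
            ipaddress.ip_address(rip) in n for n in RFC1918):
        reasons.append(f"rightsubnet=vhost:%priv rejects public client {rip}")
    return (not reasons, reasons)
```

Running conn_accepts over each posted conn shows which selector, if any, turns a given proposal away; it does not replace pluto's own matching, which also weighs left/right addresses and IDs.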