[Openswan Users] cannot respond to IPsec SA request because no connection is known for
andrew colin
andrew.colin at gmail.com
Thu Mar 19 03:36:52 EDT 2009
I think you do not have nat traversal enabled that is why.
On Thu, Mar 19, 2009 at 5:54 AM, Janantha Marasinghe
<janantha at techcert.lk> wrote:
> Dear All,
>
> Currently I'm trying to connect to my openswan server. My network setup
> is given below. When I try to connect using a fully up to date SP3
> Windows XP system .. I see the following error in the vpn server's
> secure log
>
> Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: cannot respond to IPsec SA request because no
> connection is known for
> vpn.server.ip<vpn.server.ip>[+S=C]:17/1701...roadwarrior-routerip[@computername-37a9ea,+S=C]:17/1701===172.16.0.9/32
> Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: sending encrypted notification
> INVALID_ID_INFORMATION to roadwarrior-routerip:4500
> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: peer client type is FQDN
> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: Applying workaround for MS-818043 NAT-T bug
> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: IDci was FQDN: \300\370\010k, using
> NAT_OA=172.16.0.9/32 as IDci
> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: the peer proposed: vpn.server.ip/32:17/1701 ->
> 172.16.0.9/32:17/1701
> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: cannot respond to IPsec SA request because no
> connection is known for
> vpn.server.ip<vpn.server.ip>[+S=C]:17/1701...roadwarrior-routerip[@computer-37a9ea,+S=C]:17/1701===172.16.0.9/32
>
>
> private network
> 172.16.0.0/255.255.255.240 --> ADSL Router(NAT enabled)
> ---------Internet--------------OpenswanVPN(Public IP Address)
>
> My IPsec.conf is
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual: ipsec.conf.5
> #
> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # klipsdebug=none
> # plutodebug="control parsing"
> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> protostack=netkey
>
> conn L2TP-PSK
> #
> authby=secret
> pfs=no
> rekey=no
> keyingtries=3
> #
> # ----------------------------------------------------------
> # The VPN server.
> #
> # Allow incoming connections on the external network interface.
> # If you want to use a different interface or if there is no
> # defaultroute, you can use: left=your.ip.addr.ess
> #
> left=public.ip.address.of.vpn.server
> #
> leftprotoport=17/1701
> # If you insist on supporting non-updated Windows clients,
> # you can use: leftprotoport=17/%any
> #
> # ----------------------------------------------------------
> # The remote user(s).
> #
> # Allow incoming connections only from this IP address.
> right=%any
> # If you want to allow multiple connections from any IP address,
> # you can use: right=%any
> #
> rightprotoport=17/1701
> #
> # ----------------------------------------------------------
> # Change 'ignore' to 'add' to enable this configuration.
> #
> auto=add
>
> include /etc/ipsec.d/no_oe.conf
>
> Do I have to put additional information in the ipsec.conf to include
> 172.16.0.0./255.255.255.240 ?
>
> --
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
--
"Dru"
To follow the path, look to the master, follow the master, walk with
the master, see through the master, become the master. (zen)
http://www.topdog.za.net/
More information about the Users
mailing list