[Openswan Users] cannot respond to IPsec SA request because no connection is known for
Catalin Sanda
catalin.sanda at gmail.com
Thu Mar 19 06:36:51 EDT 2009
It might help if you have something like:

config setup
        #......
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn L2TP-PSK
        #.......
        rightsubnet=vhost:%no,%priv

On Thu, Mar 19, 2009 at 10:09 AM, Janantha Marasinghe <janantha at techcert.lk> wrote:
> Thanks Andrew,
>
> I have included nat_traversal=yes in the ipsec.conf and restarted the
> services but still the same!
>
>
>
> andrew colin wrote:
>
> I think you do not have nat traversal enabled that is why.
>
> On Thu, Mar 19, 2009 at 5:54 AM, Janantha Marasinghe <janantha at techcert.lk> wrote:
>
>
> Dear All,
>
> Currently I'm trying to connect to my openswan server. My network setup
> is given below. When I try to connect using a fully up to date SP3
> Windows XP system .. I see the following error in the vpn server's
> secure log
>
> Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: cannot respond to IPsec SA request because no
> connection is known for
> vpn.server.ip<vpn.server.ip>[+S=C]:17/1701...roadwarrior-routerip[@computername-37a9ea,+S=C]:17/1701===172.16.0.9/32
> Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: sending encrypted notification
> INVALID_ID_INFORMATION to roadwarrior-routerip:4500
> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: peer client type is FQDN
> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: Applying workaround for MS-818043 NAT-T bug
> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: IDci was FQDN: \300\370\010k, using
> NAT_OA=172.16.0.9/32 as IDci
> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: the peer proposed: vpn.server.ip/32:17/1701 ->172.16.0.9/32:17/1701
> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
> roadwarrior-routerip #2: cannot respond to IPsec SA request because no
> connection is known for
> vpn.server.ip<vpn.server.ip>[+S=C]:17/1701...roadwarrior-routerip[@computer-37a9ea,+S=C]:17/1701===172.16.0.9/32
>
>
> private network 172.16.0.0/255.255.255.240 --> ADSL Router (NAT enabled)
> --------- Internet -------------- Openswan VPN (Public IP Address)
>
> My IPsec.conf is
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual: ipsec.conf.5
> #
> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # Debug-logging controls: "none" for (almost) none, "all" for lots.
>         # klipsdebug=none
>         # plutodebug="control parsing"
>         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>         protostack=netkey
>
> conn L2TP-PSK
>         #
>         authby=secret
>         pfs=no
>         rekey=no
>         keyingtries=3
>         #
>         # ----------------------------------------------------------
>         # The VPN server.
>         #
>         # Allow incoming connections on the external network interface.
>         # If you want to use a different interface or if there is no
>         # defaultroute, you can use: left=your.ip.addr.ess
>         #
>         left=public.ip.address.of.vpn.server
>         #
>         leftprotoport=17/1701
>         # If you insist on supporting non-updated Windows clients,
>         # you can use: leftprotoport=17/%any
>         #
>         # ----------------------------------------------------------
>         # The remote user(s).
>         #
>         # Allow incoming connections only from this IP address.
>         right=%any
>         # If you want to allow multiple connections from any IP address,
>         # you can use: right=%any
>         #
>         rightprotoport=17/1701
>         #
>         # ----------------------------------------------------------
>         # Change 'ignore' to 'add' to enable this configuration.
>         #
>         auto=add
>
> include /etc/ipsec.d/no_oe.conf
>
> Do I have to put additional information in the ipsec.conf to include
> 172.16.0.0/255.255.255.240 ?
>
> --
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
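
Added example (not part of the thread and not Openswan code): a Python check of whether the client address a NATed peer proposes, taken from the "the peer proposed" log line quoted above, falls inside a virtual_private= list such as the one suggested in the reply. It models %priv as plain range containment with "!" exclusions, which is an assumption about pluto's matching, and the function names are made up for this example.

```python
import ipaddress
import re

# virtual_private= value copied from the reply in this thread.
VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12"

# pluto log line from the original report, with the mail wrapping undone.
LOG_LINE = ('Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4] '
            'roadwarrior-routerip #2: the peer proposed: '
            'vpn.server.ip/32:17/1701 ->172.16.0.9/32:17/1701')


def parse_virtual_private(value):
    """Return (include, exclude) network lists from a virtual_private= value."""
    include, exclude = [], []
    for item in filter(None, (p.strip() for p in value.split(","))):
        m = re.fullmatch(r"%v([46]):(!?)(\S+)", item)
        if not m:
            raise ValueError(f"unrecognised entry: {item!r}")
        net = ipaddress.ip_network(m.group(3))  # rejects host bits set
        if net.version != int(m.group(1)):
            raise ValueError(f"address family mismatch: {item!r}")
        (exclude if m.group(2) else include).append(net)
    return include, exclude


def proposed_client(log_line):
    """Extract the peer-side client subnet from a 'the peer proposed' line."""
    m = re.search(r"the peer proposed: \S+\s*->\s*([0-9.]+/\d+):\d+/\d+",
                  log_line)
    return ipaddress.ip_network(m.group(1)) if m else None


def matches_priv(client, include, exclude):
    """True if client is inside an included range and no excluded one."""
    def inside(nets):
        return any(n.version == client.version and client.subnet_of(n)
                   for n in nets)
    return inside(include) and not inside(exclude)


if __name__ == "__main__":
    client = proposed_client(LOG_LINE)
    for label, value in (("no virtual_private", ""),
                         ("reply's virtual_private", VIRTUAL_PRIVATE)):
        ok = matches_priv(client, *parse_virtual_private(value))
        print(f"{label}: {client} accepted as %priv -> {ok}")
```

An entry written as %v4:!a.b.c.d/mm excludes a range from the list; the parser above puts such entries in the exclude list.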