[Openswan Users] cannot respond to IPsec SA request because no connection is known for

Janantha Marasinghe janantha at techcert.lk
Fri Mar 20 03:27:55 EDT 2009


Thanks Saso.

Works perfectly now!

Saso Tavcar wrote:
> Hi!
>
> I had the same problem also with latest development packages for 
> xl2tpd and openswan.
> PPP session does not start with L2TP+IPsec+PSK client configuration!?
>
> Try with disabled IPsec on Windows XP client.
>
> Run these registry settings and reboot your Windows XP client:
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
> "prohibitipsec"=dword:00000001
>
>
> Regards,
> saso
>
>
> On Mar 20, 2009, at 3:50 AM, Janantha Marasinghe wrote:
>
>> Hello,
>>
>> Yes all my clients are Windows XP (Sp3) . I do use xl2tpd for the 
>> tunnel. The configuration of xl2tpd is
>>
>> [global]
>> [lns default]
>> ip range = 10.8.109.100-10.8.109.110
>> local ip = 10.8.109.65
>> require chap = yes
>> refuse pap = yes
>> require authentication = yes
>> name = LinuxVPNServer
>> ppp debug = yes
>> pppoptfile = /etc/ppp/options.xl2tpd
>> length bit = yes
>>
>> If this doesn't work I'll upgrade the current openswan as well (I see 
>> an update for it for my FC9). Other
>>
>> Catalin Sanda wrote:
>>>
>>> Hello,
>>>
>>> From what I can gather, you are trying to use a Windows 2000+ 
>>> client to
>>> connect to your Linux box. IPsec seems to work, so now you have to 
>>> set up the
>>> l2tp tunnel (I personally use xl2tp).
>>>
>>> Unfortunately the setup you are trying to achieve didn't work for me 
>>> because
>>> of a bug in openswan (see the response to one of my earlier posts), 
>>> so I had
>>> to switch to strongswan which worked.
>>>
>>> Hope this helps,
>>> Catalin
>>>
>>>
>>> On Thu, Mar 19, 2009 at 12:52 PM, Janantha Marasinghe
>>> <janantha at techcert.lk>wrote:
>>>
>>>
>>>>  Hi Catalin,
>>>>
>>>> Thanks for your suggestions. I amended as you stated and now it does go to
>>>> state 2. But after that it gets stuck on the following line written at
>>>> /var/log/secure
>>>>
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x38511bd7
>>>> <0xd834470c xfrm=3DES_0-HMAC_MD5 NATOA=172.16.0.9
>>>> NATD=roadwarrior-routerip:4500 DPD=none}
>>>>
>>>> My Windows clients give the 678 error message. Do I have to change 
>>>> my ADSL
>>>> router firewall configuration? The rest of the transitions are below.
>>>>
>>>> Mar 19 16:16:00 mooshika pluto[32010]: packet from
>>>> roadwarrior-routerip:500: ignoring Vendor ID payload [MS NT5 
>>>> ISAKMPOAKLEY
>>>> 00000004]
>>>> Mar 19 16:16:00 mooshika pluto[32010]: packet from
>>>> roadwarrior-routerip:500: ignoring Vendor ID payload [FRAGMENTATION]
>>>> Mar 19 16:16:00 mooshika pluto[32010]: packet from
>>>> roadwarrior-routerip:500: received Vendor ID payload
>>>> [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
>>>> Mar 19 16:16:00 mooshika pluto[32010]: packet from
>>>> roadwarrior-routerip:500: ignoring Vendor ID payload 
>>>> [Vid-Initial-Contact]
>>>> Mar 19 16:16:00 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: responding to Main Mode from unknown peer roadwarrior-routerip
>>>> Mar 19 16:16:00 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>>>> Mar 19 16:16:00 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: STATE_MAIN_R1: sent MR1, expecting MI2
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: 
>>>> peer is
>>>> NATed
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: STATE_MAIN_R2: sent MR2, expecting MI3
>>>> Mar 19 16:16:01 mooshika pluto[32013]: WARNING: calc_dh_shared(): for
>>>> OAKLEY_GROUP_MODP2048 took 228522 usec
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: Main mode peer ID is ID_FQDN: '@techcert-37a9ea'
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: new NAT mapping for #5, was roadwarrior-routerip:500, now
>>>> roadwarrior-routerip:4500
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established
>>>> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
>>>> group=modp2048}
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: peer client type is FQDN
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: Applying workaround for MS-818043 NAT-T bug
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: IDci was FQDN: \300\370\010k, using NAT_OA=172.16.0.9/32 as IDci
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: the peer proposed: vpn.server.ip/32:17/1701 -> 
>>>> 172.16.0.9/32:17/1701
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for 
>>>> st_skey_ar in
>>>> duplicate_state, please report to dev at openswan.org
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for 
>>>> st_skey_er in
>>>> duplicate_state, please report to dev at openswan.org
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for 
>>>> st_skey_pi in
>>>> duplicate_state, please report to dev at openswan.org
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for 
>>>> st_skey_pr in
>>>> duplicate_state, please report to dev at openswan.org
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #6: responding to Quick Mode proposal {msgid:c1ca4ad8}
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #6:     us: vpn.server.ip<vpn.server.ip>[+S=C]:17/1701
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #6:   them: roadwarrior-routerip[@techcert-37a9ea,+S=C]:17/1701===
>>>> 172.16.0.9/32
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting 
>>>> QI2
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>>> Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] 
>>>> roadwarrior-routerip
>>>> #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x38511bd7
>>>> <0xd834470c xfrm=3DES_0-HMAC_MD5 NATOA=172.16.0.9
>>>> NATD=roadwarrior-routerip:4500 DPD=none}
>>>>
>>>>
>>>>
>>>> Catalin Sanda wrote:
>>>>
>>>> It might help if you have something like:
>>>>
>>>> config setup
>>>>         #......
>>>>         nat_traversal=yes
>>>>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>>>
>>>> conn L2TP-PSK
>>>>         #.......
>>>>         rightsubnet=vhost:%no,%priv
>>>>
>>>>
>>>>
>>>> On Thu, Mar 19, 2009 at 10:09 AM, Janantha 
>>>> Marasinghe <janantha at techcert.lk> wrote:
>>>>
>>>>
>>>>
>>>>   Thanks Andrew,
>>>>
>>>> I have included nat_traversal=yes in the ipsec.conf and restarted the
>>>> services but still the same!
>>>>
>>>>
>>>>
>>>> andrew colin wrote:
>>>>
>>>> I think you do not have nat traversal enabled that is why.
>>>>
>>>> On Thu, Mar 19, 2009 at 5:54 AM, Janantha 
>>>> Marasinghe <janantha at techcert.lk> wrote:
>>>>
>>>>
>>>>  Dear All,
>>>>
>>>> Currently I'm trying to connect to my openswan server. My network 
>>>> setup
>>>> is given below. When I try to connect using a fully up to date SP3
>>>> Windows XP system, I see the following error in the VPN server's
>>>> secure log
>>>>
>>>> Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4]
>>>> roadwarrior-routerip #2: cannot respond to IPsec SA request because no
>>>> connection is known for
>>>> vpn.server.ip<vpn.server.ip>[+S=C]:17/1701...roadwarrior-routerip[@computername-37a9ea,+S=C]:17/1701===172.16.0.9/32 
>>>>
>>>>
>>>> Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4]
>>>> roadwarrior-routerip #2: sending encrypted notification
>>>> INVALID_ID_INFORMATION to roadwarrior-routerip:4500
>>>> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
>>>> roadwarrior-routerip #2: peer client type is FQDN
>>>> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
>>>> roadwarrior-routerip #2: Applying workaround for MS-818043 NAT-T bug
>>>> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
>>>> roadwarrior-routerip #2: IDci was FQDN: \300\370\010k, using
>>>> NAT_OA=172.16.0.9/32 as IDci
>>>> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
>>>> roadwarrior-routerip #2: the peer proposed: 
>>>> vpn.server.ip/32:17/1701 ->172.16.0.9/32:17/1701
>>>> Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
>>>> roadwarrior-routerip #2: cannot respond to IPsec SA request because no
>>>> connection is known for
>>>> vpn.server.ip<vpn.server.ip>[+S=C]:17/1701...roadwarrior-routerip[@computer-37a9ea,+S=C]:17/1701===172.16.0.9/32 
>>>>
>>>>
>>>>
>>>>
>>>> private network 172.16.0.0/255.255.255.240 --> ADSL Router (NAT 
>>>> enabled)
>>>> ---------Internet--------------Openswan VPN (Public IP Address)
>>>>
>>>> My IPsec.conf is
>>>>
>>>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>>> #
>>>> # Manual:     ipsec.conf.5
>>>> #
>>>> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>>>>
>>>> version 2.0     # conforms to second version of ipsec.conf specification
>>>>
>>>> # basic configuration
>>>> config setup
>>>>        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>>>>        # klipsdebug=none
>>>>        # plutodebug="control parsing"
>>>>        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>>>>        protostack=netkey
>>>>
>>>> conn L2TP-PSK
>>>>        #
>>>>        authby=secret
>>>>        pfs=no
>>>>        rekey=no
>>>>        keyingtries=3
>>>>        #
>>>>        # ----------------------------------------------------------
>>>>        # The VPN server.
>>>>        #
>>>>        # Allow incoming connections on the external network interface.
>>>>        # If you want to use a different interface or if there is no
>>>>        # defaultroute, you can use:   left=your.ip.addr.ess
>>>>        #
>>>>        left=public.ip.address.of.vpn.server
>>>>        #
>>>>        leftprotoport=17/1701
>>>>        # If you insist on supporting non-updated Windows clients,
>>>>        # you can use:    leftprotoport=17/%any
>>>>        #
>>>>        # ----------------------------------------------------------
>>>>        # The remote user(s).
>>>>        #
>>>>        # Allow incoming connections only from this IP address.
>>>>        right=%any
>>>>        # If you want to allow multiple connections from any IP address,
>>>>        # you can use:    right=%any
>>>>        #
>>>>        rightprotoport=17/1701
>>>>        #
>>>>        # ----------------------------------------------------------
>>>>        # Change 'ignore' to 'add' to enable this configuration.
>>>>        #
>>>>        auto=add
>>>>
>>>> include /etc/ipsec.d/no_oe.conf
>>>>
>>>> Do I have to put additional information in the ipsec.conf to include
>>>> 172.16.0.0/255.255.255.240 ?
>>>>
>>>> -- 
>>>>
>>>> _______________________________________________
>>>> Users at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/users
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>>
>>>
>>>
>>
>
>

-- 
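The thread's diagnosis can be checked mechanically: pluto logs the road warrior's private address as NAT_OA, and the "no connection is known" error goes away only when nat_traversal is on, that address falls inside virtual_private, and the conn uses rightsubnet=vhost:%no,%priv. The script below is an added example, not code from the thread or from Openswan; the ipsec.conf fragment and the pluto line are constructed from the thread's own values, and the config parser is a deliberately minimal one (it ignores %v4:! exclusions in virtual_private).

```python
import ipaddress
import re
# Constructed sample: the thread's ipsec.conf with the additions Catalin Sanda suggested.
SAMPLE_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn L2TP-PSK
        rightsubnet=vhost:%no,%priv
"""
# Constructed sample pluto line, modelled on the NAT_OA line in the thread.
SAMPLE_LOG = ('Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip '
              '#5: IDci was FQDN: \\300\\370\\010k, using NAT_OA=172.16.0.9/32 as IDci')

def parse_conf(text):
    """Return {section: {key: value}} for a minimal ipsec.conf (comments dropped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line is a section header: 'conn NAME'
            current = line.strip()
            sections[current] = {}
        elif current and "=" in line:
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip()
    return sections

def nat_oa_from_log(line):
    """Extract the NAT_OA (the road warrior's private address) pluto logged, or None."""
    m = re.search(r"NAT_OA=(\d+\.\d+\.\d+\.\d+/\d+)", line)
    return ipaddress.ip_network(m.group(1)) if m else None

def diagnose(conf_text, log_line, conn_name="L2TP-PSK"):
    """List reasons pluto would report 'no connection is known' for this NATed peer."""
    conf = parse_conf(conf_text)
    setup, conn = conf.get("config setup", {}), conf.get(f"conn {conn_name}", {})
    problems = []
    if setup.get("nat_traversal") != "yes":
        problems.append("nat_traversal is not enabled")
    allowed = [ipaddress.ip_network(p[4:]) for p in setup.get("virtual_private", "").split(",")
               if p.startswith("%v4:") and not p.startswith("%v4:!")]  # %v4:! exclusions ignored
    nat_oa = nat_oa_from_log(log_line)
    if nat_oa and not any(nat_oa.subnet_of(n) for n in allowed):
        problems.append(f"{nat_oa} is not covered by virtual_private")
    if "%priv" not in conn.get("rightsubnet", ""):
        problems.append(f"conn {conn_name} has no rightsubnet=vhost:%no,%priv")
    return problems
```

Running diagnose() against the thread's original ipsec.conf (no nat_traversal, no virtual_private, no rightsubnet) reports all three problems; against the amended one it reports none.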