[Openswan Users] cannot respond to IPsec SA request because no connection is known
Brian Drake
briandrake83 at gmail.com
Sat Apr 10 14:32:15 EDT 2010
Hi, I'm trying to set up an L2TP/IPsec server using openswan/xl2tpd. Here is my network topology:

REM.OTE.NET.0/24===vpn server (REM.OTE.NET.178)=== internet === (HO.ME.NET.254) NAT DEVICE (192.168.1.0/24) === client (192.168.1.63)

When I try to connect from my client (Mac OS X 10.5), the connection fails and I get "cannot respond to IPsec SA request because no connection is known for..." messages on the server side. I've tried several setups on the server, based on several howtos and other messages found on the web, but the result is always the same.

If someone could help, I'm surely missing something but I can't figure out what...

thx
Brian
/etc/ipsec.conf is as follows:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:!REM.OTE.NET.0/24
    oe=off
    nhelpers=1
    interfaces=%defaultroute

conn roadwarrior-l2tp
    type=transport
    authby=secret
    left=REM.OTE.NET.178
    leftsubnet=REM.OTE.NET.0/24
    leftprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    rightsubnetwithin=192.168.1.0/24
    right=%any
    rightprotoport=17/0
    pfs=no
    auto=add
[root@vpn ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 REM.OTE.NET.178
000 interface eth0/eth0 REM.OTE.NET.178
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 1 subnet: REM.OTE.NET.0/24
000 WARNING: Either virtual_private= was not specified, or there was a syntax
000 error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "roadwarrior-l2tp": REM.OTE.NET.0/24===REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/1701...%virtual[+S=C]:17/0===?; unrouted; eroute owner: #0
000 "roadwarrior-l2tp": myip=unset; hisip=unset;
000 "roadwarrior-l2tp": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior-l2tp": policy: PSK+ENCRYPT+IKEv2ALLOW+lKOD+rKOD; prio: 24,32; interface: eth0;
000 "roadwarrior-l2tp": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
/var/log/secure:

Apr 10 19:55:17 vpn ipsec__plutorun: Starting Pluto subsystem...
Apr 10 19:55:17 vpn pluto[30646]: nss directory plutomain: /etc/ipsec.d
Apr 10 19:55:17 vpn pluto[30646]: NSS Initialized
Apr 10 19:55:17 vpn pluto[30646]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Apr 10 19:55:17 vpn pluto[30646]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Apr 10 19:55:17 vpn pluto[30646]: Starting Pluto (Openswan Version 2.6.21; Vendor ID OE~q\177kZNr}Wk) pid:30646
Apr 10 19:55:17 vpn pluto[30646]: Setting NAT-Traversal port-4500 floating to on
Apr 10 19:55:17 vpn pluto[30646]: port floating activation criteria nat_t=1/port_float=1
Apr 10 19:55:17 vpn pluto[30646]: including NAT-Traversal patch (Version 0.6c)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: starting up 1 cryptographic helpers
Apr 10 19:55:17 vpn pluto[30646]: main fd(10) helper fd(11)
Apr 10 19:55:17 vpn pluto[30646]: started helper (thread) pid=1102211392 (fd:10)
Apr 10 19:55:17 vpn pluto[30646]: Using Linux 2.6 IPsec interface code on 2.6.18-164.15.1.el5xen (experimental code)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_add(): ERROR: Algorithm already exists
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_add(): ERROR: Algorithm already exists
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_add(): ERROR: Algorithm already exists
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_add(): ERROR: Algorithm already exists
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_add(): ERROR: Algorithm already exists
Apr 10 19:55:17 vpn pluto[30646]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Apr 10 19:55:17 vpn pluto[30646]: Changed path to directory '/etc/ipsec.d/cacerts'
Apr 10 19:55:17 vpn pluto[30646]: loaded CA cert file 'cakey.pem' (963 bytes)
Apr 10 19:55:17 vpn pluto[30646]: no passphrase available
Apr 10 19:55:17 vpn pluto[30646]: Could not change to directory '/etc/ipsec.d/aacerts': /
Apr 10 19:55:17 vpn pluto[30646]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Apr 10 19:55:17 vpn pluto[30646]: Changing to directory '/etc/ipsec.d/crls'
Apr 10 19:55:17 vpn pluto[30646]: loaded crl file 'crl.pem' (499 bytes)
Apr 10 19:55:17 vpn pluto[30646]: crl issuer cacert not found for (file:///etc/ipsec.d/crls/crl.pem)
Apr 10 19:55:17 vpn pluto[30646]: added connection description "roadwarrior-l2tp"
Apr 10 19:55:17 vpn pluto[30646]: listening for IKE messages
Apr 10 19:55:17 vpn pluto[30646]: adding interface eth0/eth0 REM.OTE.NET.178:500
Apr 10 19:55:17 vpn pluto[30646]: adding interface eth0/eth0 REM.OTE.NET.178:4500
Apr 10 19:55:17 vpn pluto[30646]: adding interface lo/lo 127.0.0.1:500
Apr 10 19:55:17 vpn pluto[30646]: adding interface lo/lo 127.0.0.1:4500
Apr 10 19:55:17 vpn pluto[30646]: adding interface lo/lo ::1:500
Apr 10 19:55:17 vpn pluto[30646]: loading secrets from "/etc/ipsec.secrets"
Apr 10 19:55:17 vpn pluto[30646]: loading secrets from "/etc/ipsec.d/hostname.secrets"
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: received Vendor ID payload [RFC 3947] method set to=109
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Apr 10 19:56:18 vpn pluto[30646]: packet from HO.ME.NET.254:500: received Vendor ID payload [Dead Peer Detection]
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: responding to Main Mode from unknown peer HO.ME.NET.254
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Apr 10 19:56:18 vpn pluto[30646]: pluto_do_crypto: helper (0) is exiting
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 10 19:56:18 vpn pluto[30646]: pluto_do_crypto: helper (0) is exiting
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.63'
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[1] HO.ME.NET.254 #1: switched from "roadwarrior-l2tp" to "roadwarrior-l2tp"
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: deleting connection "roadwarrior-l2tp" instance with peer HO.ME.NET.254 {isakmp=#0/ipsec=#0}
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: new NAT mapping for #1, was HO.ME.NET.254:500, now HO.ME.NET.254:4500
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Apr 10 19:56:18 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: received and ignored informational message
Apr 10 19:56:19 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: the peer proposed: REM.OTE.NET.178/32:17/1701 -> 192.168.1.63/32:17/0
Apr 10 19:56:19 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: cannot respond to IPsec SA request because no connection is known for REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/1701...HO.ME.NET.254[192.168.1.63,+S=C]:17/49470===192.168.1.63/32
Apr 10 19:56:19 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: sending encrypted notification INVALID_ID_INFORMATION to HO.ME.NET.254:4500
Apr 10 19:56:29 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: the peer proposed: REM.OTE.NET.178/32:17/1701 -> 192.168.1.63/32:17/0
Apr 10 19:56:29 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: cannot respond to IPsec SA request because no connection is known for REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/1701...HO.ME.NET.254[192.168.1.63,+S=C]:17/49470===192.168.1.63/32
Apr 10 19:56:29 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: sending encrypted notification INVALID_ID_INFORMATION to HO.ME.NET.254:4500
Apr 10 19:56:39 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: the peer proposed: REM.OTE.NET.178/32:17/1701 -> 192.168.1.63/32:17/0
Apr 10 19:56:39 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: cannot respond to IPsec SA request because no connection is known for REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/1701...HO.ME.NET.254[192.168.1.63,+S=C]:17/49470===192.168.1.63/32
Apr 10 19:56:39 vpn pluto[30646]: "roadwarrior-l2tp"[2] HO.ME.NET.254 #1: sending encrypted notification INVALID_ID_INFORMATION to HO.ME.NET.254:4500
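Editor's note on the failure shown above, with an added example that is not part of the original post and not Openswan's own code. The status output already names the problem: virtual_private= only lists a disallowed subnet, so "%priv" has "allowed 0 subnets" and pluto warns that rightsubnet=%priv cannot work. The Quick Mode proposal the Mac sends is REM.OTE.NET.178/32:17/1701 -> 192.168.1.63/32:17/0, i.e. host-to-host (transport mode) between the server address and the client's pre-NAT address. The conn cannot match that on either side: leftsubnet=REM.OTE.NET.0/24 is a /24, not the server /32, and the right side needs 192.168.1.63 to be inside an allowed virtual_private range, which is empty; vhost:%no cannot match either, because it means the peer's own address as seen by the server (HO.ME.NET.254), not the pre-NAT 192.168.1.63. The script below models that selector matching against the posted conn and against a corrected one (no leftsubnet=, virtual_private= listing the RFC 1918 ranges clients may sit behind, minus the server's own LAN). It is a simplified model of pluto's lookup, not pluto's code; the public addresses are assumptions from the documentation ranges (203.0.113.178 standing in for REM.OTE.NET.178, 198.51.100.254 for HO.ME.NET.254), and the two ipsec.conf excerpts and the log line are constructed from the post.

```python
"""Model of why pluto answers "no connection is known" to the L2TP client's
Quick Mode proposal, and why the corrected conn matches.

Added example, not from the original post or from Openswan. Public addresses
are assumptions (documentation ranges): 203.0.113.178 = REM.OTE.NET.178,
198.51.100.254 = HO.ME.NET.254. The conf excerpts keep only the keywords
this check reads.
"""
import ipaddress
import re

# Constructed: the posted conn, reduced to the keywords that matter here.
POSTED_CONF = """\
config setup
    virtual_private=%v4:!203.0.113.0/24
conn roadwarrior-l2tp
    type=transport
    left=203.0.113.178
    leftsubnet=203.0.113.0/24
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%no,%priv
    rightsubnetwithin=192.168.1.0/24
    rightprotoport=17/0
"""

# Constructed: the corrected conn. No leftsubnet= (transport mode protects
# traffic to the host itself), and virtual_private= ALLOWS the private ranges
# a NATed client can come from while still excluding the server's own LAN.
FIXED_CONF = """\
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!203.0.113.0/24
conn roadwarrior-l2tp
    type=transport
    left=203.0.113.178
    leftprotoport=17/1701
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/0
"""

# Constructed from the post: the proposal pluto logged, and the NAT device's
# public address (assumption) that vhost:%no would compare against.
PEER_PROPOSAL = "the peer proposed: 203.0.113.178/32:17/1701 -> 192.168.1.63/32:17/0"
PEER_PUBLIC_IP = "198.51.100.254"


def parse_conf(text):
    """Minimal key=value reader; section headers and comments are skipped."""
    kv = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip()
    return kv


def parse_virtual_private(spec):
    """Split virtual_private= into (allowed, disallowed) IPv4 network lists."""
    allowed, disallowed = [], []
    for item in filter(None, spec.split(",")):
        family, _, net = item.partition(":")
        if family != "%v4":        # %v6 entries are ignored in this model
            continue
        target = disallowed if net.startswith("!") else allowed
        target.append(ipaddress.ip_network(net.lstrip("!")))
    return allowed, disallowed


def priv_allows(client, allowed, disallowed):
    """%priv matches iff the client is in an allowed net and in no disallowed net."""
    return any(client in n for n in allowed) and not any(client in n for n in disallowed)


def parse_proposal(line):
    """Pull both traffic selectors out of pluto's 'the peer proposed:' line."""
    m = re.search(r"proposed: ([\d./]+):(\d+)/(\d+) -> ([\d./]+):(\d+)/(\d+)", line)
    return {"left": ipaddress.ip_network(m.group(1)), "lproto": int(m.group(2)),
            "lport": int(m.group(3)), "right": ipaddress.ip_network(m.group(4)),
            "rproto": int(m.group(5)), "rport": int(m.group(6))}


def protoport(spec):
    proto, port = spec.split("/")
    return int(proto), int(port)


def evaluate(conf_text, proposal_line, peer_ip=PEER_PUBLIC_IP):
    """Return (matches, reasons): does the conn cover the proposed selectors?"""
    kv = parse_conf(conf_text)
    p = parse_proposal(proposal_line)
    reasons = []
    # Left: without leftsubnet= a transport conn covers the server host (/32).
    left_net = ipaddress.ip_network(kv.get("leftsubnet", kv["left"] + "/32"))
    if p["left"] != left_net:
        reasons.append(f"left selector {p['left']} does not match conn {left_net}")
    if (p["lproto"], p["lport"]) != protoport(kv.get("leftprotoport", "0/0")):
        reasons.append("leftprotoport mismatch")
    if (p["rproto"], p["rport"]) != protoport(kv.get("rightprotoport", "0/0")):
        reasons.append("rightprotoport mismatch")
    # Right: vhost:%no = the peer's own (post-NAT) address; vhost:%priv = any
    # single address inside virtual_private's allowed-minus-disallowed set.
    spec = kv.get("rightsubnet", "")
    modes = spec[len("vhost:"):].split(",") if spec.startswith("vhost:") else []
    allowed, disallowed = parse_virtual_private(kv.get("virtual_private", ""))
    client = p["right"].network_address
    right_ok = p["right"].prefixlen == 32 and (
        ("%no" in modes and client == ipaddress.ip_address(peer_ip))
        or ("%priv" in modes and priv_allows(client, allowed, disallowed)))
    if not right_ok:
        reasons.append(f"right selector {p['right']} matches neither %no ({peer_ip}) "
                       f"nor %priv (virtual_private allows {len(allowed)} subnets)")
    return not reasons, reasons


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        ok, why = evaluate(conf, PEER_PROPOSAL)
        print(name, "matches" if ok else "no connection is known:", *why, sep="\n  ")
```

Run it and the posted conn fails on both selectors while the fixed conn matches; the same two checks are what to read off "ipsec auto --status" on a real box: the "virtual_private (%priv): allowed N subnets" count must be non-zero, and the conn's left side should print as the host address rather than a subnet for a transport-mode L2TP conn.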