[Openswan Users] cannot respond to IPsec SA request because no connection is known
Bob Miller
bob at computerisms.ca
Mon Apr 12 19:07:34 EDT 2010
Hi Brian,
>
> # basic configuration
> config setup
> protostack=netkey
> nat_traversal=yes
> virtual_private=%v4:!REM.OTE.NET.0/24
Not sure about this; I think you still have to have the remote subnets
that are allowed, as well as the ones that are disallowed, but I don't
know for sure. All of my virtual_private configs are like so:
virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.123.0/24
> oe=off
> nhelpers=1
I don't believe this is necessary, I do not have it in any of my
configs. However, it *probably* isn't doing any harm either...
> interfaces=%defaultroute
>
> conn roadwarrior-l2tp
> type=transport
> authby=secret
> left=REM.OTE.NET.178
> leftsubnet=REM.OTE.NET.0/24
I could be wrong, but I do not believe leftsubnet is necessary for road
warriors so much as for net-to-net configs. My l2tp configs do not use
this entry.
I would, however, add a leftnexthop entry; I believe that would be
mandatory for a working config.
> leftprotoport=17/1701
> rightsubnet=vhost:%no,%priv
> rightsubnetwithin=192.168.1.0/24
I believe rightsubnetwithin is deprecated, and I do not have it in any
of my working configs.
> right=%any
> rightprotoport=17/0
> pfs=no
> auto=add
>
I recently just had an argument with one firewall using a Windows L2TP
client; the change that made it work was to use leftprotoport 17/0 and
rightprotoport 17/%any. I think Mac is different though; I seem to
recall Paul saying that you could use 17/%any on both right and left to
accommodate Macs and Windows simultaneously, but that definitely broke
the Windows config when I tried it last week...
Good luck...
Bob Miller
334-7117/633-3760
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
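Added illustration (not from the thread and not Openswan's own code) of the virtual_private point raised above: the list has to name the private networks a NAT-ed road warrior is allowed to come from, and a leading `!` only excludes a network from that set. The parsing rules below are an assumption drawn from the thread's description, and the 203.0.113.0/24 network stands in for the redacted REM.OTE.NET.0/24 as a constructed placeholder; the checker shows that an exclusion-only setting permits no client address at all, while the allow-plus-exclude form admits RFC 1918 clients except those on the excluded LAN.

```python
"""Evaluate an Openswan-style virtual_private value against a road-warrior's
source address.  Added example, not Openswan's code: the semantics (allowed
networks listed, '!' marks excluded ones) are assumed from the mailing-list
discussion, not taken from the Openswan sources."""

import ipaddress

# Constructed stand-in for the redacted REM.OTE.NET.0/24 from the thread.
ORIGINAL_SETTING = "%v4:!203.0.113.0/24"

# The form Bob says all of his working configs use.
ALLOW_AND_EXCLUDE = (
    "%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,"
    "%v4:!192.168.123.0/24"
)


def parse_virtual_private(value):
    """Split a virtual_private string into (allowed, excluded) network lists.

    Each comma-separated token is '%v4:' or '%v6:' followed by a CIDR block;
    a '!' directly before the block marks it as excluded rather than allowed.
    """
    allowed, excluded = [], []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        if ":" not in token:
            raise ValueError("expected %%v4:/%%v6: prefix in %r" % token)
        family, block = token.split(":", 1)
        if family not in ("%v4", "%v6"):
            raise ValueError("unknown address family %r" % family)
        negate = block.startswith("!")
        network = ipaddress.ip_network(block.lstrip("!"), strict=False)
        (excluded if negate else allowed).append(network)
    return allowed, excluded


def client_permitted(value, client_ip):
    """True if client_ip lies inside some allowed network and no excluded one.

    An exclusion never grants anything on its own: with no allowed networks
    listed, every client address is refused, which is why an exclusion-only
    virtual_private leaves NAT-ed road warriors without a usable connection.
    """
    allowed, excluded = parse_virtual_private(value)
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in allowed)


def explain(value, client_ip):
    """Return a one-line verdict suitable for reading alongside the config."""
    verdict = "permitted" if client_permitted(value, client_ip) else "refused"
    return "%s behind NAT is %s by virtual_private=%s" % (client_ip, verdict, value)


if __name__ == "__main__":
    # Constructed client addresses: a 10/8 host, a host on the excluded LAN,
    # an ordinary 192.168 host and a public address.
    for client in ("10.1.2.3", "192.168.123.5", "192.168.1.7", "198.51.100.9"):
        print(explain(ORIGINAL_SETTING, client))
        print(explain(ALLOW_AND_EXCLUDE, client))
```

Run it stand-alone to see the two settings side by side; the exclusion-only string refuses every client, while the allow-plus-exclude string admits the 10/8 and 192.168.1/24 hosts, refuses the 192.168.123/24 host, and still refuses the public address because it is not in any listed range.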