[Openswan Users] cannot respond to IPsec SA request because no connection is known

Brian Drake briandrake83 at gmail.com
Tue Apr 13 10:06:37 EDT 2010


Hi, thanks for the answers so far. I didn't manage to solve my problem, but
things are getting a little clearer.

I changed my config; as a matter of fact, leftsubnet seems not to be
necessary for a roadwarrior. Here's my new /etc/ipsec.conf file:

version 2.0
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!REM.OTE.NET.0/24
        oe=off
        protostack=netkey

conn roadwarrior-l2tp
#       type=transport
        authby=secret
        right=REM.OTE.NET.178
        rightsubnet=REM.OTE.NET.0/24
        rightnexthop=%defaultroute
        left=%any
        leftprotoport=17/1701
        rightprotoport=17/0
        pfs=no
        auto=add

Here's part of "ipsec auto --status" output after the connection fails:

000 "roadwarrior-l2tp": REM.OTE.NET.0/24===REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/0---REM.OTE.NET.1...%any[+S=C]:17/1701; unrouted; eroute owner: #0
000 "roadwarrior-l2tp":     myip=unset; hisip=unset;
000 "roadwarrior-l2tp":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior-l2tp":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+lKOD+rKOD; prio: 24,32; interface: eth0;
000 "roadwarrior-l2tp":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-l2tp"[2]: REM.OTE.NET.0/24===REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/0---REM.OTE.NET.1...LO.CAL.NET.254[192.168.1.63,+S=C]:17/1701; unrouted; eroute owner: #0
000 "roadwarrior-l2tp"[2]:     myip=unset; hisip=unset;
000 "roadwarrior-l2tp"[2]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior-l2tp"[2]:   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+lKOD+rKOD; prio: 24,32; interface: eth0;
000 "roadwarrior-l2tp"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "roadwarrior-l2tp"[2]:   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024

000 #1: "roadwarrior-l2tp"[2] LO.CAL.NET.254:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2192s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set


I don't understand what's wrong there. If I compare

000 "roadwarrior-l2tp": REM.OTE.NET.0/24===REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/0---REM.OTE.NET.1...%any[+S=C]:17/1701; unrouted; eroute owner: #0

and

000 "roadwarrior-l2tp"[2]: REM.OTE.NET.0/24===REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/0---REM.OTE.NET.1...LO.CAL.NET.254[192.168.1.63,+S=C]:17/1701; unrouted; eroute owner: #0

I would say that these two lines seem to match, but I'm still getting those
messages:

Apr 13 15:33:11 vpn pluto[23822]: "roadwarrior-l2tp"[2] LO.CAL.NET.254 #3: cannot respond to IPsec SA request because no connection is known for REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/1701...LO.CAL.NET.254[192.168.1.63,+S=C]:17/49383===192.168.1.63/32

I tried to upgrade to Openswan version 2.6.25 and tried to install the VPN
server on another host (my last attempt was on a Xen DomU; to avoid any
possible issue with Xen, this time I installed my VPN server directly on a
PC without virtualization). I tried to connect from an iPhone and also from an XP
client, but the problem remains: I'm always getting the same error messages
on the server.

From "ipsec auto --status" I see that we have reached STATE_MAIN_R3. What's
the next step? Is it a problem with user authentication? The step
involving the PSK seems to be OK, as when I set a wrong shared secret on the
client side I get a completely different error message.

Regards,

Brian
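The selector comparison behind that pluto message, as an added example that is neither Openswan's code nor part of the post: it parses the connection selector from the status output and the selector from the "no connection is known for" line quoted above, and lists the fields on which they differ. The wildcard rules (port 0, i.e. 17/%any in ipsec.conf, and a %any peer) are a simplification of pluto's matching; on the lines above it reports the server end's subnet (REM.OTE.NET.0/24 against the bare host) and the client end's port (17/1701 against 17/49383).

```python
import re

# Constructed from the post above: the connection line that "ipsec auto --status"
# printed, and the selector pluto printed in its "no connection is known for" message.
STATUS_LINE = ('REM.OTE.NET.0/24===REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/0'
               '---REM.OTE.NET.1...%any[+S=C]:17/1701')
REQUEST_LINE = ('REM.OTE.NET.178<REM.OTE.NET.178>[+S=C]:17/1701'
                '...LO.CAL.NET.254[192.168.1.63,+S=C]:17/49383===192.168.1.63/32')

# One end of a pluto selector: [subnet===]host[<id>][flags]:proto/port[---nexthop][===subnet]
_END = re.compile(r'^(?:(?P<lsub>[^=]+)===)?(?P<host>[^<\[:]+)(?:<[^>]*>)?(?:\[[^\]]*\])?'
                  r':(?P<proto>\d+)/(?P<port>\d+)(?:---[^=]+)?(?:===(?P<rsub>.+))?$')

def parse_end(text):
    """Return host, subnet, proto and port for one end; a missing subnet means the host itself."""
    m = _END.match(text)
    if not m:
        raise ValueError('unrecognised selector end: ' + text)
    host = m.group('host')
    return {'host': host, 'subnet': m.group('lsub') or m.group('rsub') or host,
            'proto': int(m.group('proto')), 'port': int(m.group('port'))}

def parse_selector(line):
    """Split 'local...remote' and parse both ends."""
    local, remote = line.split('...', 1)
    return parse_end(local), parse_end(remote)

def selector_mismatches(conn_line, request_line):
    """List the fields on which an IPsec SA request does not fit a connection.
    Simplified from pluto's matching: port 0 (written 17/%any in ipsec.conf) accepts
    any port, and a %any end accepts any peer, whose client subnet is then governed by
    virtual_private rather than compared here."""
    problems = []
    for side, conn, req in zip(('local', 'remote'), parse_selector(conn_line), parse_selector(request_line)):
        if conn['host'] != '%any':
            if conn['host'] != req['host']:
                problems.append(f"{side} host: conn {conn['host']} != request {req['host']}")
            if conn['subnet'] != req['subnet']:
                problems.append(f"{side} subnet: conn {conn['subnet']} != request {req['subnet']}")
        if conn['proto'] != req['proto']:
            problems.append(f"{side} protocol: conn {conn['proto']} != request {req['proto']}")
        elif conn['port'] not in (0, req['port']):
            problems.append(f"{side} port: conn {conn['port']} != request {req['port']}")
    return problems

if __name__ == '__main__':
    for p in selector_mismatches(STATUS_LINE, REQUEST_LINE):
        print(p)
```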