[Openswan Users] Roadwarrior laptop fails connecting with "cannot respond to IPsec SA request because no connection is known"
Mike A. Leonetti
mleonetti at evolutionce.com
Wed May 5 22:18:20 EDT 2010
When trying to connect my laptop (Linux/OpenSWAN) to another Linux/OpenSWAN machine it never initiates the connexion.

Roadwarrior laptop config:

conn road
    left=%defaultroute
    leftid=@afterthought
    right=y.y.y.y
    rightsubnet=10.0.0.0/24
    rightid=@youjinbou
    auto=add
    leftrsasigkey=0sAQNo4...
    rightrsasigkey=0sAQPDoax...

Gateway config:

conn road
    right=%any
    rightid=@afterthought
    rightnexthop=%defaultroute
    left=y.y.y.y
    leftsubnet=10.0.0.0/24
    leftid=@youjinbou
    auto=add
    rightrsasigkey=0sAQNo4UPr...
    leftrsasigkey=0sAQPDoaxs...

Roadwarrior laptop log:

104 "road" #1: STATE_MAIN_I1: initiate
003 "road" #1: received Vendor ID payload [Openswan (this version) 2.6.23 ]
003 "road" #1: received Vendor ID payload [Dead Peer Detection]
003 "road" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "road" #1: received Vendor ID payload [CAN-IKEv2]
004 "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "road" #2: STATE_QUICK_I1: initiate

Gateway log:

May 5 22:12:17 youjinbou pluto[14593]: packet from x.x.x.x:500: received and ignored informational message
May 5 22:12:32 youjinbou pluto[14593]: packet from x.x.x.x:500: received Vendor ID payload [Openswan (this version) 2.6.23 ]
May 5 22:12:32 youjinbou pluto[14593]: packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection]
May 5 22:12:32 youjinbou pluto[14593]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947] method set to=109
May 5 22:12:32 youjinbou pluto[14593]: packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
May 5 22:12:32 youjinbou pluto[14593]: packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
May 5 22:12:32 youjinbou pluto[14593]: packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
May 5 22:12:32 youjinbou pluto[14593]: packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: responding to Main Mode from unknown peer x.x.x.x
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: STATE_MAIN_R1: sent MR1, expecting MI2
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: STATE_MAIN_R2: sent MR2, expecting MI3
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: Main mode peer ID is ID_FQDN: '@afterthought'
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: new NAT mapping for #7, was x.x.x.x:500, now x.x.x.x:4500
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: the peer proposed: 10.0.0.0/24:0/0 -> 192.168.1.101/32:0/0
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: cannot respond to IPsec SA request because no connection is known for 10.0.0.0/24===y.y.y.y<y.y.y.y>[@youjinbou,+S=C]...x.x.x.x[@afterthought,+S=C]===192.168.1.101/32
May 5 22:12:32 youjinbou pluto[14593]: "road"[4] x.x.x.x #7: sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:4500
Thanks.
--
Mike A. Leonetti
As warm as green tea
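
Added example, not part of the original post and not Openswan code: a short Python check that reads pluto's "the peer proposed" line and compares both traffic selectors with what the gateway's conn accepts. The log lines are constructed from the post, with 203.0.113.7 and 198.51.100.1 standing in for the redacted x.x.x.x and y.y.y.y; check_quick_mode and GATEWAY_CONNS are hypothetical names, and the rule that a conn without a peer subnet covers only the peer's own address /32 is taken from ipsec.conf(5).

```python
import ipaddress
import re

# Constructed sample: the two Quick Mode lines from the gateway log, with the
# redacted x.x.x.x / y.y.y.y replaced by documentation addresses (assumption).
SAMPLE_LOG = (
    'May 5 22:12:32 youjinbou pluto[14593]: "road"[4] 203.0.113.7 #7: the peer '
    'proposed: 10.0.0.0/24:0/0 -> 192.168.1.101/32:0/0\n'
    'May 5 22:12:32 youjinbou pluto[14593]: "road"[4] 203.0.113.7 #7: cannot '
    'respond to IPsec SA request because no connection is known for '
    '10.0.0.0/24===198.51.100.1<198.51.100.1>[@youjinbou,+S=C]...'
    '203.0.113.7[@afterthought,+S=C]===192.168.1.101/32\n'
)

# Gateway "conn road" from the post: leftsubnet is set, rightsubnet is not.
GATEWAY_CONNS = {"road": {"local_subnet": "10.0.0.0/24", "peer_subnet": None}}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PROPOSED = re.compile(
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #\d+: the peer proposed: '
    r'(?P<ours>[\d.]+/\d+):\S+ -> (?P<theirs>[\d.]+/\d+):\S+')

def check_quick_mode(log, conns):
    """Compare each proposed selector pair with the named conn's subnets."""
    findings = []
    for m in PROPOSED.finditer(log):
        conn = conns[m["conn"]]
        peer_ip = ipaddress.ip_address(m["peer"])
        ours = ipaddress.ip_network(m["ours"])
        theirs = ipaddress.ip_network(m["theirs"])
        # No peer subnet configured: only the peer's own address is covered.
        expected = ipaddress.ip_network(conn["peer_subnet"] or f"{peer_ip}/32")
        findings.append({
            "conn": m["conn"],
            "local_ok": ours == ipaddress.ip_network(conn["local_subnet"]),
            "peer_ok": theirs == expected,
            "proposed_peer_subnet": str(theirs),
            "expected_peer_subnet": str(expected),
            # Peer offered an RFC 1918 address that is not the address we see.
            "private_behind_nat": peer_ip not in theirs
            and any(theirs.subnet_of(n) for n in RFC1918),
        })
    return findings

if __name__ == "__main__":
    for finding in check_quick_mode(SAMPLE_LOG, GATEWAY_CONNS):
        print(finding)
```

For the log in the post this reports that the local selector matches but the laptop offered its private address 192.168.1.101/32, which a conn with right=%any and no rightsubnet does not cover. Openswan's documented way to accept such NATed clients is rightsubnet=vhost:%priv on the gateway together with a virtual_private= list in config setup.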