[Openswan Users] Help configuring simple IPSec from Linux to Windows - "cannot respond to IPsec SA request because no connection is known"

Paddy Doyle paddy at tchpc.tcd.ie
Wed Apr 4 13:29:44 EDT 2012


Hi all,

I'm having a problem trying to get IPSec working.

Hopefully this is a simple problem to fix - I've probably done something silly
in my configs.

I've tried searching the archives, have checked the FAQs etc and still am
hitting a brick wall.


The scenario:

* local network traffic only - no tunnelling, no NAT, no L2TP
* linux file server (Scientific Linux 6, a RHEL6 clone like Centos6)
  - openswan 2.6.32 installed from rpm - config detailed below
  - ipsec configured to allow all traffic to the Windows IP
  - IP addr 10.1.112.202
* multiple Windows clients (currently testing with a Windows Server 2003, but
  afaik it has the same IPSec stack as XP, Win7 etc)
  - Windows IPSec "Client" policy configured, with custom Filter to only hit the
    Linux IP address, and the default "Require Security" Filter Action (negotiate
    ESP with 3DES+SHA1, or 3DES+MD5, or DES+SHA1, or DES+MD5)
  - Windows firewall disabled
  - IP addr 10.1.112.14
* just trying out a pre-shared key at first (will look to certs or Kerberos later)
* am just testing with ping for now, but would like to have all traffic encrypted
  once that works


The problem: 

* main mode seems to work - they agree the handshake
* quick mode fails with the "cannot respond to IPsec SA request because no
  connection is known" error in the logs


Thanks in advance,
Paddy



IPSec config:

/etc/ipsec.conf:
/------------------------------------------------------------------------------\
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug="none"
        plutodebug="none"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        #nat_traversal=yes
        #virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
\------------------------------------------------------------------------------/


/etc/ipsec.d/server.conf
/------------------------------------------------------------------------------\
conn windoze
        left=10.1.112.202
        leftsubnet=10.1.112.202/32
        right=10.1.112.14
        rightsubnet=10.1.112.14/32
        type=transport
        pfs=no
        auth=esp
        auto=start
        authby=secret
        leftprotoport=17/0
        rightprotoport=17/1701
        esp=3des-sha1
\------------------------------------------------------------------------------/


/etc/ipsec.d/server.secret
/------------------------------------------------------------------------------\
10.1.112.202 10.1.112.14: PSK "password"
\------------------------------------------------------------------------------/


Verify:

[root@linuxhost ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-220.4.1.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [FAILED]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


Policy and state:

[root@linuxhost ~]# ip xfrm policy
src 10.1.112.202/32 dst 10.1.112.14/32 proto udp dport 1701 
        dir out priority 2080 ptype main 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16385 mode transport
src 10.1.112.14/32 dst 10.1.112.202/32 proto udp sport 1701 
        dir in priority 2080 ptype main 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16385 mode transport
src ::/0 dst ::/0 
        dir 4 priority 0 ptype main 
src ::/0 dst ::/0 
        dir 3 priority 0 ptype main 
src ::/0 dst ::/0 
        dir 4 priority 0 ptype main 
src ::/0 dst ::/0 
        dir 3 priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 4 priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 3 priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 4 priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 3 priority 0 ptype main 
[root@linuxhost ~]# ip xfrm state
src 10.1.112.14 dst 10.1.112.202
        proto esp spi 0x308cef66 reqid 16385 mode transport
        replay-window 32 
        auth hmac(sha1) 0x10ac435c4fcb30c45535e1dd001def0fc51449ec
        enc cbc(des3_ede) 0xeda7e5bd1c258c868fbaef51edf4a74edf76ae7e482dac13
        sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 10.1.112.202 dst 10.1.112.14
        proto esp spi 0x3c35fb99 reqid 16385 mode transport
        replay-window 32 
        auth hmac(sha1) 0x8af7bde78b13d9316d79f1160b2a3c38432f5139
        enc cbc(des3_ede) 0x8cd5292d976df06446a727f1bd4a7073b505246692a4f6fe
        sel src 0.0.0.0/0 dst 0.0.0.0/0 



Logs (/var/log/secure):

Apr  4 18:13:07 linuxhost pluto[28341]: packet from 10.1.112.14:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr  4 18:13:07 linuxhost pluto[28341]: packet from 10.1.112.14:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr  4 18:13:07 linuxhost pluto[28341]: packet from 10.1.112.14:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Apr  4 18:13:07 linuxhost pluto[28341]: packet from 10.1.112.14:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr  4 18:13:07 linuxhost pluto[28341]: "windoze" #4: responding to Main Mode
Apr  4 18:13:07 linuxhost pluto[28341]: "windoze" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr  4 18:13:07 linuxhost pluto[28341]: "windoze" #4: STATE_MAIN_R1: sent MR1, expecting MI2
Apr  4 18:13:07 linuxhost pluto[28341]: "windoze" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr  4 18:13:07 linuxhost pluto[28341]: "windoze" #4: STATE_MAIN_R2: sent MR2, expecting MI3
Apr  4 18:13:07 linuxhost pluto[28341]: "windoze" #4: Main mode peer ID is ID_IPV4_ADDR: '10.1.112.14'
Apr  4 18:13:07 linuxhost pluto[28341]: "windoze" #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr  4 18:13:07 linuxhost pluto[28341]: "windoze" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Apr  4 18:13:07 linuxhost pluto[28341]: "windoze" #4: the peer proposed: 10.1.112.202/32:17/0 -> 10.1.112.14/32:17/1701
Apr  4 18:13:07 linuxhost pluto[28341]: "windoze" #4: cannot respond to IPsec SA request because no connection is known for 10.1.112.202<10.1.112.202>[+S=C]:1/0...10.1.112.14<10.1.112.14>[+S=C]:1/0
Apr  4 18:13:07 linuxhost pluto[28341]: "windoze" #4: sending encrypted notification INVALID_ID_INFORMATION to 10.1.112.14:500
Apr  4 18:13:09 linuxhost pluto[28341]: "windoze" #4: the peer proposed: 10.1.112.202/32:17/0 -> 10.1.112.14/32:17/1701
Apr  4 18:13:09 linuxhost pluto[28341]: "windoze" #4: cannot respond to IPsec SA request because no connection is known for 10.1.112.202<10.1.112.202>[+S=C]:1/0...10.1.112.14<10.1.112.14>[+S=C]:1/0
Apr  4 18:13:09 linuxhost pluto[28341]: "windoze" #4: sending encrypted notification INVALID_ID_INFORMATION to 10.1.112.14:500
Apr  4 18:13:11 linuxhost pluto[28341]: "windoze" #4: the peer proposed: 10.1.112.202/32:17/0 -> 10.1.112.14/32:17/1701
Apr  4 18:13:11 linuxhost pluto[28341]: "windoze" #4: cannot respond to IPsec SA request because no connection is known for 10.1.112.202<10.1.112.202>[+S=C]:1/0...10.1.112.14<10.1.112.14>[+S=C]:1/0
Apr  4 18:13:11 linuxhost pluto[28341]: "windoze" #4: sending encrypted notification INVALID_ID_INFORMATION to 10.1.112.14:500


Status:

[root@linuxhost ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface eth1/eth1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 10.1.112.202
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:   
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000 
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,2304} attrs={0,2,1536}
000
000 "windoze": 10.1.112.202/32===10.1.112.202<10.1.112.202>[+S=C]:17/0...10.1.112.14<10.1.112.14>[+S=C]:17/1701===10.1.112.14/32; erouted; eroute owner: #2
000 "windoze":     myip=unset; hisip=unset;
000 "windoze":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "windoze":   policy: PSK+ENCRYPT+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth1;
000 "windoze":   newest ISAKMP SA: #4; newest IPsec SA: #2;
000 "windoze":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "windoze":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; flags=-strict
000 "windoze":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "windoze":   ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=<N/A>
000
000 #2: "windoze":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27854s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "windoze" esp.3c35fb99@10.1.112.14 esp.308cef66@10.1.112.202 ref=0 refhim=4294901761
000 #4: "windoze":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3249s; newest ISAKMP; nodpd; idle; import:not set
000


-- 
Paddy Doyle
Trinity Centre for High Performance Computing,
Lloyd Building, Trinity College Dublin, Dublin 2, Ireland.
Phone: +353-1-896-3725
http://www.tchpc.tcd.ie/
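An added diagnostic, not part of the post and not Openswan's own code: the pluto line "cannot respond to IPsec SA request because no connection is known for ...:1/0...:1/0" names the selector it could not place in any conn, and protocol 1 is ICMP (the ping under test), while the posted conn's leftprotoport=17/0 and rightprotoport=17/1701 restrict it to UDP port 1701, the L2TP-over-IPsec setting. The script below parses the conn section and that log line exactly as they appear above and reports which configured protoport fails to cover the requested selector. It treats protocol 0 and port 0 (or %any) as wildcards, which is how ipsec.conf reads an omitted protoport; the second conn, with the protoport lines removed, is a constructed variant for contrast.

```python
import re
from dataclasses import dataclass

# Conn section and pluto log line copied verbatim from the post above.
CONN_TEXT = """conn windoze
        left=10.1.112.202
        leftsubnet=10.1.112.202/32
        right=10.1.112.14
        rightsubnet=10.1.112.14/32
        type=transport
        pfs=no
        auth=esp
        auto=start
        authby=secret
        leftprotoport=17/0
        rightprotoport=17/1701
        esp=3des-sha1
"""
# Constructed variant: same conn with both protoport lines dropped.
# An omitted protoport means 0/0, i.e. any protocol and any port.
CONN_FIXED = "\n".join(l for l in CONN_TEXT.splitlines() if "protoport" not in l) + "\n"

LOG_LINE = ('Apr  4 18:13:07 linuxhost pluto[28341]: "windoze" #4: cannot respond to IPsec SA '
            'request because no connection is known for '
            '10.1.112.202<10.1.112.202>[+S=C]:1/0...10.1.112.14<10.1.112.14>[+S=C]:1/0')

PROTO_NAMES = {0: "any", 1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class ProtoPort:
    """A protoport selector: IP protocol number and port, 0 meaning 'any'."""
    proto: int
    port: int

    @classmethod
    def parse(cls, text):
        proto, port = text.strip().split("/")
        # ipsec.conf also accepts %any for the port; treat it as the 0 wildcard
        return cls(int(proto), 0 if port == "%any" else int(port))

    def covers(self, wanted):
        """True if this configured selector admits the selector the peer asked for."""
        proto_ok = self.proto == 0 or self.proto == wanted.proto
        port_ok = self.port == 0 or self.port == wanted.port
        return proto_ok and port_ok

    def __str__(self):
        return f"{PROTO_NAMES.get(self.proto, self.proto)}/{self.port or 'any'}"


def parse_conn(text):
    """Return {conn name: {key: value}} for every conn section in ipsec.conf syntax."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


# Matches the rejection line: host<id>[flags]:proto/port ... host<id>[flags]:proto/port
NO_CONN_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: cannot respond to IPsec SA request because no connection '
    r'is known for [\d.]+<[^>]*>(?:\[[^\]]*\])?:(?P<left>\d+/\d+)\.\.\.'
    r'[\d.]+<[^>]*>(?:\[[^\]]*\])?:(?P<right>\d+/\d+)')


def parse_rejection(line):
    """Extract the conn name and the rejected left/right selectors, or None."""
    m = NO_CONN_RE.search(line)
    if m is None:
        return None
    return {"conn": m["conn"],
            "left": ProtoPort.parse(m["left"]),
            "right": ProtoPort.parse(m["right"])}


def diagnose(conn_text, log_line):
    """List the configured protoports that fail to cover what the peer requested."""
    rej = parse_rejection(log_line)
    if rej is None:
        return None
    conn = parse_conn(conn_text)[rej["conn"]]  # KeyError: conn name not in this file
    problems = []
    for side in ("left", "right"):
        have = ProtoPort.parse(conn.get(f"{side}protoport", "0/0"))
        if not have.covers(rej[side]):
            problems.append(f"{side}protoport={have} does not cover the requested {rej[side]}")
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", CONN_TEXT), ("protoport lines removed", CONN_FIXED)):
        print(f"{label}: {diagnose(text, LOG_LINE) or 'selector covered'}")
```

Run as posted it reports both sides (udp/any and udp/1701 do not cover icmp/any); with the protoport lines removed it reports the selector as covered, which is the configuration shape for protecting all traffic rather than L2TP only. The check models only the protocol/port wildcard rule; pluto's own connection lookup also considers the client subnets and any additional spd entries on the conn.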
