[Openswan Users] Help configuring simple IPSec from Linux to Windows - "cannot respond to IPsec SA request because no connection is known"

Paddy Doyle paddy at tchpc.tcd.ie
Tue Apr 10 12:40:07 EDT 2012


Got it working, so thought I'd post the solution in case anyone has a similar
issue.

It was the IP Filter on the Windows side that was causing the mismatch. I had
configured it just to match ICMP traffic only (not all traffic) for testing.

On the Linux side, the connection was set to encrypt all traffic, not just ICMP.
Hence the mismatch.

For the record, this was the ipsec conf that I used in the end:

conn windoze
        left=10.1.112.202
        right=10.1.112.14
        type=transport
        pfs=no
        auto=start
        authby=secret


The FAQ does mention "The match must be exact"... but I was concentrating on this
meaning that the IP addresses and/or subnets must match, not thinking about the
protocols matching as well.

I guess that's where the leftprotoport setting comes into it. After another trip
to the man page I now understand the "0/0" means any protocol/port, whereas my
Windows side was trying to negotiate on "1/0" meaning ICMP.


Apr 10 16:51:49 linuxhost pluto[22187]: "windoze" #2: the peer proposed: 10.1.112.202/32:0/0 -> 10.1.112.14/32:0/0
Apr 10 16:51:49 linuxhost pluto[22187]: "windoze" #2: cannot respond to IPsec SA request because no connection is known for 10.1.112.202<10.1.112.202>[+S=C]:1/0...10.1.112.14<10.1.112.14>[+S=C]:1/0
Apr 10 16:51:49 linuxhost pluto[22187]: "windoze" #2: sending encrypted notification INVALID_ID_INFORMATION to 10.1.112.14:500


Paddy

-- 
Paddy Doyle
Trinity Centre for High Performance Computing,
Lloyd Building, Trinity College Dublin, Dublin 2, Ireland.
Phone: +353-1-896-3725
http://www.tchpc.tcd.ie/
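Editor's note: the following is an added example, not part of Paddy's post and not Openswan code. It applies pluto's "the match must be exact" rule to the conn and log line quoted above: it parses the conn block (leftprotoport/rightprotoport defaulting to 0/0 when absent), parses the selectors out of the "no connection is known for ..." line (the `<id>` and `[+S=C]` decorations are skipped as carrying no selector information, an assumption about pluto's log format based only on the lines shown), and reports which component (subnet, protocol, port) differs. The `ICMP_CONN` variant is constructed here to show the other way round the mismatch, narrowing the Linux side to ICMP with `leftprotoport=1/0` / `rightprotoport=1/0`, rather than widening the Windows filter as the post did; the parsers only cover the two shapes quoted in the post.

```python
"""Check an Openswan conn against a peer's Quick Mode request the way pluto's
"the match must be exact" rule does: client subnet, protocol AND port must all
agree on both sides. Added example, not Openswan code; the parsers below only
cover the config and log shapes quoted in the post."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# IANA protocol numbers for readable output; 0 means "any" in protoport syntax.
PROTO_NAMES = {0: "any", 1: "icmp", 6: "tcp", 17: "udp"}

# Copied from the post: no leftprotoport/rightprotoport, so both default to 0/0.
POST_CONN = """
conn windoze
        left=10.1.112.202
        right=10.1.112.14
        type=transport
        pfs=no
        auto=start
        authby=secret
"""

# Constructed variant (not from the post): narrow the Linux side to ICMP so it
# agrees with an ICMP-only Windows filter instead of widening the Windows side.
ICMP_CONN = POST_CONN + "        leftprotoport=1/0\n        rightprotoport=1/0\n"

# The failing line from the post's log.
LOG_LINE = ('Apr 10 16:51:49 linuxhost pluto[22187]: "windoze" #2: cannot respond to IPsec SA '
            'request because no connection is known for '
            '10.1.112.202<10.1.112.202>[+S=C]:1/0...10.1.112.14<10.1.112.14>[+S=C]:1/0')


@dataclass(frozen=True)
class Selector:
    """One traffic selector: client subnet plus protocol/port, as Openswan's
    leftprotoport/rightprotoport express it ("0/0" = any protocol, any port)."""
    net: IPv4Network
    proto: int
    port: int

    def __str__(self):
        return f"{self.net}:{self.proto}/{self.port}"


def parse_logged_selector(text):
    """Parse the address[/len][<id>][flags]:proto/port form pluto logs, e.g.
    '10.1.112.202/32:0/0' or '10.1.112.202<10.1.112.202>[+S=C]:1/0'.
    Assumption: the <id> and [..] decorations carry no selector information."""
    m = re.fullmatch(r"([0-9.]+(?:/\d+)?)(?:<[^>]*>)?(?:\[[^\]]*\])?:(\d+)/(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised selector: {text!r}")
    return Selector(ip_network(m.group(1)), int(m.group(2)), int(m.group(3)))


def parse_no_connection_line(line):
    """Return the (left, right) selectors the peer asked for, taken from a
    'cannot respond ... no connection is known for LEFT...RIGHT' log line."""
    m = re.search(r"no connection is known for (\S+?)\.\.\.(\S+)", line)
    if not m:
        raise ValueError("not a 'no connection is known' line")
    return parse_logged_selector(m.group(1)), parse_logged_selector(m.group(2))


def parse_conn(conf_text):
    """Parse the key=value lines of one conn block into (left, right) selectors.
    Only the keys this example needs are read; in transport mode the client is
    the host itself, and protoport defaults to 0/0 (any protocol, any port)."""
    kv = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip()

    def side(prefix):
        proto, port = kv.get(prefix + "protoport", "0/0").split("/")
        subnet = kv.get(prefix + "subnet", kv[prefix])
        return Selector(ip_network(subnet), int(proto), int(port))

    return side("left"), side("right")


def explain_mismatch(configured, requested):
    """Compare configured and requested (left, right) selectors component by
    component. Returns human-readable differences; empty means the conn matches."""
    reasons = []
    for side, have, want in zip(("left", "right"), configured, requested):
        if have.net != want.net:
            reasons.append(f"{side}: subnet {have.net} configured, peer wants {want.net}")
        if have.proto != want.proto:
            reasons.append(f"{side}: protocol {PROTO_NAMES.get(have.proto, have.proto)} "
                           f"configured, peer wants {PROTO_NAMES.get(want.proto, want.proto)}")
        if have.port != want.port:
            reasons.append(f"{side}: port {have.port} configured, peer wants {want.port}")
    return reasons


if __name__ == "__main__":
    requested = parse_no_connection_line(LOG_LINE)
    for name, conf in (("as posted", POST_CONN), ("icmp-only", ICMP_CONN)):
        reasons = explain_mismatch(parse_conn(conf), requested)
        print(f"conn {name}: " + ("would match" if not reasons else "; ".join(reasons)))
```

Run as a script, the posted conn reports a protocol mismatch on both sides (any vs icmp) while the ICMP-only variant matches, which is the same conclusion the post reaches from the "0/0" versus "1/0" reading of the log.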

