[Openswan Users] Interpreting "no connection is known" (FreeSwan 1.97)

Bob Miller bob at computerisms.ca
Fri Jun 7 17:02:26 UTC 2013


> 
> I have someone who was using a cellular network adapter in modem
> mode, and is now switching to one that runs in either wifi or ethernet
> over USB.  Unfortunately, the laptop can no longer connect to the
> FreeSwan based L2TP server.

So maybe they switched from a non-NAT'd connection to a NAT'd one?  If
so you will need the virtualprivate config.  There are lots and lots of
examples of how to implement that on the net, so I won't cover it here.

> cannot respond to IPsec SA request because no connection is known for
> 111.111.111.111:4500:17/1701...
> 222.222.222.222:55936[@laptop.our.windows.domain]:17/1701===0

Okay, so "no connection is known" means that between the
right/left/rightsubnet/leftsubnet settings and related settings, the
description of the network provided in the config does not match
reality.  If you switched to the need for NAT without allowing for it in
your config, then your config is not describing a NAT situation and
therefore openswan can't figure out what you want him to do.  Make your
config describe the actual network and this problem will go away.

> I've spent hours in years past trying to debug the same message trying
> to connect with my own computer (OS X), going through my local router,
> and I gave up.  I never got completely clear on how the ascii art
> corresponds to the config files or how to change things to make it
> match.

IPSec/L2TP vpns are hard to wrap a mind around, one of the more
challenging things I have ever taught myself.  I can say now that it was
totally worth every single keyboard that hit the wall...
> 
> 

Is this config from a current version of openswan?  And why the 0.0.0.0
for right, you are encrypting to the gateway but not across the
internet?  I would suggest making sure you have a current version of
openswan and start with a minimal config, you can always add stuff after
it is working...

> config setup
>     interfaces = %defaultroute
>     X-enabled = yes
>     klipsdebug = none
>     plutodebug = none
>     plutoload = %search
>     plutostart = %search
>     manualstart =
>     uniqueids = yes
>
>
> conn BobsConnection
>     type = tunnel
>     left = %defaultroute
>     x-interface = %defaultroute
>     right = 0.0.0.0
>     auto = add
>     keyexchange = ike
>     authby = secret
>     auth = esp
>     pfs = no
>     pfsgroup = MODP1024
>     ike = "3DES-SHA-MODP1024"
>     esp = "3DES-SHA1"
>     keyingtries = 0
>     ikelifetime = 3600
>     keylife = 3600
>     rekeymargin = 600
>     rekeyfuzz = 100%
>     x-l2tpd = yes
> 
> 
> -- 
> Justin Love -- http://JustinLove.name/
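As an added illustration (not part of the original message, and not Openswan code), the sketch below splits the quoted "no connection is known" line into its two endpoints and flags the fields that the conn section has to account for. The field layout and the default IKE port of 500 are assumptions read off the quoted line, and the function names are hypothetical.

```python
import re

# The log line quoted in the message, joined onto one line (placeholder addresses).
SAMPLE = ("cannot respond to IPsec SA request because no connection is known for "
          "111.111.111.111:4500:17/1701..."
          "222.222.222.222:55936[@laptop.our.windows.domain]:17/1701===0")

def _end(p):
    # One endpoint: ip[:ike_port][[id]]:proto/port (layout assumed from the quoted line).
    return (rf"(?P<{p}ip>\d+(?:\.\d+){{3}})(?::(?P<{p}ike>\d+))?"
            rf"(?:\[(?P<{p}id>[^\]]*)\])?:(?P<{p}proto>\d+)/(?P<{p}port>\d+|%any)")

# Optional "net===" before the local end and "===net" after the remote end.
PATTERN = re.compile(r"no connection is known for\s+(?:(?P<lnet>[^\s=]+)===)?"
                     + _end("l") + r"\s*\.\.\.\s*" + _end("r")
                     + r"(?:===(?P<rnet>\S+))?")

def parse_no_connection(line):
    """Return {'local': {...}, 'remote': {...}} or None if the line does not match."""
    m = PATTERN.search(line)
    if m is None:
        return None
    g = m.groupdict()
    def side(p, net):
        return {"ip": g[p + "ip"],
                "ike_port": int(g[p + "ike"] or 500),  # assumption: port omitted means 500
                "id": g[p + "id"], "proto": int(g[p + "proto"]),
                "port": g[p + "port"], "client": g[net]}
    return {"local": side("l", "lnet"), "remote": side("r", "rnet")}

def diagnose(parsed):
    """Map hint tags to explanations of what the conn section has to account for."""
    hints, l, r = {}, parsed["local"], parsed["remote"]
    if 4500 in (l["ike_port"], r["ike_port"]):
        hints["nat_t"] = "IKE is on UDP 4500, the NAT traversal port"
    if r["ike_port"] not in (500, 4500):
        hints["nat_port"] = f"peer source port {r['ike_port']} looks rewritten by a NAT device"
    if (l["proto"], l["port"]) == (17, "1701"):
        hints["l2tp"] = "protoport 17/1701 is L2TP over UDP"
    if r["client"] is not None:
        hints["peer_client"] = f"peer proposes client '{r['client']}' behind itself"
    return hints

if __name__ == "__main__":
    for tag, text in diagnose(parse_no_connection(SAMPLE)).items():
        print(f"{tag}: {text}")
```

Each hint names something the left/right, subnet and protoport settings must describe before pluto can match the request to a conn.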