[Openswan Users] L2TP/IPSec can not work.

Ozai ozai.tien at gmail.com
Thu Mar 14 05:11:36 EDT 2013


Hi Bob,

I added left/rightsubnet into ipsec.conf, but I got the same result.

Do you have any idea about "cannot respond to IPsec SA request because no 
connection is known for 
172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>"?

Thanks a lot.

Jan  1 02:02:52 authpriv warn pluto[10367]: packet from 172.17.21.80:500: 
received Vendor ID payload [RFC 3947] meth=115, but port floating is off
Jan  1 02:02:52 authpriv warn pluto[10367]: packet from 172.17.21.80:500: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but 
port floating is off
Jan  1 02:02:52 authpriv warn pluto[10367]: packet from 172.17.21.80:500: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but 
port floating is off
Jan  1 02:02:52 authpriv warn pluto[10367]: packet from 172.17.21.80:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan  1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: responding to Main 
Mode
Jan  1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: Oakley Transform 
[OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to 
strict flag
Jan  1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: transition from 
state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: STATE_MAIN_R1: sent 
MR1, expecting MI2
Jan  1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: transition from 
state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: STATE_MAIN_R2: sent 
MR2, expecting MI3
Jan  1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: Main mode peer ID is 
ID_IPV4_ADDR: '172.17.21.80'
Jan  1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: transition from 
state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: STATE_MAIN_R3: sent 
MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan  1 02:02:54 authpriv warn pluto[10367]: "l2tp" #15: the peer proposed: 
172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
Jan  1 02:02:54 authpriv warn pluto[10367]: "l2tp" #15: cannot respond to 
IPsec SA request because no connection is known for 
172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
Jan  1 02:02:54 authpriv warn pluto[10367]: "l2tp" #15: sending encrypted 
notification INVALID_ID_INFORMATION to 172.17.21.80:500
Jan  1 02:02:58 authpriv warn pluto[10367]: "l2tp" #15: the peer proposed: 
172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
Jan  1 02:02:58 authpriv warn pluto[10367]: "l2tp" #15: cannot respond to 
IPsec SA request because no connection is known for 
172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
Jan  1 02:02:58 authpriv warn pluto[10367]: "l2tp" #15: sending encrypted 
notification INVALID_ID_INFORMATION to 172.17.21.80:500
Jan  1 02:03:02 authpriv warn pluto[10367]: "l2tp" #15: the peer proposed: 
172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
Jan  1 02:03:02 authpriv warn pluto[10367]: "l2tp" #15: cannot respond to 
IPsec SA request because no connection is known for 
172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
Jan  1 02:03:02 authpriv warn pluto[10367]: "l2tp" #15: sending encrypted 
notification INVALID_ID_INFORMATION to 172.17.21.80:500
Jan  1 02:03:07 authpriv warn pluto[10367]: "l2tp" #15: the peer proposed: 
172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
Jan  1 02:03:07 authpriv warn pluto[10367]: "l2tp" #15: cannot respond to 
IPsec SA request because no connection is known for 
172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
Jan  1 02:03:07 authpriv warn pluto[10367]: "l2tp" #15: sending encrypted 
notification INVALID_ID_INFORMATION to 172.17.21.80:500

Best Regards,
Ozai
----- Original Message ----- 
From: "Bob Miller" <bob at computerisms.ca>
To: <users at lists.openswan.org>
Sent: Friday, March 08, 2013 2:10 AM
Subject: Re: [Openswan Users] L2TP/IPSec can not work.


> Hello,
>
>>
>> # cat ipsec.conf
>> config setup
>>                 nat_traversal=no
>>                 oe=off
>>                 protostack=netkey
>>                 interfaces=%defaultroute
>>
>> conn L2TP-PSK-NAT
>>                 rightsubnet=vhost:%no,%priv
>
> In order to use this you need to have virtual_private configured above,
> but given your topology you won't be needing NAT, so this stanza seems
> pointless.
>
>>                 also=L2TP-PSK-noNAT
>>
>> conn L2TP-PSK-noNAT
>>                 left=172.17.21.81
>>                 leftprotoport=17/1701
>>                 rightprotoport=17/1701
>>                 right=172.17.21.80
>
> Try adding left/rightsubnet to this stanza; these settings are not
> describing enough of the network for Openswan to figure out which
> traffic needs to go through the tunnel.
>
>>                 pfs=no
>>                 keylife=1h
>>                 keyingtries=3
>>                 rekey=no
>>                 ikelifetime=60m
>>                 type=transport
>>                 authby=secret
>>                 auto=add
>> #
>> Jan  1 04:12:15 daemon err ipsec_setup: Starting Openswan IPsec
>> U2.6.38/K2.6.30...
>> Jan  1 04:12:15 daemon err ipsec_setup: Using NETKEY(XFRM) stack
>> Jan  1 04:12:17 authpriv err ipsec__plutorun: Starting Pluto
>> subsystem...
>> Jan  1 04:12:17 user warn syslog: adjusting ipsec.d to /var/ipsec.d
>> Jan  1 04:12:17 authpriv warn pluto[8314]: LEAK_DETECTIVE support
>> [disabled]
>> Jan  1 04:12:17 authpriv warn pluto[8314]: OCF support for IKE
>> [disabled]
>> Jan  1 04:12:17 authpriv warn pluto[8314]: NSS support [disabled]
>> Jan  1 04:12:17 authpriv warn pluto[8314]: HAVE_STATSD notification
>> support not compiled in
>> Jan  1 04:12:17 authpriv warn pluto[8314]: Setting NAT-Traversal
>> port-4500 floating to off
>> Jan  1 04:12:17 authpriv warn pluto[8314]:    port floating activation
>> criteria nat_t=0/port_float=1
>> Jan  1 04:12:17 authpriv warn pluto[8314]:    NAT-Traversal support
>> [disabled]
>> Jan  1 04:12:17 authpriv warn pluto[8314]: using /dev/urandom as
>> source of random entropy
>> Jan  1 04:12:17 daemon err ipsec__plutorun: adjusting ipsec.d
>> to /var/ipsec.d
>> Jan  1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_enc():
>> Activating OAKLEY_AES_CBC: Ok (ret=0)
>> Jan  1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_hash():
>> Activating OAKLEY_SHA2_512: Ok (ret=0)
>> Jan  1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_hash():
>> Activating OAKLEY_SHA2_256: Ok (ret=0)
>> Jan  1 04:12:17 authpriv warn pluto[8314]: starting up 1 cryptographic
>> helpers
>> Jan  1 04:12:17 authpriv warn pluto[8314]: started helper pid=8319
>> (fd:6)
>> Jan  1 04:12:17 authpriv warn pluto[8319]: using /dev/urandom as
>> source of random entropy
>> Jan  1 04:12:17 daemon err ipsec_setup: ...Openswan IPsec started
>> Jan  1 04:12:17 authpriv warn pluto[8314]: Using Linux 2.6 IPsec
>> interface code on 2.6.30 (experimental code)
>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>> Activating aes_ccm_8: Ok (ret=0)
>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>> algo_type '0', algo_id '0', Algorithm type already exists
>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>> Activating aes_ccm_12: FAILED (ret=-17)
>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>> algo_type '0', algo_id '0', Algorithm type already exists
>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>> Activating aes_ccm_16: FAILED (ret=-17)
>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>> algo_type '0', algo_id '0', Algorithm type already exists
>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>> Activating aes_gcm_8: FAILED (ret=-17)
>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>> algo_type '0', algo_id '0', Algorithm type already exists
>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>> Activating aes_gcm_12: FAILED (ret=-17)
>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>> algo_type '0', algo_id '0', Algorithm type already exists
>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>> Activating aes_gcm_16: FAILED (ret=-17)
>> Jan  1 04:12:19 authpriv warn pluto[8314]: Could not change to
>> directory '/var/ipsec.d/cacerts': No such file or directory
>> Jan  1 04:12:19 authpriv warn pluto[8314]: Could not change to
>> directory '/var/ipsec.d/aacerts': No such file or directory
>> Jan  1 04:12:19 authpriv warn pluto[8314]: Could not change to
>> directory '/var/ipsec.d/ocspcerts': No such file or directory
>> Jan  1 04:12:19 authpriv warn pluto[8314]: Could not change to
>> directory '/var/ipsec.d/crls': 2 No such file or directory
>> Jan  1 04:12:19 authpriv warn pluto[8314]: added connection
>> description "L2TP-PSK-NAT"
>> Jan  1 04:12:19 daemon err ipsec__plutorun: 002 added connection
>> description "L2TP-PSK-NAT"
>> Jan  1 04:12:19 authpriv warn pluto[8314]: added connection
>> description "L2TP-PSK-noNAT"
>> Jan  1 04:12:19 daemon err ipsec__plutorun: 002 added connection
>> description "L2TP-PSK-noNAT"
>> Jan  1 04:12:20 authpriv warn pluto[8314]: listening for IKE messages
>> Jan  1 04:12:20 authpriv warn pluto[8314]: adding interface
>> eth0.1/eth0.1 172.17.21.81:500
>> Jan  1 04:12:20 authpriv warn pluto[8314]: adding interface br0/br0
>> 192.168.1.254:500
>> Jan  1 04:12:20 authpriv warn pluto[8314]: adding interface lo/lo
>> 127.0.0.1:500
>> Jan  1 04:12:20 authpriv warn pluto[8314]: adding interface
>> lo/lo ::1:500
>> Jan  1 04:12:20 authpriv warn pluto[8314]: loading secrets from
>> "/var/ipsec.secrets"
>> Jan  1 04:12:21 authpriv warn pluto[8314]: packet from
>> 172.17.21.80:500: received Vendor ID payload [RFC 3947] meth=115, but
>> port floating is off
>> Jan  1 04:12:21 authpriv warn pluto[8314]: packet from
>> 172.17.21.80:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
>> Jan  1 04:12:21 authpriv warn pluto[8314]: packet from
>> 172.17.21.80:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
>> Jan  1 04:12:21 authpriv warn pluto[8314]: packet from
>> 172.17.21.80:500: ignoring Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-00]
>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: responding to Main Mode from unknown peer
>> 172.17.21.80
>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: transition from state STATE_MAIN_R0 to state
>> STATE_MAIN_R1
>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> Jan  1 04:12:21 authpriv warn pluto[8314]: packet from
>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>> ISAKMP SA
>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: transition from state STATE_MAIN_R1 to state
>> STATE_MAIN_R2
>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.80'
>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: transition from state STATE_MAIN_R2 to state
>> STATE_MAIN_R3
>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
>> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
>> group=modp1024}
>> Jan  1 04:12:25 authpriv warn pluto[8314]: packet from
>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>> ISAKMP SA
>> Jan  1 04:12:29 authpriv warn pluto[8314]: packet from
>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>> ISAKMP SA
>> Jan  1 04:12:33 authpriv warn pluto[8314]: packet from
>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>> ISAKMP SA
>> Jan  1 04:12:37 authpriv warn pluto[8314]: packet from
>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>> ISAKMP SA
>> Jan  1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>> 172.17.21.80/32:17/1701
>> Jan  1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>> connection is known for
>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>> Jan  1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>> to 172.17.21.80:500
>> Jan  1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>> 172.17.21.80/32:17/1701
>> Jan  1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>> connection is known for
>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>> Jan  1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>> to 172.17.21.80:500
>> Jan  1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>> 172.17.21.80/32:17/1701
>> Jan  1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>> connection is known for
>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>> Jan  1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>> to 172.17.21.80:500
>> Jan  1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>> 172.17.21.80/32:17/1701
>> Jan  1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>> connection is known for
>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>> Jan  1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>> to 172.17.21.80:500
>> Jan  1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>> 172.17.21.80/32:17/1701
>> Jan  1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>> connection is known for
>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>> Jan  1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>> to 172.17.21.80:500
>>
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
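The pluto lines quoted in this thread carry three separate signals that are easy to miss when they scroll past: a phase 1 proposal "refused due to strict flag" (in Openswan that flag comes from a trailing "!" on the ike= line, and the peer's other transform still got through), an ISAKMP SA that came up with 3DES/MD5/modp1024, and a phase 2 loop in which the peer's traffic selectors ("the peer proposed: ... -> ...") match no loaded conn, so pluto answers INVALID_ID_INFORMATION every few seconds. The script below is an added example written for this page, not code from the thread or from Openswan. It parses those lines and checks the proposed selectors against conn definitions using a simplified model of pluto's connection lookup (host/32 when no subnet is given, protoport 0 meaning any, both orientations tried); the vhost:%priv virtual-IP syntax is not modelled, and the "hypothetical-subnet" conn is made up to show a non-match, not a claim about the poster's real configuration.

```python
"""Triage helper for Openswan/pluto IKEv1 log lines (added example, not from the thread)."""
import re
import ipaddress
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the pluto lines quoted in the thread above.
SAMPLE_LOG = """\
Jan  1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Jan  1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan  1 02:02:54 authpriv warn pluto[10367]: "l2tp" #15: the peer proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
Jan  1 02:02:54 authpriv warn pluto[10367]: "l2tp" #15: cannot respond to IPsec SA request because no connection is known for 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
Jan  1 02:02:54 authpriv warn pluto[10367]: "l2tp" #15: sending encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
"""

# Phase 1 parameters a practitioner would want flagged (names as pluto prints them).
WEAK = {
    "cipher": {"oakley_3des_cbc_192", "oakley_des_cbc"},
    "prf": {"oakley_md5"},
    "group": {"modp768", "modp1024"},
}

STRICT_RE = re.compile(r'#(\d+): Oakley Transform \[(.+?)\] refused due to strict flag')
SA_RE = re.compile(r'#(\d+): STATE_MAIN_R3: sent MR3, ISAKMP SA established '
                   r'\{auth=(\S+) cipher=(\S+) prf=(\S+) group=(\S+)\}')
PROPOSAL_RE = re.compile(r'#(\d+): the peer proposed: (\S+) -> (\S+)')
NOTIFY_RE = re.compile(r'#(\d+): sending encrypted notification (\w+) to')


@dataclass(frozen=True)
class Selector:
    net: ipaddress.IPv4Network
    proto: int   # 0 means any protocol
    port: int    # 0 means any port


def parse_selector(text):
    """'172.17.21.81/32:17/1701' -> Selector, the format pluto uses in 'the peer proposed'."""
    net, protoport = text.rsplit(":", 1)
    proto, port = protoport.split("/")
    return Selector(ipaddress.ip_network(net), int(proto), int(port))


@dataclass
class Conn:
    """Subset of an ipsec.conf conn. Empty subnet means 'the host itself', i.e. host/32."""
    name: str
    left: str
    right: str
    leftprotoport: str = "0/0"
    rightprotoport: str = "0/0"
    leftsubnet: str = ""
    rightsubnet: str = ""

    def selectors(self):
        def side(host, subnet, protoport):
            return parse_selector(f"{subnet or host + '/32'}:{protoport}")
        return (side(self.left, self.leftsubnet, self.leftprotoport),
                side(self.right, self.rightsubnet, self.rightprotoport))


def selector_covers(conn_sel, proposed):
    """True if a proposed client selector fits inside what the conn side allows."""
    if not proposed.net.subnet_of(conn_sel.net):
        return False
    if conn_sel.proto and conn_sel.proto != proposed.proto:
        return False
    if conn_sel.port and conn_sel.port != proposed.port:
        return False
    return True


def find_conn(conns, ours, his):
    """Name of the first conn whose (left,right) or (right,left) covers the proposal, else None."""
    for c in conns:
        left, right = c.selectors()
        if selector_covers(left, ours) and selector_covers(right, his):
            return c.name
        if selector_covers(right, ours) and selector_covers(left, his):
            return c.name
    return None


def triage(log_text, conns):
    """Walk pluto lines in order and return human-readable findings keyed by state number."""
    findings, proposals = [], {}
    for line in log_text.splitlines():
        m = STRICT_RE.search(line)
        if m:
            findings.append(f"#{m.group(1)}: peer offered [{m.group(2)}], rejected by strict ike= list")
            continue
        m = SA_RE.search(line)
        if m:
            weak = [k for k, v in zip(("cipher", "prf", "group"), m.group(3, 4, 5)) if v in WEAK[k]]
            if weak:
                findings.append(f"#{m.group(1)}: phase 1 up with weak {', '.join(weak)} "
                                f"({m.group(3)}/{m.group(4)}/{m.group(5)})")
            continue
        m = PROPOSAL_RE.search(line)
        if m:   # pluto prints our client first, then the peer's
            proposals[m.group(1)] = (parse_selector(m.group(2)), parse_selector(m.group(3)))
            continue
        m = NOTIFY_RE.search(line)
        if m and m.group(2) == "INVALID_ID_INFORMATION" and m.group(1) in proposals:
            ours, his = proposals[m.group(1)]
            name = find_conn(conns, ours, his)
            verdict = f"would match conn {name!r}" if name else "matches none of the loaded conns"
            findings.append(f"#{m.group(1)}: phase 2 rejected; proposal "
                            f"{ours.net}:{ours.proto}/{ours.port} -> {his.net}:{his.proto}/{his.port} {verdict}")
    return findings


# The conn as posted in the thread, and a made-up one whose rightsubnet cannot cover the proposal.
CONN_FROM_THREAD = Conn("L2TP-PSK-noNAT", left="172.17.21.81", right="172.17.21.80",
                        leftprotoport="17/1701", rightprotoport="17/1701")
CONN_HYPOTHETICAL = Conn("hypothetical-subnet", left="172.17.21.81", right="172.17.21.80",
                         leftprotoport="17/1701", rightprotoport="17/1701", rightsubnet="192.168.1.0/24")

if __name__ == "__main__":
    for conn in (CONN_FROM_THREAD, CONN_HYPOTHETICAL):
        print(f"--- checking against {conn.name}")
        for f in triage(SAMPLE_LOG, [conn]):
            print(f)
```

Run it with `python3 pluto_triage.py`; the selector check says whether the proposal in the log could ever match the conn you think pluto should pick, which is the question "no connection is known for" is really asking. When the check passes but pluto still refuses, look at which conn the phase 1 SA was actually bound to (the earlier log shows "L2TP-PSK-NAT"[1], an instantiated template, not the noNAT conn). The weak-crypto finding is independent of the failure: 3DES, MD5 and modp1024 are what this peer negotiated, and both ends would need an ike= line naming AES and SHA-2 with a larger group for that to change.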
