[Openswan Users] L2TP/IPSec can not work.

Willie Gillespie wgillespie+openswan at es2eng.com
Fri Mar 15 15:12:11 UTC 2013


Just a stab in the dark, but do you have a matching secret in your 
secrets file?

On 3/14/2013 3:11 AM, Ozai wrote:
> Hi Bob,
>
> I added left/rightsubnet into ipsec.conf. But I got the same result.
>
> Do you have idea on "cannot respond to IPsec SA request because no
> connection is known for
> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>"?
>
> Thanks a lot.
>
> Jan  1 02:02:52 authpriv warn pluto[10367]: packet from
> 172.17.21.80:500: received Vendor ID payload [RFC 3947] meth=115, but
> port floating is off
> Jan  1 02:02:52 authpriv warn pluto[10367]: packet from
> 172.17.21.80:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
> Jan  1 02:02:52 authpriv warn pluto[10367]: packet from
> 172.17.21.80:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
> Jan  1 02:02:52 authpriv warn pluto[10367]: packet from
> 172.17.21.80:500: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
> Jan  1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: responding to
> Main Mode
> Jan  1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: Oakley Transform
> [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due
> to strict flag
> Jan  1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: transition from
> state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan  1 02:02:52 authpriv warn pluto[10367]: "l2tp" #15: STATE_MAIN_R1:
> sent MR1, expecting MI2
> Jan  1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: transition from
> state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan  1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: STATE_MAIN_R2:
> sent MR2, expecting MI3
> Jan  1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: Main mode peer
> ID is ID_IPV4_ADDR: '172.17.21.80'
> Jan  1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: transition from
> state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jan  1 02:02:53 authpriv warn pluto[10367]: "l2tp" #15: STATE_MAIN_R3:
> sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> Jan  1 02:02:54 authpriv warn pluto[10367]: "l2tp" #15: the peer
> proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
> Jan  1 02:02:54 authpriv warn pluto[10367]: "l2tp" #15: cannot respond
> to IPsec SA request because no connection is known for
> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
> Jan  1 02:02:54 authpriv warn pluto[10367]: "l2tp" #15: sending
> encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
> Jan  1 02:02:58 authpriv warn pluto[10367]: "l2tp" #15: the peer
> proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
> Jan  1 02:02:58 authpriv warn pluto[10367]: "l2tp" #15: cannot respond
> to IPsec SA request because no connection is known for
> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
> Jan  1 02:02:58 authpriv warn pluto[10367]: "l2tp" #15: sending
> encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
> Jan  1 02:03:02 authpriv warn pluto[10367]: "l2tp" #15: the peer
> proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
> Jan  1 02:03:02 authpriv warn pluto[10367]: "l2tp" #15: cannot respond
> to IPsec SA request because no connection is known for
> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
> Jan  1 02:03:02 authpriv warn pluto[10367]: "l2tp" #15: sending
> encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
> Jan  1 02:03:07 authpriv warn pluto[10367]: "l2tp" #15: the peer
> proposed: 172.17.21.81/32:17/1701 -> 172.17.21.80/32:17/1701
> Jan  1 02:03:07 authpriv warn pluto[10367]: "l2tp" #15: cannot respond
> to IPsec SA request because no connection is known for
> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
> Jan  1 02:03:07 authpriv warn pluto[10367]: "l2tp" #15: sending
> encrypted notification INVALID_ID_INFORMATION to 172.17.21.80:500
>
> Best Regards,
> Ozai
> ----- Original Message ----- From: "Bob Miller" <bob at computerisms.ca>
> To: <users at lists.openswan.org>
> Sent: Friday, March 08, 2013 2:10 AM
> Subject: Re: [Openswan Users] L2TP/IPSec can not work.
>
>
>> Hello,
>>
>>>
>>> # cat ipsec.conf
>>> config setup
>>>                 nat_traversal=no
>>>                 oe=off
>>>                 protostack=netkey
>>>                 interfaces=%defaultroute
>>>
>>> conn L2TP-PSK-NAT
>>>                 rightsubnet=vhost:%no,%priv
>>
>> In order to use this you need to have virtual_private configured above,
>> but given your topology you won't be needing NAT, so this stanza seems
>> pointless.
>>
>>>                 also=L2TP-PSK-noNAT
>>>
>>> conn L2TP-PSK-noNAT
>>>                 left=172.17.21.81
>>>                 leftprotoport=17/1701
>>>                 rightprotoport=17/1701
>>>                 right=172.17.21.80
>>
>> Try adding left/rightsubnet to this stanza; these settings are not
>> describing enough of the network for openswan to figure out which
>> traffic needs to go through the tunnel.
>>
>>>                 pfs=no
>>>                 keylife=1h
>>>                 keyingtries=3
>>>                 rekey=no
>>>                 ikelifetime=60m
>>>                 type=transport
>>>                 authby=secret
>>>                 auto=add
>>> #
>>> Jan  1 04:12:15 daemon err ipsec_setup: Starting Openswan IPsec
>>> U2.6.38/K2.6.30...
>>> Jan  1 04:12:15 daemon err ipsec_setup: Using NETKEY(XFRM) stack
>>> Jan  1 04:12:17 authpriv err ipsec__plutorun: Starting Pluto
>>> subsystem...
>>> Jan  1 04:12:17 user warn syslog: adjusting ipsec.d to /var/ipsec.d
>>> Jan  1 04:12:17 authpriv warn pluto[8314]: LEAK_DETECTIVE support
>>> [disabled]
>>> Jan  1 04:12:17 authpriv warn pluto[8314]: OCF support for IKE
>>> [disabled]
>>> Jan  1 04:12:17 authpriv warn pluto[8314]: NSS support [disabled]
>>> Jan  1 04:12:17 authpriv warn pluto[8314]: HAVE_STATSD notification
>>> support not compiled in
>>> Jan  1 04:12:17 authpriv warn pluto[8314]: Setting NAT-Traversal
>>> port-4500 floating to off
>>> Jan  1 04:12:17 authpriv warn pluto[8314]:    port floating activation
>>> criteria nat_t=0/port_float=1
>>> Jan  1 04:12:17 authpriv warn pluto[8314]:    NAT-Traversal support
>>> [disabled]
>>> Jan  1 04:12:17 authpriv warn pluto[8314]: using /dev/urandom as
>>> source of random entropy
>>> Jan  1 04:12:17 daemon err ipsec__plutorun: adjusting ipsec.d
>>> to /var/ipsec.d
>>> Jan  1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_enc():
>>> Activating OAKLEY_AES_CBC: Ok (ret=0)
>>> Jan  1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_hash():
>>> Activating OAKLEY_SHA2_512: Ok (ret=0)
>>> Jan  1 04:12:17 authpriv warn pluto[8314]: ike_alg_register_hash():
>>> Activating OAKLEY_SHA2_256: Ok (ret=0)
>>> Jan  1 04:12:17 authpriv warn pluto[8314]: starting up 1 cryptographic
>>> helpers
>>> Jan  1 04:12:17 authpriv warn pluto[8314]: started helper pid=8319
>>> (fd:6)
>>> Jan  1 04:12:17 authpriv warn pluto[8319]: using /dev/urandom as
>>> source of random entropy
>>> Jan  1 04:12:17 daemon err ipsec_setup: ...Openswan IPsec started
>>> Jan  1 04:12:17 authpriv warn pluto[8314]: Using Linux 2.6 IPsec
>>> interface code on 2.6.30 (experimental code)
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>>> Activating aes_ccm_8: Ok (ret=0)
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>>> algo_type '0', algo_id '0', Algorithm type already exists
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>>> Activating aes_ccm_12: FAILED (ret=-17)
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>>> algo_type '0', algo_id '0', Algorithm type already exists
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>>> Activating aes_ccm_16: FAILED (ret=-17)
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>>> algo_type '0', algo_id '0', Algorithm type already exists
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>>> Activating aes_gcm_8: FAILED (ret=-17)
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>>> algo_type '0', algo_id '0', Algorithm type already exists
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>>> Activating aes_gcm_12: FAILED (ret=-17)
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_add(): ERROR:
>>> algo_type '0', algo_id '0', Algorithm type already exists
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: ike_alg_register_enc():
>>> Activating aes_gcm_16: FAILED (ret=-17)
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: Could not change to
>>> directory '/var/ipsec.d/cacerts': No such file or directory
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: Could not change to
>>> directory '/var/ipsec.d/aacerts': No such file or directory
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: Could not change to
>>> directory '/var/ipsec.d/ocspcerts': No such file or directory
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: Could not change to
>>> directory '/var/ipsec.d/crls': 2 No such file or directory
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: added connection
>>> description "L2TP-PSK-NAT"
>>> Jan  1 04:12:19 daemon err ipsec__plutorun: 002 added connection
>>> description "L2TP-PSK-NAT"
>>> Jan  1 04:12:19 authpriv warn pluto[8314]: added connection
>>> description "L2TP-PSK-noNAT"
>>> Jan  1 04:12:19 daemon err ipsec__plutorun: 002 added connection
>>> description "L2TP-PSK-noNAT"
>>> Jan  1 04:12:20 authpriv warn pluto[8314]: listening for IKE messages
>>> Jan  1 04:12:20 authpriv warn pluto[8314]: adding interface
>>> eth0.1/eth0.1 172.17.21.81:500
>>> Jan  1 04:12:20 authpriv warn pluto[8314]: adding interface br0/br0
>>> 192.168.1.254:500
>>> Jan  1 04:12:20 authpriv warn pluto[8314]: adding interface lo/lo
>>> 127.0.0.1:500
>>> Jan  1 04:12:20 authpriv warn pluto[8314]: adding interface
>>> lo/lo ::1:500
>>> Jan  1 04:12:20 authpriv warn pluto[8314]: loading secrets from
>>> "/var/ipsec.secrets"
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: packet from
>>> 172.17.21.80:500: received Vendor ID payload [RFC 3947] meth=115, but
>>> port floating is off
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: packet from
>>> 172.17.21.80:500: received Vendor ID payload
>>> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: packet from
>>> 172.17.21.80:500: received Vendor ID payload
>>> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: packet from
>>> 172.17.21.80:500: ignoring Vendor ID payload
>>> [draft-ietf-ipsec-nat-t-ike-00]
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: responding to Main Mode from unknown peer
>>> 172.17.21.80
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: transition from state STATE_MAIN_R0 to state
>>> STATE_MAIN_R1
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: packet from
>>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>>> ISAKMP SA
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: transition from state STATE_MAIN_R1 to state
>>> STATE_MAIN_R2
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.80'
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: transition from state STATE_MAIN_R2 to state
>>> STATE_MAIN_R3
>>> Jan  1 04:12:21 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
>>> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
>>> group=modp1024}
>>> Jan  1 04:12:25 authpriv warn pluto[8314]: packet from
>>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>>> ISAKMP SA
>>> Jan  1 04:12:29 authpriv warn pluto[8314]: packet from
>>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>>> ISAKMP SA
>>> Jan  1 04:12:33 authpriv warn pluto[8314]: packet from
>>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>>> ISAKMP SA
>>> Jan  1 04:12:37 authpriv warn pluto[8314]: packet from
>>> 172.17.21.80:500: Quick Mode message is for a non-existent (expired?)
>>> ISAKMP SA
>>> Jan  1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>>> 172.17.21.80/32:17/1701
>>> Jan  1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>>> connection is known for
>>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>>> Jan  1 04:12:41 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>>> to 172.17.21.80:500
>>> Jan  1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>>> 172.17.21.80/32:17/1701
>>> Jan  1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>>> connection is known for
>>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>>> Jan  1 04:12:45 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>>> to 172.17.21.80:500
>>> Jan  1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>>> 172.17.21.80/32:17/1701
>>> Jan  1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>>> connection is known for
>>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>>> Jan  1 04:12:49 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>>> to 172.17.21.80:500
>>> Jan  1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>>> 172.17.21.80/32:17/1701
>>> Jan  1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>>> connection is known for
>>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>>> Jan  1 04:12:53 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>>> to 172.17.21.80:500
>>> Jan  1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: the peer proposed: 172.17.21.81/32:17/1701 ->
>>> 172.17.21.80/32:17/1701
>>> Jan  1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: cannot respond to IPsec SA request because no
>>> connection is known for
>>> 172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>
>>> Jan  1 04:12:57 authpriv warn pluto[8314]: "L2TP-PSK-NAT"[1]
>>> 172.17.21.80 #1: sending encrypted notification INVALID_ID_INFORMATION
>>> to 172.17.21.80:500
>>>
>>>
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>
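The two suggestions in this thread (Bob's: add left/rightsubnet to the conn; Willie's: make sure ipsec.secrets has a PSK that matches the conn) are both things that can be checked mechanically before restarting pluto. The following is an added example, not code from the thread or from the Openswan project: a small Python checker that parses an Openswan-style ipsec.conf (conn sections, `also=` includes, an optional `%default` section) and an ipsec.secrets file, and reports conns that use `authby=secret` without a matching PSK line, plus conns that set `leftprotoport`/`rightprotoport` without the corresponding `leftsubnet`/`rightsubnet`. The sample config is modelled on the one quoted above; the sample secrets lines are constructed. The PSK matching rule (an ID list matches a conn when each of left and right is covered by a listed address or `%any`, and an empty ID list covers everything) is a simplification of pluto's real lookup and is labelled as such in the code.

```python
"""Consistency check for an Openswan-style ipsec.conf / ipsec.secrets pair.

Added example, not from the mailing-list thread or the Openswan project.
Sample inputs are constructed; the PSK matching rule is a simplification
of pluto's real secret lookup.
"""
from typing import Dict, List

# Constructed sample, modelled on the ipsec.conf quoted in the thread.
SAMPLE_CONF = """\
config setup
    nat_traversal=no
    oe=off
    protostack=netkey
    interfaces=%defaultroute

conn L2TP-PSK-NAT
    rightsubnet=vhost:%no,%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    left=172.17.21.81
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=172.17.21.80
    pfs=no
    type=transport
    authby=secret
    auto=add
"""

# Constructed ipsec.secrets: a PSK for an unrelated pair of peers only.
SAMPLE_SECRETS = """\
# a PSK for some other tunnel; it does not cover 172.17.21.81 <-> 172.17.21.80
192.168.1.254 10.0.0.1 : PSK "unrelated-secret"
"""

# Constructed ipsec.secrets that does cover the conn's left/right addresses.
FIXED_SECRETS = """\
172.17.21.81 172.17.21.80 : PSK "constructed-example-secret"
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}}. Unindented lines start a section
    ('conn NAME' or 'config setup'); indented 'key=value' lines belong to it."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:  # inside 'config setup'; not needed for these checks
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            current[key.strip()] = value.strip()
    return conns


def resolve_also(conns: Dict[str, Dict[str, str]], name: str, seen=None) -> Dict[str, str]:
    """Merge 'also=' sections into NAME. Simplification: settings written in
    NAME itself override the included ones; loops raise instead of recursing."""
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"also= loop at conn {name}")
    seen.add(name)
    own = dict(conns[name])
    effective: Dict[str, str] = {}
    for included in own.pop("also", "").split(","):
        if included.strip():
            effective.update(resolve_also(conns, included.strip(), seen))
    effective.update(own)
    return effective


def parse_secrets(text: str) -> List[List[str]]:
    """Return the ID list of every PSK line ('id id ... : PSK "..."').
    An empty list means the line carries no IDs and applies to any peer."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        ids, _, rest = line.partition(":")
        if rest.strip().upper().startswith("PSK"):  # skip RSA/XAUTH entries
            entries.append(ids.split())
    return entries


def has_psk_for(entries: List[List[str]], left: str, right: str) -> bool:
    """Simplified pluto rule: each side must be covered by its address or %any."""
    def covers(ids: List[str], addr: str) -> bool:
        return any(i in ("%any", addr) for i in ids)
    return any(not ids or (covers(ids, left) and covers(ids, right)) for ids in entries)


def check(conf_text: str, secrets_text: str) -> List[str]:
    """Report the two gaps the thread's replies point at, in conn order."""
    conns = parse_ipsec_conf(conf_text)
    secrets = parse_secrets(secrets_text)
    findings = []
    for name in conns:
        if name == "%default":
            continue
        eff = {**conns.get("%default", {}), **resolve_also(conns, name)}
        for side in ("left", "right"):
            if f"{side}protoport" in eff and f"{side}subnet" not in eff:
                findings.append(f"{name}: {side}protoport set but {side}subnet missing")
        if eff.get("authby") == "secret" and eff.get("left") and eff.get("right"):
            if not has_psk_for(secrets, eff["left"], eff["right"]):
                findings.append(f"{name}: authby=secret but no PSK in ipsec.secrets "
                                f"matches {eff['left']} <-> {eff['right']}")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONF, SAMPLE_SECRETS):
        print(finding)
```

Run against the sample pair it reports the missing subnets for both conns (the `also=` include pulls the noNAT protoport settings into L2TP-PSK-NAT, which only supplies a rightsubnet) and the absent PSK; with `FIXED_SECRETS` the PSK findings disappear and only the subnet ones remain, which is the order in which the two replies above would have you address them.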

