[strongSwan] Can not establish ipsec tunnel between racoon and strongswan(pluto)

Andreas Steffen andreas.steffen at strongswan.org
Fri Mar 26 06:16:19 CET 2010


Hi,
just have a look at the following error message and you'll know what
to configure:

cannot respond to IPsec SA request because no connection is known for
192.168.1.159:4500[192.168.1.159]:17/1701...192.168.1.170:4500[192.168.0.4]:17/0===192.168.0.4/32

conn rw
    left=192.168.1.159
    leftprotoport=17/1701
    leftfirewall=yes
    right=%any
    rightprotoport=17/0
    rightsubnetwithin=192.168.0.0/24
    authby=secret
    auto=add

Here I assumed that all roadwarriors have an internal address in the
range 192.168.0.0/24.

Regards

Andreas

Xia Weizhong wrote:
> Hi
> 
> I am trying to set up an L2TP/IPsec tunnel between Android (which
> uses racoon 1) and my server (strongSwan 4.3.5 + xl2tpd). Yet I got the
> errors below:
> 
> Mar 26 09:37:09 xia-laptop pluto[6695]: "rw"[1] 192.168.1.170 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
> Mar 26 09:37:09 xia-laptop pluto[6695]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
> Mar 26 09:37:09 xia-laptop pluto[6695]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Mar 26 09:37:09 xia-laptop pluto[6695]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> Mar 26 09:37:19 xia-laptop pluto[6695]: |
> Mar 26 09:37:19 xia-laptop pluto[6695]: | *received 228 bytes from 192.168.1.170:500 on eth1
> Mar 26 09:37:19 xia-laptop pluto[6695]: | ICOOKIE:  04 8d e9 35  55 9d 65 a0
> Mar 26 09:37:19 xia-laptop pluto[6695]: | RCOOKIE:  10 01 8b fc  fc 8e fc d7
> Mar 26 09:37:19 xia-laptop pluto[6695]: | peer:  c0 a8 01 aa
> Mar 26 09:37:19 xia-laptop pluto[6695]: | state hash entry 30
> Mar 26 09:37:19 xia-laptop pluto[6695]: | state object #1 found, in STATE_MAIN_R2
> Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[1] 192.168.1.170 #1: discarding duplicate packet; already STATE_MAIN_R2
> Mar 26 09:37:19 xia-laptop pluto[6695]: | next event EVENT_RETRANSMIT in 0 seconds for #1
> Mar 26 09:37:19 xia-laptop pluto[6695]: |
> Mar 26 09:37:19 xia-laptop pluto[6695]: | *time to handle event
> Mar 26 09:37:19 xia-laptop pluto[6695]: | event after this is EVENT_NAT_T_KEEPALIVE in 10 seconds
> Mar 26 09:37:19 xia-laptop pluto[6695]: | handling event EVENT_RETRANSMIT for 192.168.1.170 "rw" #1
> Mar 26 09:37:19 xia-laptop pluto[6695]: | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
> Mar 26 09:37:19 xia-laptop pluto[6695]: | next event EVENT_NAT_T_KEEPALIVE in 10 seconds
> Mar 26 09:37:19 xia-laptop pluto[6695]: |
> Mar 26 09:37:19 xia-laptop pluto[6695]: | *received 76 bytes from 192.168.1.170:4500 on eth1
> Mar 26 09:37:19 xia-laptop pluto[6695]: | ICOOKIE:  04 8d e9 35  55 9d 65 a0
> Mar 26 09:37:19 xia-laptop pluto[6695]: | RCOOKIE:  10 01 8b fc  fc 8e fc d7
> Mar 26 09:37:19 xia-laptop pluto[6695]: | peer:  c0 a8 01 aa
> Mar 26 09:37:19 xia-laptop pluto[6695]: | state hash entry 30
> Mar 26 09:37:19 xia-laptop pluto[6695]: | state object #1 found, in STATE_MAIN_R2
> Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[1] 192.168.1.170 #1: Peer ID is ID_IPV4_ADDR: '192.168.0.4'
> Mar 26 09:37:19 xia-laptop pluto[6695]: | peer CA:      %none
> Mar 26 09:37:19 xia-laptop pluto[6695]: | offered CA:   %none
> Mar 26 09:37:19 xia-laptop pluto[6695]: | switched from "rw" to "rw"
> Mar 26 09:37:19 xia-laptop pluto[6695]: | instantiated "rw" for 192.168.1.170
> Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170 #1: deleting connection "rw" instance with peer 192.168.1.170 {isakmp=#0/ipsec=#0}
> Mar 26 09:37:19 xia-laptop pluto[6695]: | NAT-T: new mapping 192.168.1.170:500/4500)
> Mar 26 09:37:19 xia-laptop pluto[6695]: | inserting event EVENT_SA_REPLACE, timeout in 10530 seconds for #1
> Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170:4500 #1: sent MR3, ISAKMP SA established
> Mar 26 09:37:19 xia-laptop pluto[6695]: | next event EVENT_NAT_T_KEEPALIVE in 10 seconds
> Mar 26 09:37:19 xia-laptop pluto[6695]: |
> Mar 26 09:37:19 xia-laptop pluto[6695]: | *received 92 bytes from 192.168.1.170:4500 on eth1
> Mar 26 09:37:19 xia-laptop pluto[6695]: | ICOOKIE:  04 8d e9 35  55 9d 65 a0
> Mar 26 09:37:19 xia-laptop pluto[6695]: | RCOOKIE:  10 01 8b fc  fc 8e fc d7
> Mar 26 09:37:19 xia-laptop pluto[6695]: | peer:  c0 a8 01 aa
> Mar 26 09:37:19 xia-laptop pluto[6695]: | state hash entry 30
> Mar 26 09:37:19 xia-laptop pluto[6695]: | state object #1 found, in STATE_MAIN_R3
> Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170:4500 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Mar 26 09:37:19 xia-laptop pluto[6695]: | next event EVENT_NAT_T_KEEPALIVE in 10 seconds
> Mar 26 09:37:20 xia-laptop pluto[6695]: |
> Mar 26 09:37:20 xia-laptop pluto[6695]: | *received 284 bytes from 192.168.1.170:4500 on eth1
> Mar 26 09:37:20 xia-laptop pluto[6695]: | ICOOKIE:  04 8d e9 35  55 9d 65 a0
> Mar 26 09:37:20 xia-laptop pluto[6695]: | RCOOKIE:  10 01 8b fc  fc 8e fc d7
> Mar 26 09:37:20 xia-laptop pluto[6695]: | peer:  c0 a8 01 aa
> Mar 26 09:37:20 xia-laptop pluto[6695]: | state hash entry 30
> Mar 26 09:37:20 xia-laptop pluto[6695]: | state object not found
> Mar 26 09:37:20 xia-laptop pluto[6695]: | ICOOKIE:  04 8d e9 35  55 9d 65 a0
> Mar 26 09:37:20 xia-laptop pluto[6695]: | RCOOKIE:  10 01 8b fc  fc 8e fc d7
> Mar 26 09:37:20 xia-laptop pluto[6695]: | peer:  c0 a8 01 aa
> Mar 26 09:37:20 xia-laptop pluto[6695]: | state hash entry 30
> Mar 26 09:37:20 xia-laptop pluto[6695]: | state object #1 found, in STATE_MAIN_R3
> Mar 26 09:37:20 xia-laptop pluto[6695]: | peer client is 192.168.0.4
> Mar 26 09:37:20 xia-laptop pluto[6695]: | peer client protocol/port is 17/0
> Mar 26 09:37:20 xia-laptop pluto[6695]: | our client is 192.168.1.159
> Mar 26 09:37:20 xia-laptop pluto[6695]: | our client protocol/port is 17/1701
> Mar 26 09:37:20 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170:4500 #1: cannot respond to IPsec SA request because no connection is known for 192.168.1.159:4500[192.168.1.159]:17/1701...192.168.1.170:4500[192.168.0.4]:17/0===192.168.0.4/32
> Mar 26 09:37:20 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.170:4500
> Mar 26 09:37:20 xia-laptop pluto[6695]: | state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
> 
> 
> Can somebody help me figure out which configuration I got wrong? Below is my
> ipsec.conf:
> 
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
>     crlcheckinterval=180
>     nat_traversal=yes
>     strictcrlpolicy=no
>     plutodebug=control
>     charonstart=no
> 
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
> 
> conn rw
>     left=192.168.1.159
>     leftsubnet=10.1.0.0/16
>     leftfirewall=yes
>     right=%any
>     authby=secret
>     auto=add
> 
> thanks, Xia Weizhong
> 

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
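The exchange above comes down to one lookup: when the Android client sends its Quick Mode proposal, pluto has to find a conn whose traffic selectors cover it, and "no connection is known for ..." means none did. The script below is an added example (my own code, not strongSwan's or pluto's) that parses that logged proposal and runs both conn definitions from the thread through a simplified version of the lookup. The matching rules are my assumption of how pluto decides, not taken from its source: the protocol in the conn must equal the proposed one, a conn port of 0 accepts any port, a side without a subnet means the host address itself, and rightsubnetwithin accepts any peer subnet that lies inside it. The proposal string and the two conn snippets are copied from the messages above.

```python
"""Toy re-implementation of the Quick Mode traffic-selector lookup behind
pluto's "cannot respond to IPsec SA request because no connection is known
for ..." message.  Added example for this thread, not strongSwan/pluto code.
Matching rules are a simplification and an assumption about pluto: protocol
must be identical, a conn port of 0 is a wildcard, a side without a subnet
means the host itself, rightsubnetwithin accepts any subnet inside it."""
import ipaddress
import re

# Shape of the proposal pluto logs (left side first):
#   [lclient===]lhost:port[lid]:proto/port...rhost:port[rid]:proto/port[===rclient]
PROPOSAL_RE = re.compile(
    r"^(?:(?P<lclient>[\d./]+)===)?"
    r"(?P<lhost>[\d.]+):\d+\[[^\]]*\]:(?P<lproto>\d+)/(?P<lport>\d+)"
    r"\.\.\."
    r"(?P<rhost>[\d.]+):\d+\[[^\]]*\]:(?P<rproto>\d+)/(?P<rport>\d+)"
    r"(?:===(?P<rclient>[\d./]+))?$")

# The proposal from the log in the thread, and the two conn definitions.
PROPOSAL = ("192.168.1.159:4500[192.168.1.159]:17/1701"
            "...192.168.1.170:4500[192.168.0.4]:17/0===192.168.0.4/32")
ORIGINAL_CONF = """conn rw
    left=192.168.1.159
    leftsubnet=10.1.0.0/16
    leftfirewall=yes
    right=%any
    authby=secret
    auto=add
"""
FIXED_CONF = """conn rw
    left=192.168.1.159
    leftprotoport=17/1701
    leftfirewall=yes
    right=%any
    rightprotoport=17/0
    rightsubnetwithin=192.168.0.0/24
    authby=secret
    auto=add
"""

def parse_conns(text):
    """Minimal ipsec.conf reader: {conn_name: {key: value}} for conn sections."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return conns

def parse_proposal(text):
    """(our_client, our_protoport, peer_host, peer_client, peer_protoport)."""
    m = PROPOSAL_RE.match(text)
    if not m:
        raise ValueError("unrecognised proposal: " + text)
    return (ipaddress.ip_network(m["lclient"] or m["lhost"] + "/32"),
            (int(m["lproto"]), int(m["lport"])),
            m["rhost"],
            ipaddress.ip_network(m["rclient"] or m["rhost"] + "/32"),
            (int(m["rproto"]), int(m["rport"])))

def protoport(value):
    """'17/1701' -> (17, 1701); an unset protoport is protocol 0, port 0."""
    if not value:
        return (0, 0)
    proto, port = value.split("/")
    return (int(proto), int(port))

def protoport_ok(conn_pp, proposed_pp):
    """Protocol must be identical; a conn port of 0 is a wildcard."""
    return conn_pp[0] == proposed_pp[0] and conn_pp[1] in (0, proposed_pp[1])

def client_ok(proposed, host, subnet, within):
    """Which client network a conn side is willing to negotiate."""
    if within:
        return proposed.subnet_of(ipaddress.ip_network(within))
    if subnet:
        return proposed == ipaddress.ip_network(subnet)
    return proposed == ipaddress.ip_network(host + "/32")

def find_connection(conns, proposal):
    """Name of the first conn covering the proposal (or None) and, per
    rejected conn, the list of selectors that did not match."""
    our_client, our_pp, peer_host, peer_client, peer_pp = parse_proposal(proposal)
    rejected = {}
    for name, c in conns.items():
        problems = []
        if not client_ok(our_client, c["left"], c.get("leftsubnet"), c.get("leftsubnetwithin")):
            problems.append("our client %s vs left side" % our_client)
        if not protoport_ok(protoport(c.get("leftprotoport")), our_pp):
            problems.append("our protoport %d/%d vs leftprotoport" % our_pp)
        if not client_ok(peer_client, peer_host, c.get("rightsubnet"), c.get("rightsubnetwithin")):
            problems.append("peer client %s vs right side" % peer_client)
        if not protoport_ok(protoport(c.get("rightprotoport")), peer_pp):
            problems.append("peer protoport %d/%d vs rightprotoport" % peer_pp)
        if not problems:
            return name, rejected
        rejected[name] = problems
    return None, rejected

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(label, find_connection(parse_conns(conf), PROPOSAL))
```

Run it and the original conn is rejected on all four selectors: leftsubnet=10.1.0.0/16 does not contain the gateway's own address that the client asked for, no leftprotoport means protocol 0 rather than UDP, the peer client 192.168.0.4/32 is not the NATed peer's outer address 192.168.1.170, and no rightprotoport again means protocol 0. The suggested conn clears all four, which is why the only "fix" is to describe the selectors the L2TP client will actually propose (UDP 1701 on the gateway, UDP any port from the client's inside address, with rightsubnetwithin wide enough for every roadwarrior's private address). Note that rightsubnetwithin is also a security boundary: any /32 inside it is accepted as the peer's client, so keep it as narrow as your roadwarriors' address plan allows.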