[strongSwan] Can not establish ipsec tunnel between racoon and strongswan(pluto)
Andreas Steffen
andreas.steffen at strongswan.org
Fri Mar 26 06:16:19 CET 2010
Hi,
just have a look at the following error message and you'll know what
to configure:

  cannot respond to IPsec SA request because no connection is known for
  192.168.1.159:4500[192.168.1.159]:17/1701...192.168.1.170:4500[192.168.0.4]:17/0===192.168.0.4/32

conn rw
        left=192.168.1.159
        leftprotoport=17/1701
        leftfirewall=yes
        right=%any
        rightprotoport=17/0
        rightsubnetwithin=192.168.0.0/24
        authby=secret
        auto=add

Here I assumed that all roadwarriors have an internal address in the
range 192.168.0.0/24.
Regards
Andreas
Xia Weizhong wrote:
> Hi
>
> I am trying to set up an l2tp/ipsec tunnel between Android (which
> uses racoon 1) and my server (strong 4.3.5 + xl2tpd). Yet I met the
> errors below:
>
> Mar 26 09:37:09 xia-laptop pluto[6695]: "rw"[1] 192.168.1.170 #1:
> NAT-Traversal: Result using RFC 3947: peer is NATed
> Mar 26 09:37:09 xia-laptop pluto[6695]: | inserting event
> EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
> Mar 26 09:37:09 xia-laptop pluto[6695]: | inserting event
> EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Mar 26 09:37:09 xia-laptop pluto[6695]: | next event EVENT_RETRANSMIT in
> 10 seconds for #1
> Mar 26 09:37:19 xia-laptop pluto[6695]: |
> Mar 26 09:37:19 xia-laptop pluto[6695]: | *received 228 bytes from
> 192.168.1.170:500 on eth1
> Mar 26 09:37:19 xia-laptop pluto[6695]: | ICOOKIE: 04 8d e9 35 55 9d 65 a0
> Mar 26 09:37:19 xia-laptop pluto[6695]: | RCOOKIE: 10 01 8b fc fc 8e fc d7
> Mar 26 09:37:19 xia-laptop pluto[6695]: | peer: c0 a8 01 aa
> Mar 26 09:37:19 xia-laptop pluto[6695]: | state hash entry 30
> Mar 26 09:37:19 xia-laptop pluto[6695]: | state object #1 found, in
> STATE_MAIN_R2
> Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[1] 192.168.1.170 #1:
> discarding duplicate packet; already STATE_MAIN_R2
> Mar 26 09:37:19 xia-laptop pluto[6695]: | next event EVENT_RETRANSMIT in
> 0 seconds for #1
> Mar 26 09:37:19 xia-laptop pluto[6695]: |
> Mar 26 09:37:19 xia-laptop pluto[6695]: | *time to handle event
> Mar 26 09:37:19 xia-laptop pluto[6695]: | event after this is
> EVENT_NAT_T_KEEPALIVE in 10 seconds
> Mar 26 09:37:19 xia-laptop pluto[6695]: | handling event
> EVENT_RETRANSMIT for 192.168.1.170 "rw" #1
> Mar 26 09:37:19 xia-laptop pluto[6695]: | inserting event
> EVENT_RETRANSMIT, timeout in 20 seconds for #1
> Mar 26 09:37:19 xia-laptop pluto[6695]: | next event
> EVENT_NAT_T_KEEPALIVE in 10 seconds
> Mar 26 09:37:19 xia-laptop pluto[6695]: |
> Mar 26 09:37:19 xia-laptop pluto[6695]: | *received 76 bytes from
> 192.168.1.170:4500 on eth1
> Mar 26 09:37:19 xia-laptop pluto[6695]: | ICOOKIE: 04 8d e9 35 55 9d 65 a0
> Mar 26 09:37:19 xia-laptop pluto[6695]: | RCOOKIE: 10 01 8b fc fc 8e fc d7
> Mar 26 09:37:19 xia-laptop pluto[6695]: | peer: c0 a8 01 aa
> Mar 26 09:37:19 xia-laptop pluto[6695]: | state hash entry 30
> Mar 26 09:37:19 xia-laptop pluto[6695]: | state object #1 found, in
> STATE_MAIN_R2
> Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[1] 192.168.1.170 #1: Peer
> ID is ID_IPV4_ADDR: '192.168.0.4'
> Mar 26 09:37:19 xia-laptop pluto[6695]: | peer CA: %none
> Mar 26 09:37:19 xia-laptop pluto[6695]: | offered CA: %none
> Mar 26 09:37:19 xia-laptop pluto[6695]: | switched from "rw" to "rw"
> Mar 26 09:37:19 xia-laptop pluto[6695]: | instantiated "rw" for
> 192.168.1.170
> Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170 #1:
> deleting connection "rw" instance with peer 192.168.1.170
> {isakmp=#0/ipsec=#0}
> Mar 26 09:37:19 xia-laptop pluto[6695]: | NAT-T: new mapping
> 192.168.1.170:500/4500)
> Mar 26 09:37:19 xia-laptop pluto[6695]: | inserting event
> EVENT_SA_REPLACE, timeout in 10530 seconds for #1
> Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170:4500
> #1: sent MR3, ISAKMP SA established
> Mar 26 09:37:19 xia-laptop pluto[6695]: | next event
> EVENT_NAT_T_KEEPALIVE in 10 seconds
> Mar 26 09:37:19 xia-laptop pluto[6695]: |
> Mar 26 09:37:19 xia-laptop pluto[6695]: | *received 92 bytes from
> 192.168.1.170:4500 on eth1
> Mar 26 09:37:19 xia-laptop pluto[6695]: | ICOOKIE: 04 8d e9 35 55 9d 65 a0
> Mar 26 09:37:19 xia-laptop pluto[6695]: | RCOOKIE: 10 01 8b fc fc 8e fc d7
> Mar 26 09:37:19 xia-laptop pluto[6695]: | peer: c0 a8 01 aa
> Mar 26 09:37:19 xia-laptop pluto[6695]: | state hash entry 30
> Mar 26 09:37:19 xia-laptop pluto[6695]: | state object #1 found, in
> STATE_MAIN_R3
> Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170:4500
> #1: ignoring informational payload, type
> IPSEC_INITIAL_CONTACT
> Mar 26 09:37:19 xia-laptop pluto[6695]: | next event
> EVENT_NAT_T_KEEPALIVE in 10 seconds
> Mar 26 09:37:20 xia-laptop pluto[6695]: |
> Mar 26 09:37:20 xia-laptop pluto[6695]: | *received 284 bytes from
> 192.168.1.170:4500 on eth1
> Mar 26 09:37:20 xia-laptop pluto[6695]: | ICOOKIE: 04 8d e9 35 55 9d 65 a0
> Mar 26 09:37:20 xia-laptop pluto[6695]: | RCOOKIE: 10 01 8b fc fc 8e fc d7
> Mar 26 09:37:20 xia-laptop pluto[6695]: | peer: c0 a8 01 aa
> Mar 26 09:37:20 xia-laptop pluto[6695]: | state hash entry 30
> Mar 26 09:37:20 xia-laptop pluto[6695]: | state object not found
> Mar 26 09:37:20 xia-laptop pluto[6695]: | ICOOKIE: 04 8d e9 35 55 9d 65 a0
> Mar 26 09:37:20 xia-laptop pluto[6695]: | RCOOKIE: 10 01 8b fc fc 8e fc d7
> Mar 26 09:37:20 xia-laptop pluto[6695]: | peer: c0 a8 01 aa
> Mar 26 09:37:20 xia-laptop pluto[6695]: | state hash entry 30
> Mar 26 09:37:20 xia-laptop pluto[6695]: | state object #1 found, in
> STATE_MAIN_R3
> Mar 26 09:37:20 xia-laptop pluto[6695]: | peer client is 192.168.0.4
> Mar 26 09:37:20 xia-laptop pluto[6695]: | peer client protocol/port is 17/0
> Mar 26 09:37:20 xia-laptop pluto[6695]: | our client is 192.168.1.159
> Mar 26 09:37:20 xia-laptop pluto[6695]: | our client protocol/port is
> 17/1701
> Mar 26 09:37:20 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170:4500
> #1: cannot respond to IPsec SA request
> because no connection is known for
> 192.168.1.159:4500[192.168.1.159]:17/1701...192.168.1.170:4500[192.168.0.4]:17/0===192.168.0.4/32
> Mar 26 09:37:20 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170:4500
> #1: sending encrypted notification
> INVALID_ID_INFORMATION to 192.168.1.170:4500
> Mar 26 09:37:20 xia-laptop pluto[6695]: | state transition function for
> STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
>
>
> Can somebody help me find which configuration I made wrong? Below is my
> ipsec.conf
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         crlcheckinterval=180
>         nat_traversal=yes
>         strictcrlpolicy=no
>         plutodebug=control
>         charonstart=no
>
> conn %default%
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>
> conn rw
>         left=192.168.1.159
>         leftsubnet=10.1.0.0/16
>         leftfirewall=yes
>         right=%any
>         authby=secret
>         auto=add
>
> thanks, Xia Weizhong
>
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
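
Added example (not part of the original thread, and not strongSwan code): a small Python sketch that parses the "no connection is known for" line from the log above and reports which conn keywords fail to cover the selectors the peer proposed, run against the original conn and the corrected one. The comparison rules are a simplified model and an assumption of this sketch (for instance, a missing protoport is treated as 0/0); the function names and the dict layout are hypothetical.

```python
import ipaddress
import re

# Error line taken from the log on this page.
LOG_LINE = ('cannot respond to IPsec SA request because no connection is known for '
            '192.168.1.159:4500[192.168.1.159]:17/1701...'
            '192.168.1.170:4500[192.168.0.4]:17/0===192.168.0.4/32')

# One tunnel end: host:ikeport[id]:proto/port
END = r'(?P<{0}host>[\d.]+):\d+\[(?P<{0}id>[^\]]+)\]:(?P<{0}proto>\d+)/(?P<{0}port>\d+)'
PATTERN = re.compile(r'known for (?:(?P<lnet>[\d./]+)===)?' + END.format('l')
                     + r'\.\.\.' + END.format('r') + r'(?:===(?P<rnet>[\d./]+))?')

# The two conn sections from this thread, as dicts (constructed for the example).
ORIGINAL_CONN = {'left': '192.168.1.159', 'leftsubnet': '10.1.0.0/16', 'right': '%any'}
FIXED_CONN = {'left': '192.168.1.159', 'leftprotoport': '17/1701', 'right': '%any',
              'rightprotoport': '17/0', 'rightsubnetwithin': '192.168.0.0/24'}

def parse_request(line):
    """Extract the traffic selectors the peer proposed in Quick Mode."""
    m = PATTERN.search(line).groupdict()
    return {
        # Without a "client===" part, the client is the host itself (/32).
        'left_net': ipaddress.ip_network(m['lnet'] or m['lhost'] + '/32'),
        'right_net': ipaddress.ip_network(m['rnet'] or m['rhost'] + '/32'),
        'peer_host': ipaddress.ip_network(m['rhost'] + '/32'),
        'leftprotoport': f"{m['lproto']}/{m['lport']}",
        'rightprotoport': f"{m['rproto']}/{m['rport']}",
    }

def mismatches(conn, req):
    """Return the conn keywords whose value does not cover the request."""
    bad = []
    left = ipaddress.ip_network(conn.get('leftsubnet', conn['left'] + '/32'))
    if left != req['left_net']:
        bad.append('leftsubnet')
    for key in ('leftprotoport', 'rightprotoport'):
        if conn.get(key, '0/0') != req[key]:   # assumption: unset means 0/0
            bad.append(key)
    within = conn.get('rightsubnetwithin')
    # Assumption: with no right-side subnet, only the peer's own address is accepted.
    allowed = ipaddress.ip_network(within) if within else req['peer_host']
    if not req['right_net'].subnet_of(allowed):
        bad.append('rightsubnetwithin')
    return bad

if __name__ == '__main__':
    request = parse_request(LOG_LINE)
    print('original conn:', mismatches(ORIGINAL_CONN, request))
    print('fixed conn:   ', mismatches(FIXED_CONN, request))
```
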