[strongSwan] cannot respond to IPsec SA request because no connection is known
Micah Anderson
micah at riseup.net
Sun Jul 10 07:44:57 CEST 2011
Hi,
For some reason that I do not understand, I'm getting:
Jul 9 22:37:41 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: cannot respond to IPsec SA request because no connection is known for 198.252.153.38:4500[198.252.153.38]:17/1701...208.54.45.249:58920[26.164.21.104]:17/%any==={26.164.21.104/32}
My configuration is below, along with a log and the results from 'ipsec
statusall' - I would very much appreciate any pointers to what I am
missing!
thanks,
micah
config setup
nat_traversal=yes
charonstart=no
plutostart=yes
plutodebug=control
left=198.252.153.38
conn l2tp-psk
authby=secret
pfs=no
compress=no
rekey=no
keyexchange=ikev1
keyingtries=3
type=transport
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
auto=add
Jul 9 22:37:28 kestrel pluto[3901]: Starting IKEv1 pluto daemon (strongSwan 4.5.0) THREADS SMARTCARD VENDORID
Jul 9 22:37:28 kestrel pluto[3901]: listening on interfaces:
Jul 9 22:37:28 kestrel pluto[3901]: eth0
Jul 9 22:37:28 kestrel pluto[3901]: 198.252.153.38
Jul 9 22:37:28 kestrel pluto[3901]: fe80::216:3eff:fe9f:e58b
Jul 9 22:37:28 kestrel pluto[3901]: eth1
Jul 9 22:37:28 kestrel pluto[3901]: 10.0.1.81
Jul 9 22:37:28 kestrel pluto[3901]: fe80::216:3eff:fe8a:458d
Jul 9 22:37:28 kestrel pluto[3901]: tun0
Jul 9 22:37:28 kestrel pluto[3901]: 172.27.0.1
Jul 9 22:37:28 kestrel pluto[3901]: tun1
Jul 9 22:37:28 kestrel pluto[3901]: 172.27.100.1
Jul 9 22:37:28 kestrel pluto[3901]: loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
Jul 9 22:37:28 kestrel pluto[3901]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Jul 9 22:37:28 kestrel pluto[3901]: including NAT-Traversal patch (Version 0.6c)
Jul 9 22:37:28 kestrel pluto[3901]: | pkcs11 module '/usr/lib/opensc-pkcs11.so' loading...
Jul 9 22:37:28 kestrel pluto[3901]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
Jul 9 22:37:28 kestrel ipsec_starter[3900]: pluto (3901) started after 20 ms
Jul 9 22:37:28 kestrel pluto[3901]: loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 9 22:37:28 kestrel pluto[3901]: loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 9 22:37:28 kestrel pluto[3901]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
Jul 9 22:37:28 kestrel pluto[3901]: Changing to directory '/etc/ipsec.d/crls'
Jul 9 22:37:28 kestrel pluto[3901]: loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 9 22:37:28 kestrel pluto[3901]: spawning 4 worker threads
Jul 9 22:37:28 kestrel pluto[3901]: | inserting event EVENT_LOG_DAILY, timeout in 4952 seconds
Jul 9 22:37:28 kestrel pluto[3901]: | next event EVENT_REINIT_SECRET in 3600 seconds
Jul 9 22:37:28 kestrel pluto[3901]: |
Jul 9 22:37:28 kestrel pluto[3901]: | *received whack message
Jul 9 22:37:28 kestrel pluto[3901]: listening for IKE messages
Jul 9 22:37:28 kestrel pluto[3901]: | found lo with address 127.0.0.1
Jul 9 22:37:28 kestrel pluto[3901]: | found eth0 with address 198.252.153.38
Jul 9 22:37:28 kestrel pluto[3901]: | found eth1 with address 10.0.1.81
Jul 9 22:37:28 kestrel pluto[3901]: | found tun0 with address 172.27.0.1
Jul 9 22:37:28 kestrel pluto[3901]: | found tun1 with address 172.27.100.1
Jul 9 22:37:28 kestrel pluto[3901]: adding interface tun1/tun1 172.27.100.1:500
Jul 9 22:37:28 kestrel pluto[3901]: adding interface tun1/tun1 172.27.100.1:4500
Jul 9 22:37:28 kestrel pluto[3901]: adding interface tun0/tun0 172.27.0.1:500
Jul 9 22:37:28 kestrel pluto[3901]: adding interface tun0/tun0 172.27.0.1:4500
Jul 9 22:37:28 kestrel pluto[3901]: adding interface eth1/eth1 10.0.1.81:500
Jul 9 22:37:28 kestrel pluto[3901]: adding interface eth1/eth1 10.0.1.81:4500
Jul 9 22:37:28 kestrel pluto[3901]: adding interface eth0/eth0 198.252.153.38:500
Jul 9 22:37:28 kestrel pluto[3901]: adding interface eth0/eth0 198.252.153.38:4500
Jul 9 22:37:28 kestrel pluto[3901]: adding interface lo/lo 127.0.0.1:500
Jul 9 22:37:28 kestrel pluto[3901]: adding interface lo/lo 127.0.0.1:4500
Jul 9 22:37:28 kestrel pluto[3901]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Jul 9 22:37:28 kestrel pluto[3901]: adding interface lo/lo ::1:500
Jul 9 22:37:28 kestrel pluto[3901]: loading secrets from "/etc/ipsec.secrets"
Jul 9 22:37:28 kestrel pluto[3901]: loaded PSK secret for %any %any
Jul 9 22:37:28 kestrel pluto[3901]: loaded PSK secret for 198.252.153.38 %any
Jul 9 22:37:28 kestrel pluto[3901]: | next event EVENT_REINIT_SECRET in 3600 seconds
Jul 9 22:37:28 kestrel pluto[3901]: |
Jul 9 22:37:28 kestrel pluto[3901]: | *received whack message
Jul 9 22:37:28 kestrel pluto[3901]: | from whack: got --esp=aes128-sha1,3des-sha1
Jul 9 22:37:28 kestrel pluto[3901]: | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
Jul 9 22:37:28 kestrel pluto[3901]: | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
Jul 9 22:37:28 kestrel pluto[3901]: | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
Jul 9 22:37:28 kestrel pluto[3901]: added connection description "l2tp-psk"
Jul 9 22:37:28 kestrel pluto[3901]: | {0.0.0.0/0}===198.252.153.38[198.252.153.38]:17/1701...%any[%any]:17/%any==={0.0.0.0/0}
Jul 9 22:37:28 kestrel pluto[3901]: | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy: PSK+ENCRYPT+DONTREKEY
Jul 9 22:37:28 kestrel pluto[3901]: | next event EVENT_REINIT_SECRET in 3600 seconds
Jul 9 22:37:39 kestrel pluto[3901]: |
Jul 9 22:37:39 kestrel pluto[3901]: | *received 352 bytes from 208.54.45.249:50460 on eth0
Jul 9 22:37:39 kestrel pluto[3901]: packet from 208.54.45.249:50460: received Vendor ID payload [RFC 3947]
Jul 9 22:37:39 kestrel pluto[3901]: packet from 208.54.45.249:50460: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul 9 22:37:39 kestrel pluto[3901]: packet from 208.54.45.249:50460: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 9 22:37:39 kestrel pluto[3901]: packet from 208.54.45.249:50460: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 9 22:37:39 kestrel pluto[3901]: packet from 208.54.45.249:50460: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jul 9 22:37:39 kestrel pluto[3901]: | preparse_isakmp_policy: peer requests PSK authentication
Jul 9 22:37:39 kestrel pluto[3901]: | instantiated "l2tp-psk" for 208.54.45.249
Jul 9 22:37:39 kestrel pluto[3901]: | creating state object #1 at 0xb94cefd0
Jul 9 22:37:39 kestrel pluto[3901]: | ICOOKIE: 6b b1 cb 6e 7c fd 4e f2
Jul 9 22:37:39 kestrel pluto[3901]: | RCOOKIE: 1b d3 e9 ae b0 9f e3 5b
Jul 9 22:37:39 kestrel pluto[3901]: | peer: d0 36 2d f9
Jul 9 22:37:39 kestrel pluto[3901]: | state hash entry 10
Jul 9 22:37:39 kestrel pluto[3901]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Jul 9 22:37:39 kestrel pluto[3901]: "l2tp-psk"[1] 208.54.45.249:50460 #1: responding to Main Mode from unknown peer 208.54.45.249:50460
Jul 9 22:37:39 kestrel pluto[3901]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Jul 9 22:37:39 kestrel pluto[3901]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Jul 9 22:37:40 kestrel pluto[3901]: |
Jul 9 22:37:40 kestrel pluto[3901]: | *received 228 bytes from 208.54.45.249:50460 on eth0
Jul 9 22:37:40 kestrel pluto[3901]: | ICOOKIE: 6b b1 cb 6e 7c fd 4e f2
Jul 9 22:37:40 kestrel pluto[3901]: | RCOOKIE: 1b d3 e9 ae b0 9f e3 5b
Jul 9 22:37:40 kestrel pluto[3901]: | peer: d0 36 2d f9
Jul 9 22:37:40 kestrel pluto[3901]: | state hash entry 10
Jul 9 22:37:40 kestrel pluto[3901]: | state object #1 found, in STATE_MAIN_R1
Jul 9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[1] 208.54.45.249:50460 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Jul 9 22:37:40 kestrel pluto[3901]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Jul 9 22:37:40 kestrel pluto[3901]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Jul 9 22:37:40 kestrel pluto[3901]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Jul 9 22:37:40 kestrel pluto[3901]: |
Jul 9 22:37:40 kestrel pluto[3901]: | *received 76 bytes from 208.54.45.249:58920 on eth0
Jul 9 22:37:40 kestrel pluto[3901]: | ICOOKIE: 6b b1 cb 6e 7c fd 4e f2
Jul 9 22:37:40 kestrel pluto[3901]: | RCOOKIE: 1b d3 e9 ae b0 9f e3 5b
Jul 9 22:37:40 kestrel pluto[3901]: | peer: d0 36 2d f9
Jul 9 22:37:40 kestrel pluto[3901]: | state hash entry 10
Jul 9 22:37:40 kestrel pluto[3901]: | state object #1 found, in STATE_MAIN_R2
Jul 9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[1] 208.54.45.249:50460 #1: Peer ID is ID_IPV4_ADDR: '26.164.21.104'
Jul 9 22:37:40 kestrel pluto[3901]: | peer CA: %none
Jul 9 22:37:40 kestrel pluto[3901]: | offered CA: %none
Jul 9 22:37:40 kestrel pluto[3901]: | switched from "l2tp-psk" to "l2tp-psk"
Jul 9 22:37:40 kestrel pluto[3901]: | instantiated "l2tp-psk" for 208.54.45.249
Jul 9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:50460 #1: deleting connection "l2tp-psk" instance with peer 208.54.45.249 {isakmp=#0/ipsec=#0}
Jul 9 22:37:40 kestrel pluto[3901]: | NAT-T: new mapping 208.54.45.249:50460/58920)
Jul 9 22:37:40 kestrel pluto[3901]: | inserting event EVENT_SA_EXPIRE, timeout in 28800 seconds for #1
Jul 9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: sent MR3, ISAKMP SA established
Jul 9 22:37:40 kestrel pluto[3901]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
Jul 9 22:37:40 kestrel pluto[3901]: |
Jul 9 22:37:40 kestrel pluto[3901]: | *received 92 bytes from 208.54.45.249:58920 on eth0
Jul 9 22:37:40 kestrel pluto[3901]: | ICOOKIE: 6b b1 cb 6e 7c fd 4e f2
Jul 9 22:37:40 kestrel pluto[3901]: | RCOOKIE: 1b d3 e9 ae b0 9f e3 5b
Jul 9 22:37:40 kestrel pluto[3901]: | peer: d0 36 2d f9
Jul 9 22:37:40 kestrel pluto[3901]: | state hash entry 10
Jul 9 22:37:40 kestrel pluto[3901]: | state object #1 found, in STATE_MAIN_R3
Jul 9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jul 9 22:37:40 kestrel pluto[3901]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
Jul 9 22:37:41 kestrel pluto[3901]: |
Jul 9 22:37:41 kestrel pluto[3901]: | *received 284 bytes from 208.54.45.249:58920 on eth0
Jul 9 22:37:41 kestrel pluto[3901]: | ICOOKIE: 6b b1 cb 6e 7c fd 4e f2
Jul 9 22:37:41 kestrel pluto[3901]: | RCOOKIE: 1b d3 e9 ae b0 9f e3 5b
Jul 9 22:37:41 kestrel pluto[3901]: | peer: d0 36 2d f9
Jul 9 22:37:41 kestrel pluto[3901]: | state hash entry 10
Jul 9 22:37:41 kestrel pluto[3901]: | state object not found
Jul 9 22:37:41 kestrel pluto[3901]: | ICOOKIE: 6b b1 cb 6e 7c fd 4e f2
Jul 9 22:37:41 kestrel pluto[3901]: | RCOOKIE: 1b d3 e9 ae b0 9f e3 5b
Jul 9 22:37:41 kestrel pluto[3901]: | peer: d0 36 2d f9
Jul 9 22:37:41 kestrel pluto[3901]: | state hash entry 10
Jul 9 22:37:41 kestrel pluto[3901]: | state object #1 found, in STATE_MAIN_R3
Jul 9 22:37:41 kestrel pluto[3901]: | peer client is 26.164.21.104
Jul 9 22:37:41 kestrel pluto[3901]: | peer client protocol/port is 17/0
Jul 9 22:37:41 kestrel pluto[3901]: | our client is 198.252.153.38
Jul 9 22:37:41 kestrel pluto[3901]: | our client protocol/port is 17/1701
Jul 9 22:37:41 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: cannot respond to IPsec SA request because no connection is known for 198.252.153.38:4500[198.252.153.38]:17/1701...208.54.45.249:58920[26.164.21.104]:17/%any==={26.164.21.104/32}
Jul 9 22:37:41 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: sending encrypted notification INVALID_ID_INFORMATION to 208.54.45.249:58920
Jul 9 22:37:41 kestrel pluto[3901]: | state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
Jul 9 22:37:41 kestrel pluto[3901]: | next event EVENT_NAT_T_KEEPALIVE in 19 seconds
Jul 9 22:37:51 kestrel pluto[3901]: |
Jul 9 22:37:51 kestrel pluto[3901]: | *received 284 bytes from 208.54.45.249:58920 on eth0
Jul 9 22:37:51 kestrel pluto[3901]: | ICOOKIE: 6b b1 cb 6e 7c fd 4e f2
Jul 9 22:37:51 kestrel pluto[3901]: | RCOOKIE: 1b d3 e9 ae b0 9f e3 5b
Jul 9 22:37:51 kestrel pluto[3901]: | peer: d0 36 2d f9
Jul 9 22:37:51 kestrel pluto[3901]: | state hash entry 10
Jul 9 22:37:51 kestrel pluto[3901]: | state object not found
Jul 9 22:37:51 kestrel pluto[3901]: | ICOOKIE: 6b b1 cb 6e 7c fd 4e f2
Jul 9 22:37:51 kestrel pluto[3901]: | RCOOKIE: 1b d3 e9 ae b0 9f e3 5b
Jul 9 22:37:51 kestrel pluto[3901]: | peer: d0 36 2d f9
Jul 9 22:37:51 kestrel pluto[3901]: | state hash entry 10
Jul 9 22:37:51 kestrel pluto[3901]: | state object #1 found, in STATE_MAIN_R3
Jul 9 22:37:51 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x49f91a9d (perhaps this is a duplicated packet)
Jul 9 22:37:51 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: sending encrypted notification INVALID_MESSAGE_ID to 208.54.45.249:58920
Jul 9 22:37:51 kestrel pluto[3901]: | next event EVENT_NAT_T_KEEPALIVE in 9 seconds
root@kestrel:/var/log# ipsec statusall
Jul 9 22:37:57 kestrel pluto[3901]: |
Jul 9 22:37:57 kestrel pluto[3901]: | *received whack message
Jul 9 22:37:57 kestrel pluto[3901]: | next event EVENT_NAT_T_KEEPALIVE in 3 seconds
000 Status of IKEv1 pluto daemon (strongSwan 4.5.0):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 198.252.153.38:4500
000 interface eth0/eth0 198.252.153.38:500
000 interface eth1/eth1 10.0.1.81:4500
000 interface eth1/eth1 10.0.1.81:500
000 interface tun0/tun0 172.27.0.1:4500
000 interface tun0/tun0 172.27.0.1:500
000 interface tun1/tun1 172.27.100.1:4500
000 interface tun1/tun1 172.27.100.1:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: control
000
000 "l2tp-psk": {0.0.0.0/0}===198.252.153.38[198.252.153.38]:17/1701...%any[%any]:17/%any==={0.0.0.0/0}; unrouted; eroute owner: #0
000 "l2tp-psk": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "l2tp-psk": policy: PSK+ENCRYPT+DONTREKEY; prio: 0,0; interface: eth0;
000 "l2tp-psk": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-psk"[2]: {0.0.0.0/0}===198.252.153.38:4500[198.252.153.38]:17/1701...208.54.45.249:58920[26.164.21.104]:17/%any==={0.0.0.0/0}; unrouted; eroute owner: #0
000 "l2tp-psk"[2]: ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "l2tp-psk"[2]: policy: PSK+ENCRYPT+DONTREKEY; prio: 0,0; interface: eth0;
000 "l2tp-psk"[2]: newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "l2tp-psk"[2]: IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000
000 #1: "l2tp-psk"[2] 208.54.45.249:58920 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28783s; newest ISAKMP
000
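Added example for this thread (not strongSwan's code or the poster's): a Python triage script that parses the connection descriptions pluto prints, compares the rejected Quick Mode request with the loaded "l2tp-psk" template field by field, and correlates it with the "peer is NATed" and "Peer ID" lines. The sample input is the relevant lines copied from the posted log; the finding codes, the wildcard rule and the containment check are this example's own choices.

```python
"""Structured triage of the pluto log lines in this thread (added example,
not strongSwan code). Turns the long "no connection is known for ..." line
into fields and explains which part of the request the template cannot cover."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant lines of the posted log, copied as they appear.
SAMPLE_LOG = """\
Jul 9 22:37:28 kestrel pluto[3901]: added connection description "l2tp-psk"
Jul 9 22:37:28 kestrel pluto[3901]: | {0.0.0.0/0}===198.252.153.38[198.252.153.38]:17/1701...%any[%any]:17/%any==={0.0.0.0/0}
Jul 9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[1] 208.54.45.249:50460 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Jul 9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[1] 208.54.45.249:50460 #1: Peer ID is ID_IPV4_ADDR: '26.164.21.104'
Jul 9 22:37:41 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: cannot respond to IPsec SA request because no connection is known for 198.252.153.38:4500[198.252.153.38]:17/1701...208.54.45.249:58920[26.164.21.104]:17/%any==={26.164.21.104/32}
"""

# One end of a pluto connection description: host[:natport][id]:proto/port
END = r"(?P<{p}host>[^\[\s]+)\[(?P<{p}id>[^\]]*)\]:(?P<{p}proto>\d+)/(?P<{p}port>%any|\d+)"
DESC_RE = re.compile(
    r"(?:\{(?P<lclient>[^}]*)\}===)?" + END.format(p="l")
    + r"\.\.\." + END.format(p="r")
    + r"(?:===\{(?P<rclient>[^}]*)\})?"
)
# Prefix pluto puts on per-state messages: "conn"[instance] peer #state: msg
MSG_RE = re.compile(r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Peer ID is (?P<type>\S+): '(?P<id>[^']+)'")
WILDCARD = "%any"


@dataclass
class Endpoint:
    host: str               # address, with ":port" when pluto shows the NAT-T port
    id: str                 # IKE identity printed in square brackets
    proto: str
    port: str               # "%any" or a port number
    client: Optional[str]   # traffic selector in braces, None when none was printed

    @property
    def address(self) -> str:
        return self.host.split(":")[0]


@dataclass
class Description:
    left: Endpoint
    right: Endpoint


@dataclass
class Facts:
    templates: Dict[str, Description] = field(default_factory=dict)
    nated: bool = False
    peer_id: Optional[str] = None
    failure: Optional[Description] = None
    failure_conn: Optional[str] = None


def parse_description(text: str) -> Optional[Description]:
    """Parse a pluto connection description anywhere inside a log line."""
    m = DESC_RE.search(text)
    if not m:
        return None
    g = m.groupdict()
    return Description(
        left=Endpoint(g["lhost"], g["lid"], g["lproto"], g["lport"], g["lclient"]),
        right=Endpoint(g["rhost"], g["rid"], g["rproto"], g["rport"], g["rclient"]),
    )


def unmatched_fields(template: Description, request: Description) -> List[str]:
    """Names of host/id/proto/port fields the template does not cover. A %any
    on the template side covers anything; client selectors are judged separately."""
    checks = {
        "left.address": (template.left.address, request.left.address),
        "left.proto": (template.left.proto, request.left.proto),
        "left.port": (template.left.port, request.left.port),
        "right.address": (template.right.address, request.right.address),
        "right.id": (template.right.id, request.right.id),
        "right.proto": (template.right.proto, request.right.proto),
        "right.port": (template.right.port, request.right.port),
    }
    return [name for name, (want, got) in checks.items() if want != WILDCARD and want != got]


def parse_log(text: str) -> Facts:
    """Collect the template description, NAT-T result, Peer ID and the failing request."""
    facts = Facts()
    pending_conn: Optional[str] = None
    for line in text.splitlines():
        _, _, body = line.partition("]: ")   # drop "Mon D HH:MM:SS host pluto[pid]: "
        if body.startswith("added connection description "):
            pending_conn = body.split('"')[1]   # the description follows on the next "|" line
            continue
        if pending_conn and body.startswith("| "):
            desc = parse_description(body)
            if desc:
                facts.templates[pending_conn] = desc
            pending_conn = None
            continue
        m = MSG_RE.match(body)
        if not m:
            continue
        msg = m.group("msg")
        if "peer is NATed" in msg:
            facts.nated = True
        pid = PEER_ID_RE.search(msg)
        if pid:
            facts.peer_id = pid.group("id")
        if msg.startswith("cannot respond to IPsec SA request"):
            facts.failure = parse_description(msg)
            facts.failure_conn = m.group("conn")
    return facts


def diagnose(facts: Facts) -> List[Tuple[str, str]]:
    """Correlate the parsed facts into (code, explanation) findings."""
    findings: List[Tuple[str, str]] = []
    fail = facts.failure
    if fail is None:
        return [("NO_FAILURE", "no 'cannot respond to IPsec SA request' line found")]
    peer_addr = fail.right.address
    template = facts.templates.get(facts.failure_conn or "")
    if template is not None:
        bad = unmatched_fields(template, fail)
        if bad:
            findings.append(("FIELD_MISMATCH", "request differs from template in: " + ", ".join(bad)))
        else:
            findings.append(("FIELDS_MATCH", "host, id, proto and port of the request all fit the "
                             "template; the rejection is about the proposed client selector"))
    if facts.nated and facts.peer_id and facts.peer_id != peer_addr:
        findings.append(("PEER_NATED", f"IKE packets arrive from {peer_addr} but the peer "
                         f"identifies itself as {facts.peer_id}"))
    if fail.right.client:
        net = ipaddress.ip_network(fail.right.client, strict=False)
        if ipaddress.ip_address(peer_addr) not in net:
            findings.append(("CLIENT_BEHIND_NAT", f"proposed right client {fail.right.client} does "
                             f"not contain the IKE peer address {peer_addr}: the peer asks for "
                             "protection of its inner address, which right=%any alone does not cover"))
    return findings


if __name__ == "__main__":
    for code, text in diagnose(parse_log(SAMPLE_LOG)):
        print(f"{code}: {text}")
```

Run on the sample, the script reports that every host, id, proto and port field of the request fits the template and that the only thing pluto cannot place is the proposed client 26.164.21.104/32, the address the NATed peer holds behind 208.54.45.249. That shape of failure is what the strongSwan ipsec.conf(5) option `left|rightsubnetwithin` addresses (the peer may propose any selector inside the given range); whether that is the right change for this particular setup is not settled by the thread.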