[strongSwan] cannot respond to IPsec SA request because no connection is known
Daniel Mentz
danielml+mailinglists.strongswan at sent.com
Sat Jul 16 06:49:58 CEST 2011
First of all, I had a look at the config you sent with your first
e-mail: You can't have a "left=198.252.153.38" under the "config setup"
section. You probably want to put that under "conn %default".
>>> For some reason that I do not understand, I'm getting:
>>>
>>> Jul 9 22:37:41 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: cannot respond to IPsec SA request because no connection is known for 198.252.153.38:4500[198.252.153.38]:17/1701...208.54.45.249:58920[26.164.21.104]:17/%any==={26.164.21.104/32}
Ok. So that's the error message you're getting. Compare this connection
description with the output of "ipsec statusall" you sent with your
first e-mail:
000 "l2tp-psk": {0.0.0.0/0}===198.252.153.38[198.252.153.38]:17/1701...%any[%any]:17/%any==={0.0.0.0/0}; unrouted; eroute owner: #0
For some reason I don't really understand, pluto says that you
configured a local and remote subnet of 0.0.0.0/0.
Second, your peer is sending the IP address 26.164.21.104 as its ID.
However, strongSwan expects the ID to be the same as the IP address from
which it receives the IKE packets. You could fix that with
rightid=26.164.21.104
or you could change the peer's config in such a way that it sends an ID
that matches its IP address.
When I add your connection description to /etc/ipsec.conf on my machine,
then this is the output I get from "ipsec statusall":
000 "l2tp-psk": 172.21.147.3[172.21.147.3]:17/1701---172.21.147.1...%any[%any]:17/%any; unrouted; eroute owner: #0
This is different from your output in the sense that it doesn't specify
the 0.0.0.0/0 subnets.
Please post your complete /etc/ipsec.conf file to make sure that we're
on the same page.
-Daniel
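
Added example (not part of the original message and not strongSwan code): a small Python helper that does the comparison suggested above, splitting the connection description from the "cannot respond" log line and the one from "ipsec statusall" into fields and listing where they differ. The field layout is inferred from the lines quoted in this message and handles IPv4 only; skipping a configured address of %any and fields absent from the configured line is a simplification, not pluto's matching logic.

```python
import re

SUBNET = re.compile(r"\{([^}]*)\}")
CORE = re.compile(r"^(?P<host>[^\[]+)\[(?P<id>[^\]]*)\]"
                  r"(?::(?P<proto>[^/]+)/(?P<port>.+))?$")

def parse_end(text):
    """Parse one end, e.g. '{net}===addr:ikeport[id]:proto/port---nexthop'."""
    m = SUBNET.search(text)
    subnet = m.group(1) if m else None
    core = SUBNET.sub("", text).replace("===", "")
    # Keep the 'addr[id]' part and drop a next-hop gateway joined with '---'.
    parts = [p for p in core.split("---") if "[" in p]
    m = CORE.match(parts[0]) if parts else None
    if not m:
        raise ValueError(f"unrecognised end: {text!r}")
    addr, _, ike_port = m.group("host").partition(":")
    return {"addr": addr, "ike_port": ike_port or None, "id": m.group("id"),
            "proto": m.group("proto"), "port": m.group("port"), "subnet": subnet}

def parse_description(desc):
    """Split 'left...right' (IPv4 only) and parse both ends."""
    left, sep, right = desc.strip().rstrip(";").partition("...")
    if not sep:
        raise ValueError("no '...' separator between the two ends")
    return {"left": parse_end(left), "right": parse_end(right)}

def diff(requested, configured):
    """Return {(end, field): (requested, configured)} for differing fields."""
    # Simplification: configured addr '%any' and unset fields are not reported.
    out = {}
    for end in ("left", "right"):
        for field, have in configured[end].items():
            want = requested[end][field]
            skip = have is None or (field == "addr" and have == "%any")
            if not skip and want != have:
                out[(end, field)] = (want, have)
    return out

# Both strings are copied from the log line and the statusall output above.
REQUESTED = ("198.252.153.38:4500[198.252.153.38]:17/1701..."
             "208.54.45.249:58920[26.164.21.104]:17/%any==={26.164.21.104/32}")
CONFIGURED = ("{0.0.0.0/0}===198.252.153.38[198.252.153.38]:17/1701..."
              "%any[%any]:17/%any==={0.0.0.0/0}")

if __name__ == "__main__":
    d = diff(parse_description(REQUESTED), parse_description(CONFIGURED))
    for key, (want, have) in d.items():
        print(key, "requested:", want, "configured:", have)
```

The fields it reports for these two lines are the peer ID and the subnets on both ends.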