[strongSwan] cannot respond to IPsec SA request because no connection is known

Ben Beuchler insyte at gmail.com
Fri Aug 17 00:17:06 CEST 2012


> Please try 5.0.0 as the pluto IKEv1 daemon of earlier releases has
> problems when it is behind a NAT (even 1:1) as responder.

Thanks.  I have compiled and installed 5.0.0 with the ipsec.conf
included below.  Now I have a new and exciting failure mode:


Aug 16 17:14:52 vpn0 charon: 12[IKE] received DPD vendor ID
Aug 16 17:14:52 vpn0 charon: 12[IKE] 209.240.75.80 is initiating a Main Mode IKE_SA
Aug 16 17:14:52 vpn0 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
Aug 16 17:14:52 vpn0 charon: 12[NET] sending packet: from 10.1.0.7[500] to 209.240.75.80[500]
Aug 16 17:14:52 vpn0 charon: 13[NET] received packet: from 209.240.75.80[500] to 10.1.0.7[500]
Aug 16 17:14:52 vpn0 charon: 13[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 16 17:14:52 vpn0 charon: 13[IKE] local host is behind NAT, sending keep alives
Aug 16 17:14:52 vpn0 charon: 13[IKE] remote host is behind NAT
Aug 16 17:14:52 vpn0 charon: 13[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 16 17:14:52 vpn0 charon: 13[NET] sending packet: from 10.1.0.7[500] to 209.240.75.80[500]
Aug 16 17:14:52 vpn0 charon: 14[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:14:52 vpn0 charon: 14[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 16 17:14:52 vpn0 charon: 14[CFG] looking for pre-shared key peer configs matching 10.1.0.7...209.240.75.80[192.168.22.94]
Aug 16 17:14:52 vpn0 charon: 14[CFG] selected peer config "L2TP"
Aug 16 17:14:52 vpn0 charon: 14[IKE] IKE_SA L2TP[1] established between 10.1.0.7[%any]...209.240.75.80[192.168.22.94]
Aug 16 17:14:52 vpn0 charon: 14[ENC] generating ID_PROT response 0 [ ID HASH ]
Aug 16 17:14:52 vpn0 charon: 14[NET] sending packet: from 10.1.0.7[4500] to 209.240.75.80[4500]
Aug 16 17:14:53 vpn0 charon: 16[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:14:53 vpn0 charon: 16[ENC] parsed QUICK_MODE request 2351128338 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 16 17:14:53 vpn0 charon: 16[IKE] no matching CHILD_SA config found
Aug 16 17:14:53 vpn0 charon: 16[ENC] generating INFORMATIONAL_V1 request 109923532 [ HASH N(INVAL_ID) ]
Aug 16 17:14:53 vpn0 charon: 16[NET] sending packet: from 10.1.0.7[4500] to 209.240.75.80[4500]
Aug 16 17:14:56 vpn0 charon: 02[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:14:56 vpn0 charon: 02[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:14:59 vpn0 charon: 01[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:15:02 vpn0 charon: 11[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:15:02 vpn0 charon: 11[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:15:05 vpn0 charon: 10[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:15:05 vpn0 charon: 10[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:15:08 vpn0 charon: 12[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:15:08 vpn0 charon: 12[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:15:11 vpn0 charon: 13[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:15:11 vpn0 charon: 13[IKE] received retransmit of request with ID 2351128338, but no response to retransmit

This continues until the OS X client (NAT'd behind 209.204.75.80) gives up.

I assume I'm still missing some vital config option.  Any idea what
that might be?

Thanks!

-Ben


## ipsec.conf
config setup
	# plutodebug=all
	# crlcheckinterval=600
	# strictcrlpolicy=yes
	# cachecrls=yes
	# nat_traversal=yes
	# charonstart=no
	# plutostart=no

conn L2TP
    authby=psk
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    left=%defaultroute
    right=%any
    rightprotoport=17/%any
    leftprotoport=17/1701
    rekey=no
    type=tunnel
    auto=add

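To make a trace like the one above easier to read at scale, here is an added Python example (not part of Ben's post and not strongSwan's own tooling) that parses charon syslog records and reports which IKEv1 phase the exchange got stuck in. It runs over a constructed sample modelled on the trace in the post, with the documentation address 203.0.113.80 standing in for the real peer; the record layout it assumes is the one visible above: timestamp, host, `charon:`, worker thread id, subsystem tag in brackets, then the message.

```python
import re

# Constructed sample, modelled on the charon output in the post above:
# documentation address 203.0.113.80 stands in for the real peer, and the
# lines are unwrapped so each record is on one line, as syslog writes them.
SAMPLE_LOG = """\
Aug 16 17:14:52 vpn0 charon: 12[IKE] 203.0.113.80 is initiating a Main Mode IKE_SA
Aug 16 17:14:52 vpn0 charon: 13[IKE] local host is behind NAT, sending keep alives
Aug 16 17:14:52 vpn0 charon: 13[IKE] remote host is behind NAT
Aug 16 17:14:52 vpn0 charon: 14[CFG] selected peer config "L2TP"
Aug 16 17:14:52 vpn0 charon: 14[IKE] IKE_SA L2TP[1] established between 10.1.0.7[%any]...203.0.113.80[192.168.22.94]
Aug 16 17:14:53 vpn0 charon: 16[ENC] parsed QUICK_MODE request 2351128338 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 16 17:14:53 vpn0 charon: 16[IKE] no matching CHILD_SA config found
Aug 16 17:14:53 vpn0 charon: 16[ENC] generating INFORMATIONAL_V1 request 109923532 [ HASH N(INVAL_ID) ]
Aug 16 17:14:56 vpn0 charon: 02[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:15:02 vpn0 charon: 11[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
"""

# One charon syslog record: timestamp, host, "charon:", worker thread id,
# subsystem tag in brackets (IKE, CFG, ENC, NET, ...), then the message.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+charon:\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)


def parse_record(line):
    """Split one log line into its fields, or return None for non-charon lines."""
    m = RECORD_RE.match(line)
    return m.groupdict() if m else None


def verdict(state):
    """Turn the collected facts into a one-line diagnosis for the operator."""
    if not state["ike_sa_established"]:
        return "Phase 1 failed: no IKE_SA was established; check ike=, authby= and the PSK"
    if state["child_sa_failed"]:
        nat = "both sides" if state["local_behind_nat"] and state["remote_behind_nat"] else "one side"
        return (
            f"Phase 2 failed: IKE_SA via conn {state['peer_config']!r} is up (NAT on {nat}), "
            f"but Quick Mode request {state['quick_mode_msgid']} matched no CHILD_SA config; "
            f"compare type= and left/rightprotoport= against what the client proposes "
            f"({state['retransmits']} unanswered retransmits seen)"
        )
    return "Negotiation completed"


def analyze(log_text):
    """Walk the records in order and summarise how far the IKEv1 exchange got."""
    state = {
        "initiator": None,           # peer address that opened Main Mode
        "local_behind_nat": False,   # NAT-D showed our own address is translated
        "remote_behind_nat": False,  # ... and the peer's address is translated
        "peer_config": None,         # conn selected in phase 1
        "ike_sa_established": False,
        "quick_mode_msgid": None,    # message id of the phase 2 request
        "child_sa_failed": False,    # "no matching CHILD_SA config found"
        "notify_sent": None,         # notify type we answered with (e.g. INVAL_ID)
        "retransmits": 0,            # client retries charon could not answer
    }
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := re.match(r"(\S+) is initiating a Main Mode IKE_SA", msg):
            state["initiator"] = m.group(1)
        elif msg.startswith("local host is behind NAT"):
            state["local_behind_nat"] = True
        elif msg.startswith("remote host is behind NAT"):
            state["remote_behind_nat"] = True
        elif m := re.match(r'selected peer config "([^"]+)"', msg):
            state["peer_config"] = m.group(1)
        elif re.match(r"IKE_SA \S+\[\d+\] established", msg):
            state["ike_sa_established"] = True
        elif m := re.match(r"parsed QUICK_MODE request (\d+)", msg):
            state["quick_mode_msgid"] = m.group(1)
        elif msg.startswith("no matching CHILD_SA config found"):
            state["child_sa_failed"] = True
        elif m := re.match(r"generating INFORMATIONAL_V1 request \d+ \[.*N\((\w+)\)", msg):
            state["notify_sent"] = m.group(1)
        elif msg.startswith("received retransmit of request"):
            state["retransmits"] += 1
    state["verdict"] = verdict(state)
    return state


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG)["verdict"])
```

Running it on the sample prints the Phase 2 verdict. Two details the parser makes explicit: the INVAL_ID notify goes out as a separate INFORMATIONAL_V1 request rather than as a reply to the Quick Mode message, which is why charon later logs "no response to retransmit" and the client keeps resending until it gives up; and "no matching CHILD_SA config found" means no conn's mode and traffic selectors covered what the client proposed. L2TP/IPsec as specified in RFC 3193 runs over IPsec transport mode, so the type= setting and the protoport selectors in the selected conn are the first things to compare against the client's proposal.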