[strongSwan] cannot respond to IPsec SA request because no connection is known
Ben Beuchler
insyte at gmail.com
Fri Aug 17 00:17:06 CEST 2012
> Please try 5.0.0 as the pluto IKEv1 daemon of earlier releases has
> problems when it is behind a NAT (even 1:1) as responder.
Thanks. I have compiled and installed 5.0.0 with the ipsec.conf
included below. Now I have a new and exciting failure mode:
Aug 16 17:14:52 vpn0 charon: 12[IKE] received DPD vendor ID
Aug 16 17:14:52 vpn0 charon: 12[IKE] 209.240.75.80 is initiating a Main Mode IKE_SA
Aug 16 17:14:52 vpn0 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
Aug 16 17:14:52 vpn0 charon: 12[NET] sending packet: from 10.1.0.7[500] to 209.240.75.80[500]
Aug 16 17:14:52 vpn0 charon: 13[NET] received packet: from 209.240.75.80[500] to 10.1.0.7[500]
Aug 16 17:14:52 vpn0 charon: 13[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 16 17:14:52 vpn0 charon: 13[IKE] local host is behind NAT, sending keep alives
Aug 16 17:14:52 vpn0 charon: 13[IKE] remote host is behind NAT
Aug 16 17:14:52 vpn0 charon: 13[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 16 17:14:52 vpn0 charon: 13[NET] sending packet: from 10.1.0.7[500] to 209.240.75.80[500]
Aug 16 17:14:52 vpn0 charon: 14[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:14:52 vpn0 charon: 14[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 16 17:14:52 vpn0 charon: 14[CFG] looking for pre-shared key peer configs matching 10.1.0.7...209.240.75.80[192.168.22.94]
Aug 16 17:14:52 vpn0 charon: 14[CFG] selected peer config "L2TP"
Aug 16 17:14:52 vpn0 charon: 14[IKE] IKE_SA L2TP[1] established between 10.1.0.7[%any]...209.240.75.80[192.168.22.94]
Aug 16 17:14:52 vpn0 charon: 14[ENC] generating ID_PROT response 0 [ ID HASH ]
Aug 16 17:14:52 vpn0 charon: 14[NET] sending packet: from 10.1.0.7[4500] to 209.240.75.80[4500]
Aug 16 17:14:53 vpn0 charon: 16[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:14:53 vpn0 charon: 16[ENC] parsed QUICK_MODE request 2351128338 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 16 17:14:53 vpn0 charon: 16[IKE] no matching CHILD_SA config found
Aug 16 17:14:53 vpn0 charon: 16[ENC] generating INFORMATIONAL_V1 request 109923532 [ HASH N(INVAL_ID) ]
Aug 16 17:14:53 vpn0 charon: 16[NET] sending packet: from 10.1.0.7[4500] to 209.240.75.80[4500]
Aug 16 17:14:56 vpn0 charon: 02[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:14:56 vpn0 charon: 02[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:14:59 vpn0 charon: 01[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:15:02 vpn0 charon: 11[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:15:02 vpn0 charon: 11[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:15:05 vpn0 charon: 10[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:15:05 vpn0 charon: 10[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:15:08 vpn0 charon: 12[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:15:08 vpn0 charon: 12[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:15:11 vpn0 charon: 13[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:15:11 vpn0 charon: 13[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
This continues until the OS X client (NAT'd behind 209.204.75.80) gives up.
I assume I'm still missing some vital config option. Any idea what
that might be?
Thanks!
-Ben
## ipsec.conf

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        # plutostart=no

conn L2TP
        authby=psk
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        left=%defaultroute
        right=%any
        rightprotoport=17/%any
        leftprotoport=17/1701
        rekey=no
        type=tunnel
        auto=add
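The log above has a recognisable shape: Phase 1 (Main Mode) completes and the IKE_SA is established, the client's Quick Mode request is then rejected with "no matching CHILD_SA config found", charon answers with an INVAL_ID notify, and the client keeps retransmitting the same message ID until it gives up. The following script, added here as an example and not part of the thread or of strongSwan itself, parses charon's default syslog line format (`<timestamp> <host> charon: NN[GROUP] message`, as in the post) and reports each rejected Quick Mode request together with the peer, the notify sent back and the number of unanswered retransmits. The embedded sample log is a constructed subset of the lines from the post; thread numbers are used to tie the `parsed QUICK_MODE request` line to the rejection that follows it.

```python
"""Spot rejected IKEv1 Quick Mode requests in strongSwan charon syslog output.

Example added for this thread; not strongSwan code. Assumes charon's default
syslog format: '<ts> <host> charon: NN[GROUP] message'.
"""
import re
import sys

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
ESTAB_RE = re.compile(
    r"IKE_SA (?P<conn>\S+)\[\d+\] established between (?P<local>\S+)\.\.\.(?P<remote>\S+)"
)
QM_RE = re.compile(r"parsed QUICK_MODE request (?P<mid>\d+)")
NOTIFY_RE = re.compile(
    r"generating INFORMATIONAL_V1 request \d+ \[ HASH N\((?P<notify>[A-Z_]+)\) \]"
)
RETX_RE = re.compile(
    r"received retransmit of request with ID (?P<mid>\d+), but no response to retransmit"
)

# Constructed sample: a subset of the lines from the post, unwrapped. Not a live capture.
SAMPLE_LOG = """\
Aug 16 17:14:52 vpn0 charon: 14[CFG] selected peer config "L2TP"
Aug 16 17:14:52 vpn0 charon: 14[IKE] IKE_SA L2TP[1] established between 10.1.0.7[%any]...209.240.75.80[192.168.22.94]
Aug 16 17:14:53 vpn0 charon: 16[NET] received packet: from 209.240.75.80[4500] to 10.1.0.7[4500]
Aug 16 17:14:53 vpn0 charon: 16[ENC] parsed QUICK_MODE request 2351128338 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 16 17:14:53 vpn0 charon: 16[IKE] no matching CHILD_SA config found
Aug 16 17:14:53 vpn0 charon: 16[ENC] generating INFORMATIONAL_V1 request 109923532 [ HASH N(INVAL_ID) ]
Aug 16 17:14:56 vpn0 charon: 02[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:15:02 vpn0 charon: 11[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:15:05 vpn0 charon: 10[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:15:08 vpn0 charon: 12[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
Aug 16 17:15:11 vpn0 charon: 13[IKE] received retransmit of request with ID 2351128338, but no response to retransmit
"""


def parse_line(line):
    """Split one charon syslog line into its fields; None for lines that are not charon's."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_quick_mode_failures(lines):
    """One record per Quick Mode request charon rejected for lack of a CHILD_SA config.

    Each record carries the conn and peer of the most recently established IKE_SA,
    the notify charon sent back, and how many retransmits of that message ID went
    unanswered afterwards.
    """
    last_sa = {"conn": None, "peer": None}  # most recent 'IKE_SA ... established'
    in_quick_mode = {}                       # thread -> message ID being handled
    awaiting_notify = {}                     # thread -> message ID just rejected
    failures = {}                            # message ID -> record
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        thread, msg = rec["thread"], rec["msg"]
        m = ESTAB_RE.search(msg)
        if m:
            last_sa = {"conn": m.group("conn"), "peer": m.group("remote")}
            continue
        m = QM_RE.search(msg)
        if m:
            in_quick_mode[thread] = int(m.group("mid"))
            continue
        if msg == "no matching CHILD_SA config found" and thread in in_quick_mode:
            mid = in_quick_mode.pop(thread)
            failures[mid] = {"msg_id": mid, "first_seen": rec["ts"],
                             "conn": last_sa["conn"], "peer": last_sa["peer"],
                             "notify": None, "retransmits": 0}
            awaiting_notify[thread] = mid
            continue
        m = NOTIFY_RE.search(msg)
        if m and thread in awaiting_notify:
            failures[awaiting_notify.pop(thread)]["notify"] = m.group("notify")
            continue
        m = RETX_RE.search(msg)
        if m and int(m.group("mid")) in failures:
            failures[int(m.group("mid"))]["retransmits"] += 1
    return list(failures.values())


def describe(failure):
    """One-line summary of a failure record for an operator."""
    return ("{first_seen}: peer {peer} (conn {conn}) got {notify} for Quick Mode "
            "request {msg_id}; {retransmits} retransmits unanswered. Phase 1 "
            "succeeded, so the conn's selectors (type/protoport) did not match "
            "the client's proposal").format(**failure)


if __name__ == "__main__":
    # Usage: python charon_qm.py /var/log/syslog   (falls back to the sample)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for failure in find_quick_mode_failures(lines):
        print(describe(failure))
```

The diagnostic it prints is deliberately narrow: "no matching CHILD_SA config found" after a successful Phase 1 means the PSK and IKE proposal were fine and the mismatch is in the Phase 2 selectors, so the conn's `type`, `leftprotoport`/`rightprotoport` and subnet settings are the place to look. As a general point outside the thread, L2TP/IPsec clients negotiate the IPsec SA in transport mode, so a conn written with `type=tunnel` is a common way to end up in exactly this retransmit loop.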