[strongSwan] cannot respond to IPsec SA request because no connection is known for...

Jeremy Beker gothmog at confusticate.com
Thu Jul 5 14:29:30 CEST 2012


Hey folks.  After much banging of head on table, I finally got it 
working.  Here is the client config in ipsec.conf that worked.

config setup
         plutodebug=control
         crlcheckinterval=180
         strictcrlpolicy=no
         charonstart=no
         nat_traversal=yes

conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         keyexchange=ikev1
         authby=xauthrsasig

conn home
         left=%defaultroute
         leftcert=3mlaptop.pem
         leftid=laptop@bree
         leftfirewall=yes
         leftsourceip=%config
         right=bree
         xauth_identity=laptop@bree
         rightsubnet=0.0.0.0/0
         rightcert=serverCert.pem
         auto=start


The item that was finally required was to have "leftsourceip=%config" 
included.  While not easily documented, that seemed to be the trick to 
have the client side request its inside-tunnel address from my server.

-Jeremy


On 06/29/2012 15:06, Jeremy Beker wrote:
> I am working to resolve the following error (background information
> below):
>
> ===
> cannot respond to IPsec SA request because no connection is known for
> 0.0.0.0/0===68.15.149.43:4500[C=US, O=Confusticate,
> CN=bree]...64.196.84.195:65211[C=US, O=Confusticate, CN=JEB
> Thinkpad]===169.15.21.170/32
> ===
>
> 'ipsec statusall' for the relevant connection is:
>
> ===
> 000 "ios": 0.0.0.0/0===68.15.149.43[C=US, O=Confusticate,
> CN=bree]---68.15.149.33...%any[%any]===%ios; unrouted; eroute owner: #0
> 000 "ios":   CAs: "C=US, O=Confusticate, CN=VPN CA"...%any
> 000 "ios":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 3
> 000 "ios":   policy: ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER; prio: 0,24; interface: p2p2;
> 000 "ios":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> ===
>
> Any help would be greatly appreciated as I can't for the life of me
> figure out what isn't matching.
>
> Thanks!
>
> -Jeremy
>
>
> Background information:
> -----------------------
>
> I have a strongSwan 4.6.4 server (bree) which is currently supporting
> several iOS clients (RSA+XAUTH) perfectly fine using the 
> configuration
> below:
>
> ===
> config setup
>          plutostart=yes
>          charonstart=no
>          nat_traversal=yes
>
> conn ios
>          keyexchange=ikev1
>          authby=xauthrsasig
>          xauth=server
>          left=%defaultroute
>          leftsubnet=0.0.0.0/0
>          leftfirewall=yes
>          leftcert=serverCert.pem
>          right=%any
>          rightsubnet=192.168.3.0/24
>          rightsourceip=192.168.3.0/24
>          pfs=no
>          auto=add
> ===
>
> I am trying to add a new client (laptop), another Linux box also
> running strongSwan 4.6.4.  It is behind a NAT.  It is using the
> following configuration:
>
> ===
> config setup
>          crlcheckinterval=180
>          strictcrlpolicy=no
>          charonstart=no
>          nat_traversal=yes
>
> conn %default
>          ikelifetime=60m
>          keylife=20m
>          rekeymargin=3m
>          keyingtries=1
>          keyexchange=ikev1
>          authby=xauthrsasig
>
> conn home
>          left=%defaultroute
>          leftcert=laptop.pem
>          xauth_identity=laptop@bree
>          leftfirewall=yes
>          right=bree
>          rightsubnet=0.0.0.0/0
>          rightcert=serverCert.pem
>          pfs=no
>          auto=add
> ===
>
> Once I get the error, if I run 'ipsec statusall' I get the following
> information:
>
> ===
> 000 "ios"[12]: 0.0.0.0/0===68.15.149.43:4500[C=US, O=Confusticate,
> CN=bree.confusticate.com]---68.15.149.33...64.196.84.195:8328[C=US,
> O=Confusticate, CN=JEB 3M Thinkpad]===%ios; unrouted; eroute owner: #0
> 000 "ios"[12]:   CAs: "C=US, O=Confusticate, CN=VPN CA"...%any
> 000 "ios"[12]:   ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "ios"[12]:   policy: ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER; prio: 0,24; interface: p2p2;
> 000 "ios"[12]:   newest ISAKMP SA: #8; newest IPsec SA: #0;
> 000 "ios"[12]:   IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_2048
> ===
>
>
>
> ---
> Jeremy Beker - gothmog at confusticate.com
> http://www.confusticate.com
> Condensing fact from the vapor of nuance.
> [Sent from roundcube]
>

---
Jeremy Beker - gothmog at confusticate.com
http://www.confusticate.com
Condensing fact from the vapor of nuance.
[Sent from roundcube]
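One way to catch this mismatch before bringing the tunnel up, as an added example that is not part of this thread or of strongSwan itself: a small checker that parses both ipsec.conf files (folding conn %default into each conn), finds server conns that hand out virtual IPs via rightsourceip, and reports client conns that do not set leftsourceip=%config. The sample configs are constructed and shortened from the thread.

```python
# Added check for the mismatch in this thread: the server assigns virtual IPs
# (rightsourceip) but the client never requests one (no leftsourceip=%config),
# so the client's proposed traffic selector matches no server connection.
import re

# Constructed sample configs, shortened from the thread.
SERVER_CONF = """
conn ios
        authby=xauthrsasig
        xauth=server
        leftsubnet=0.0.0.0/0
        rightsourceip=192.168.3.0/24
"""
CLIENT_BROKEN = """
conn %default
        authby=xauthrsasig

conn home
        right=bree
        rightsubnet=0.0.0.0/0
"""
CLIENT_FIXED = CLIENT_BROKEN + "        leftsourceip=%config\n"

def parse_ipsec_conf(text):
    """Map conn name -> settings, with 'conn %default' folded into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop trailing comments
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = sections.setdefault(m.group(2), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {n: {**default, **c} for n, c in sections.items() if n != "setup"}

def find_missing_sourceip(client_text, server_text):
    """Return client conns that will fail against a virtual-IP server conn."""
    findings = []
    servers = parse_ipsec_conf(server_text)
    for cname, c in parse_ipsec_conf(client_text).items():
        for sname, s in servers.items():
            if s.get("xauth") != "server" or "rightsourceip" not in s:
                continue                            # no virtual IP pool here
            if c.get("leftsourceip") != "%config":
                findings.append(f"{cname}: server '{sname}' assigns from "
                                f"{s['rightsourceip']} but client lacks leftsourceip=%config")
    return findings
```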