[strongSwan] cannot respond to IPsec SA request because no connection is known for...

Jeremy Beker gothmog at confusticate.com
Fri Jun 29 21:06:29 CEST 2012


I am working to resolve the following error (background information 
below):

===
cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===68.15.149.43:4500[C=US, O=Confusticate, CN=bree]...64.196.84.195:65211[C=US, O=Confusticate, CN=JEB Thinkpad]===169.15.21.170/32
===

'ipsec statusall' for the relevant connection is:

===
000 "ios": 0.0.0.0/0===68.15.149.43[C=US, O=Confusticate, CN=bree]---68.15.149.33...%any[%any]===%ios; unrouted; eroute owner: #0
000 "ios":   CAs: "C=US, O=Confusticate, CN=VPN CA"...%any
000 "ios":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "ios":   policy: ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER; prio: 0,24; interface: p2p2;
000 "ios":   newest ISAKMP SA: #0; newest IPsec SA: #0;
===

Any help would be greatly appreciated as I can't for the life of me 
figure out what isn't matching.

Thanks!

-Jeremy


Background information:
-----------------------

I have a strongSwan 4.6.4 server (bree) which is currently supporting 
several iOS clients (RSA+XAUTH) perfectly fine using the configuration 
below:

===
config setup
         plutostart=yes
         charonstart=no
         nat_traversal=yes

conn ios
         keyexchange=ikev1
         authby=xauthrsasig
         xauth=server
         left=%defaultroute
         leftsubnet=0.0.0.0/0
         leftfirewall=yes
         leftcert=serverCert.pem
         right=%any
         rightsubnet=192.168.3.0/24
         rightsourceip=192.168.3.0/24
         pfs=no
         auto=add
===

I am trying to add a new client (laptop), another Linux box also 
running strongSwan 4.6.4.  It is behind a NAT.  It is using the 
following configuration:

===
config setup
         crlcheckinterval=180
         strictcrlpolicy=no
         charonstart=no
         nat_traversal=yes

conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         keyexchange=ikev1
         authby=xauthrsasig

conn home
         left=%defaultroute
         leftcert=laptop.pem
         xauth_identity=laptop at bree
         leftfirewall=yes
         right=bree
         rightsubnet=0.0.0.0/0
         rightcert=serverCert.pem
         pfs=no
         auto=add
===

Once I get the error, if I run 'ipsec statusall' I get the following 
information:

===
000 "ios"[12]: 0.0.0.0/0===68.15.149.43:4500[C=US, O=Confusticate, CN=bree.confusticate.com]---68.15.149.33...64.196.84.195:8328[C=US, O=Confusticate, CN=JEB 3M Thinkpad]===%ios; unrouted; eroute owner: #0
000 "ios"[12]:   CAs: "C=US, O=Confusticate, CN=VPN CA"...%any
000 "ios"[12]:   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "ios"[12]:   policy: ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER; prio: 0,24; interface: p2p2;
000 "ios"[12]:   newest ISAKMP SA: #8; newest IPsec SA: #0;
000 "ios"[12]:   IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_2048
===



---
Jeremy Beker - gothmog at confusticate.com
http://www.confusticate.com
Condensing fact from the vapor of nuance.
[Sent from roundcube]
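The pluto error above and the 'ipsec statusall' conn line share one layout, LSUB===LHOST[LID]...RHOST[RID]===RSUB, so the mismatch can be found by parsing both and comparing field by field. The script below is an added diagnostic example, not code from the original post or from strongSwan: it re-joins the two log lines quoted in the post (the mailer wrapped them), parses them, and reports which part of the "ios" template the laptop's quick-mode proposal fails to match. The mapping of the pool name "%ios" to 192.168.3.0/24 is an assumption taken from the server's rightsourceip setting; strongSwan 4.x names the implicit pool after the conn, but that mapping is not printed in the log itself.

```python
"""Diagnose a strongSwan 4.x pluto "no connection is known for" error.

Added example, not code from the original post or from strongSwan. It parses
the rejected quick-mode request and an 'ipsec statusall' conn line, both in
pluto's LSUB===LHOST[LID]...RHOST[RID]===RSUB form, and reports which part
of the conn template the peer's proposal fails to match.
"""
import ipaddress
import re

ERROR_PREFIX = "cannot respond to IPsec SA request because no connection is known for "

# Lines quoted from the post above, re-joined onto one line each.
PLUTO_ERROR = (
    ERROR_PREFIX
    + "0.0.0.0/0===68.15.149.43:4500[C=US, O=Confusticate, CN=bree]..."
    "64.196.84.195:65211[C=US, O=Confusticate, CN=JEB Thinkpad]===169.15.21.170/32"
)
STATUS_IOS = (
    '000 "ios": 0.0.0.0/0===68.15.149.43[C=US, O=Confusticate, CN=bree]'
    "---68.15.149.33...%any[%any]===%ios; unrouted; eroute owner: #0"
)
# Assumption: pluto shows the implicit rightsourceip pool of conn "ios" as
# "%ios", so the pool name maps to the rightsourceip range in the server's
# ipsec.conf. The log does not print this mapping; it is taken from the config.
POOLS = {"ios": "192.168.3.0/24"}

_ENDPOINTS = re.compile(
    r"^(?P<lsub>[^=]+)===(?P<lhost>[^\[]+)\[(?P<lid>[^\]]*)\](?:---(?P<nexthop>\S+?))?"
    r"\.\.\.(?P<rhost>[^\[]+)\[(?P<rid>[^\]]*)\]===(?P<rsub>.+)$"
)
_STATUS = re.compile(r'^000 "(?P<name>[^"]+)"(?:\[\d+\])?:\s+(?P<body>[^;]+)')


def parse_endpoints(text):
    """Split LSUB===LHOST[:port][LID](---NEXTHOP)...RHOST[:port][RID]===RSUB into fields."""
    m = _ENDPOINTS.match(text.strip())
    if not m:
        raise ValueError("not a pluto connection description: %r" % text)
    return m.groupdict()


def parse_status_conn(line):
    """Return (conn name, endpoint fields) for one 'ipsec statusall' conn line."""
    m = _STATUS.match(line.strip())
    if not m:
        raise ValueError("not an ipsec statusall conn line: %r" % line)
    return m.group("name"), parse_endpoints(m.group("body"))


def strip_port(host):
    """'64.196.84.195:65211' -> '64.196.84.195'; hosts without a port pass through."""
    addr, sep, port = host.rpartition(":")
    return addr if sep and port.isdigit() else host


def selector_matches(requested, configured, pools):
    """True if the peer's proposed traffic selector is covered by the conn's selector.

    '%any' covers everything; '%name' is a virtual-IP pool, so the proposal
    must be an address handed out from that pool (it must fall inside the range).
    """
    if configured == "%any":
        return True
    if configured.startswith("%"):
        configured = pools.get(configured[1:])
        if configured is None:
            return False
    req = ipaddress.ip_network(requested, strict=False)
    conf = ipaddress.ip_network(configured, strict=False)
    return req.version == conf.version and req.subnet_of(conf)


def diagnose(error_line, status_line, pools=POOLS):
    """List the reasons a conn template rejects the proposal in the pluto error."""
    if error_line.startswith(ERROR_PREFIX):
        error_line = error_line[len(ERROR_PREFIX):]
    want = parse_endpoints(error_line)
    name, conn = parse_status_conn(status_line)
    problems = []
    # Host addresses: ports differ behind NAT-T, so compare addresses only.
    for host, label in (("lhost", "left"), ("rhost", "right")):
        if conn[host] != "%any" and strip_port(conn[host]) != strip_port(want[host]):
            problems.append("%s host %s != conn %r host %s"
                            % (label, strip_port(want[host]), name, strip_port(conn[host])))
    # Traffic selectors: each proposed subnet must lie within the conn's subnet or pool.
    for sub, label in (("lsub", "left"), ("rsub", "right")):
        if not selector_matches(want[sub], conn[sub], pools):
            problems.append("%s selector %s is not covered by conn %r selector %s"
                            % (label, want[sub], name, conn[sub]))
    return problems


if __name__ == "__main__":
    for p in diagnose(PLUTO_ERROR, STATUS_IOS) or ["proposal matches the conn template"]:
        print(p)
```

Run against the two quoted lines, the hosts and the left selector (0.0.0.0/0) match and the only complaint is the right selector: the laptop proposes 169.15.21.170/32, while the "ios" template only accepts a remote selector inside the %ios pool. One reading of this, offered here as an interpretation and not as the poster's conclusion: the laptop's conn has no leftsourceip, so it proposes its own address rather than asking for a virtual IP from the pool the way the iOS clients do. Whether the right fix is a mode-config request on the laptop or a separate server conn whose rightsubnet covers the laptop's address is a deployment choice the post does not settle.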