freeswan-1.99: cannot respond to IPsec SA
Hi all,

Due to troubles with freeswan-2.04_1.4.8-12 I try to use freeswan-1.99_0.9.34-80 (www.suse.de/~garloff/linux/FreeSWAN/).

/---------------\     /---------------\     /---------------\     /---------------\
| Linux 2.4.19  |     | Speed Touch   |     | W-Lan Router  |     | WINX W2k      |
| 62.210.20.146 |<----| 62.210.20.145 |<----| WAN-IP:       |<----| W-LAN-IP:     |
| SuSE 9.0      |     | No NAT at all |     | 213.39.205.80 |     | 192.168.1.99  |
\---------------/     \---------------/     \---------------/     \---------------/

VPN-Server: SuSE 9.0, SpeedTouch: static IP, freeswan-1.99_0.9.34-80

<snip v/l/m>
vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: cannot respond to IPsec SA request because no connection is known for 62.206.19.146[C=DE, ST=Hamburg, L=Hamburg, CN=<Admin CN>]:17/0...213.39.205.80[C=DE, ST=Koeln, CN=<User CN>]:17/1701==={192.168.1.99/32}
vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: sending encrypted notification INVALID_ID_INFORMATION to 213.39.205.80:500
vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xee13aa39 (perhaps this is a duplicated packet)
vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: sending encrypted notification INVALID_MESSAGE_ID to 213.39.205.80:500
vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xee13aa39 (perhaps this is a duplicated packet)
vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: sending encrypted notification INVALID_MESSAGE_ID to 213.39.205.80:500
vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xee13aa39 (perhaps this is a duplicated packet)
vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: sending encrypted notification INVALID_MESSAGE_ID to 213.39.205.80:500
vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: received Delete SA payload: deleting ISAKMP State #2
vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80: deleting connection "w2k-client" instance with peer 213.39.205.80
<snap v/l/m>

What do I need to change in ipsec.conf to make it run? I don't understand the first error. What is wrong with my ipsec.conf?

If you need any more information, I'll be glad to provide it! Thanks in advance.

<snip ipsec.conf>
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn w2k-client
    left=62.210.20.146
    leftnexthop=62.210.20.145
    leftrsasigkey=%cert
    leftcert=gatecert.pem
    leftprotoport=17/0
    right=%any
    rightrsasigkey=%cert
    pfs=no
    rightsubnet=192.168.1.99/32
    rightprotoport=17/1701
    keyingtries=0
    disablearrivalcheck=no
    auto=add
<snap : ipsec.conf>
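The "no connection is known for ..." message is pluto's way of printing the selectors the peer proposed (local address[ID]:proto/port ... remote address[ID]:proto/port === remote subnet) after it failed to find a conn whose ends match them. A quick way to see which field is off is to parse that line and put it next to the conn in ipsec.conf. The script below is an added example written for this thread, not code from FreeS/WAN or from either poster: it parses the conn sections (merging `conn %default`), parses the pluto line, and reports each selector that disagrees. It assumes `left` is the local, responding end (as it is in the conn above), compares only addresses, protoports and subnets (certificate IDs are not checked), and embeds the thread's own log line and conn as constructed sample input, with the CNs left as the placeholders the post uses.

```python
import re

# Constructed sample input: the first pluto line quoted in the thread
# (certificate CNs are placeholders, exactly as in the post).
PLUTO_LINE = (
    'vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: cannot respond '
    'to IPsec SA request because no connection is known for '
    '62.206.19.146[C=DE, ST=Hamburg, L=Hamburg, CN=<Admin CN>]:17/0'
    '...213.39.205.80[C=DE, ST=Koeln, CN=<User CN>]:17/1701==={192.168.1.99/32}'
)

# Constructed sample input: the conn sections of the ipsec.conf from the thread.
IPSEC_CONF = """\
conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn w2k-client
    left=62.210.20.146
    leftnexthop=62.210.20.145
    leftrsasigkey=%cert
    leftcert=gatecert.pem
    leftprotoport=17/0
    right=%any
    rightrsasigkey=%cert
    pfs=no
    rightsubnet=192.168.1.99/32
    rightprotoport=17/1701
    keyingtries=0
    disablearrivalcheck=no
    auto=add
"""

# Each end is printed as [{subnet}===]addr[id]:proto/port; the two ends are joined by "...".
LOG_RE = re.compile(
    r'no connection is known for '
    r'(?:\{(?P<lsub>[^}]*)\}===)?'
    r'(?P<laddr>[0-9.]+)(?:\[(?P<lid>[^\]]*)\])?:(?P<lpp>\d+/\d+)'
    r'\.\.\.'
    r'(?P<raddr>[0-9.]+)(?:\[(?P<rid>[^\]]*)\])?:(?P<rpp>\d+/\d+)'
    r'(?:===\{(?P<rsub>[^}]*)\})?'
)


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; keys from 'conn %default' are merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():            # section header: "conn NAME" / "config setup"
            kind, _, name = line.partition(' ')
            current = sections.setdefault(f'{kind} {name.strip()}', {})
            continue
        key, _, value = line.strip().partition('=')
        if current is not None:
            current[key.strip()] = value.strip()
    default = sections.get('conn %default', {})
    return {name[5:]: {**default, **params}
            for name, params in sections.items()
            if name.startswith('conn ') and name != 'conn %default'}


def parse_pluto_request(line):
    """Extract the proposed selectors from a 'no connection is known for' line, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def _matches(want, got):
    # %any in the conn accepts any peer address; a key the conn does not set is
    # reported whenever the request carries a value for it, so the reader can check it.
    if want == '%any':
        return True
    return (want or None) == (got or None)


def selector_mismatches(conn, req):
    """List (field, conn_value, requested_value) for every selector that disagrees.

    Assumes left = local (responding) end, as in the thread's conn.
    """
    checks = [
        ('left', conn.get('left'), req['laddr']),
        ('leftprotoport', conn.get('leftprotoport'), req['lpp']),
        ('leftsubnet', conn.get('leftsubnet'), req['lsub']),
        ('right', conn.get('right'), req['raddr']),
        ('rightprotoport', conn.get('rightprotoport'), req['rpp']),
        ('rightsubnet', conn.get('rightsubnet'), req['rsub']),
    ]
    return [(f, w, g) for f, w, g in checks if not _matches(w, g)]


if __name__ == '__main__':
    req = parse_pluto_request(PLUTO_LINE)
    conn = parse_ipsec_conf(IPSEC_CONF)['w2k-client']
    print('peer proposed:', {k: v for k, v in req.items() if v})
    for field, want, got in selector_mismatches(conn, req):
        print(f'{field}: conn has {want!r}, request has {got!r}')
```

On the inputs quoted above it flags only `left=`: the address in the conn (62.210.20.146) is not the local address pluto printed (62.206.19.146); every other selector, including `rightprotoport=17/1701` and `rightsubnet=192.168.1.99/32`, lines up. Run it against the real files rather than the snippets in the post before drawing a conclusion, since the log line and the conn may have been copied at different times.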
Hi Dennis, comments inline, but I'm doing this from memory, 'cause I'm not at the site(s) where my freeswan(s) are sitting ...

Dennis Leist wrote:
Hi all,
Due to troubles with freeswan-2.04_1.4.8-12 I try to use freeswan-1.99_0.9.34-80 (www.suse.de/~garloff/linux/FreeSWAN/).
/---------------\     /---------------\     /---------------\     /---------------\
| Linux 2.4.19  |     | Speed Touch   |     | W-Lan Router  |     | WINX W2k      |
| 62.210.20.146 |<----| 62.210.20.145 |<----| WAN-IP:       |<----| W-LAN-IP:     |
| SuSE 9.0      |     | No NAT at all |     | 213.39.205.80 |     | 192.168.1.99  |
\---------------/     \---------------/     \---------------/     \---------------/

VPN-Server: SuSE 9.0, SpeedTouch: static IP, freeswan-1.99_0.9.34-80

<snip v/l/m>
vpnserver pluto[24299]: "w2k-client"[4] 213.39.205.80 #2: cannot respond to IPsec SA request because no connection is known for 62.206.19.146[C=DE, ST=Hamburg, L=Hamburg, CN=<Admin CN>]:17/0...213.39.205.80[C=DE, ST=Koeln, CN=<User CN>]:17/1701==={192.168.1.99/32}
- SNIP - I think this is the main problem: no connection is known for the partner
<snip ipsec.conf>

I assume this is the conf of the vpn-server; what is the conf of the other side?
-SNIP-
conn w2k-client
    left=62.210.20.146
    leftnexthop=62.210.20.145
    leftrsasigkey=%cert
    leftcert=gatecert.pem
    leftprotoport=17/0

why use this definition? Never used / needed this one.
right=%any
this is definitely wrong, as you are using fixed IPs; put 192.168.1.99 here
    rightrsasigkey=%cert
    pfs=no
try pfs=yes
rightsubnet=192.168.1.99/32
this is defining a net BEHIND the gateway 192.168.1.99/32, which is nonsense for a /32 mask; remove this entry completely
rightprotoport=17/1701
again: do you need this?
    keyingtries=0
    disablearrivalcheck=no
try using yes
    auto=add
<snap : ipsec.conf>
HTH, good luck, Philipp Rusch
Hi again, I looked over it and found another addition (see inline).

Philipp Rusch wrote:
right=%any
this is definitely wrong, as you are using fixed IPs; put 192.168.1.99 here
OK, now think of it like this: left = local and right = remote, but how can the left peer find its route (= tunnel!) to 192.168.1.99, which is a private IP? You need to define rightnexthop=213.39.205.80 to tell left=local how to reach right=remote, and vice versa.
Again: good luck and good night, Philipp