Hi,

For some reason that I do not understand, I'm getting:

Jul  9 22:37:41 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: 
cannot respond to IPsec SA request because no connection is known for 
198.252.153.38:4500[198.252.153.38]:17/1701...208.54.45.249:58920[26.164.21.104]:17/%any==={26.164.21.104/32}

My configuration is below, along with a log and the results from 'ipsec
statusall' - I would very much appreciate any pointers to what I am
missing!

thanks,
micah


config setup
  nat_traversal=yes
  charonstart=no 
  plutostart=yes
  plutodebug=control
  left=198.252.153.38

conn l2tp-psk
  authby=secret
  pfs=no
  compress=no
  rekey=no
  keyexchange=ikev1
  keyingtries=3
  type=transport
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any
  auto=add

Jul  9 22:37:28 kestrel pluto[3901]: Starting IKEv1 pluto daemon (strongSwan 
4.5.0) THREADS SMARTCARD VENDORID
Jul  9 22:37:28 kestrel pluto[3901]: listening on interfaces:
Jul  9 22:37:28 kestrel pluto[3901]:   eth0
Jul  9 22:37:28 kestrel pluto[3901]:     198.252.153.38
Jul  9 22:37:28 kestrel pluto[3901]:     fe80::216:3eff:fe9f:e58b
Jul  9 22:37:28 kestrel pluto[3901]:   eth1
Jul  9 22:37:28 kestrel pluto[3901]:     10.0.1.81
Jul  9 22:37:28 kestrel pluto[3901]:     fe80::216:3eff:fe8a:458d
Jul  9 22:37:28 kestrel pluto[3901]:   tun0
Jul  9 22:37:28 kestrel pluto[3901]:     172.27.0.1
Jul  9 22:37:28 kestrel pluto[3901]:   tun1
Jul  9 22:37:28 kestrel pluto[3901]:     172.27.100.1
Jul  9 22:37:28 kestrel pluto[3901]: loaded plugins: test-vectors curl ldap aes 
des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr 
kernel-netlink resolve
Jul  9 22:37:28 kestrel pluto[3901]: | inserting event EVENT_REINIT_SECRET, 
timeout in 3600 seconds
Jul  9 22:37:28 kestrel pluto[3901]:   including NAT-Traversal patch (Version 
0.6c)
Jul  9 22:37:28 kestrel pluto[3901]: | pkcs11 module 
'/usr/lib/opensc-pkcs11.so' loading...
Jul  9 22:37:28 kestrel pluto[3901]: failed to load pkcs11 module 
'/usr/lib/opensc-pkcs11.so'
Jul  9 22:37:28 kestrel ipsec_starter[3900]: pluto (3901) started after 20 ms
Jul  9 22:37:28 kestrel pluto[3901]: loading ca certificates from 
'/etc/ipsec.d/cacerts'
Jul  9 22:37:28 kestrel pluto[3901]: loading aa certificates from 
'/etc/ipsec.d/aacerts'
Jul  9 22:37:28 kestrel pluto[3901]: loading ocsp certificates from 
'/etc/ipsec.d/ocspcerts'
Jul  9 22:37:28 kestrel pluto[3901]: Changing to directory '/etc/ipsec.d/crls'
Jul  9 22:37:28 kestrel pluto[3901]: loading attribute certificates from 
'/etc/ipsec.d/acerts'
Jul  9 22:37:28 kestrel pluto[3901]: spawning 4 worker threads
Jul  9 22:37:28 kestrel pluto[3901]: | inserting event EVENT_LOG_DAILY, timeout 
in 4952 seconds
Jul  9 22:37:28 kestrel pluto[3901]: | next event EVENT_REINIT_SECRET in 3600 
seconds
Jul  9 22:37:28 kestrel pluto[3901]: |
Jul  9 22:37:28 kestrel pluto[3901]: | *received whack message
Jul  9 22:37:28 kestrel pluto[3901]: listening for IKE messages
Jul  9 22:37:28 kestrel pluto[3901]: | found lo with address 127.0.0.1
Jul  9 22:37:28 kestrel pluto[3901]: | found eth0 with address 198.252.153.38
Jul  9 22:37:28 kestrel pluto[3901]: | found eth1 with address 10.0.1.81
Jul  9 22:37:28 kestrel pluto[3901]: | found tun0 with address 172.27.0.1
Jul  9 22:37:28 kestrel pluto[3901]: | found tun1 with address 172.27.100.1
Jul  9 22:37:28 kestrel pluto[3901]: adding interface tun1/tun1 172.27.100.1:500
Jul  9 22:37:28 kestrel pluto[3901]: adding interface tun1/tun1 
172.27.100.1:4500
Jul  9 22:37:28 kestrel pluto[3901]: adding interface tun0/tun0 172.27.0.1:500
Jul  9 22:37:28 kestrel pluto[3901]: adding interface tun0/tun0 172.27.0.1:4500
Jul  9 22:37:28 kestrel pluto[3901]: adding interface eth1/eth1 10.0.1.81:500
Jul  9 22:37:28 kestrel pluto[3901]: adding interface eth1/eth1 10.0.1.81:4500
Jul  9 22:37:28 kestrel pluto[3901]: adding interface eth0/eth0 
198.252.153.38:500
Jul  9 22:37:28 kestrel pluto[3901]: adding interface eth0/eth0 
198.252.153.38:4500
Jul  9 22:37:28 kestrel pluto[3901]: adding interface lo/lo 127.0.0.1:500
Jul  9 22:37:28 kestrel pluto[3901]: adding interface lo/lo 127.0.0.1:4500
Jul  9 22:37:28 kestrel pluto[3901]: | found lo with address 
0000:0000:0000:0000:0000:0000:0000:0001
Jul  9 22:37:28 kestrel pluto[3901]: adding interface lo/lo ::1:500
Jul  9 22:37:28 kestrel pluto[3901]: loading secrets from "/etc/ipsec.secrets"
Jul  9 22:37:28 kestrel pluto[3901]:   loaded PSK secret for %any %any
Jul  9 22:37:28 kestrel pluto[3901]:   loaded PSK secret for 198.252.153.38 %any
Jul  9 22:37:28 kestrel pluto[3901]: | next event EVENT_REINIT_SECRET in 3600 
seconds
Jul  9 22:37:28 kestrel pluto[3901]: |
Jul  9 22:37:28 kestrel pluto[3901]: | *received whack message
Jul  9 22:37:28 kestrel pluto[3901]: | from whack: got 
--esp=aes128-sha1,3des-sha1
Jul  9 22:37:28 kestrel pluto[3901]: | esp proposal: AES_CBC_128/HMAC_SHA1, 
3DES_CBC/HMAC_SHA1,
Jul  9 22:37:28 kestrel pluto[3901]: | from whack: got 
--ike=aes128-sha1-modp2048,3des-sha1-modp1536
Jul  9 22:37:28 kestrel pluto[3901]: | ike proposal: 
AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
Jul  9 22:37:28 kestrel pluto[3901]: added connection description "l2tp-psk"
Jul  9 22:37:28 kestrel pluto[3901]: | 
{0.0.0.0/0}===198.252.153.38[198.252.153.38]:17/1701...%any[%any]:17/%any==={0.0.0.0/0}
Jul  9 22:37:28 kestrel pluto[3901]: | ike_life: 10800s; ipsec_life: 3600s; 
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy: 
PSK+ENCRYPT+DONTREKEY
Jul  9 22:37:28 kestrel pluto[3901]: | next event EVENT_REINIT_SECRET in 3600 
seconds
Jul  9 22:37:39 kestrel pluto[3901]: |
Jul  9 22:37:39 kestrel pluto[3901]: | *received 352 bytes from 
208.54.45.249:50460 on eth0
Jul  9 22:37:39 kestrel pluto[3901]: packet from 208.54.45.249:50460: received 
Vendor ID payload [RFC 3947]
Jul  9 22:37:39 kestrel pluto[3901]: packet from 208.54.45.249:50460: ignoring 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul  9 22:37:39 kestrel pluto[3901]: packet from 208.54.45.249:50460: ignoring 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul  9 22:37:39 kestrel pluto[3901]: packet from 208.54.45.249:50460: ignoring 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul  9 22:37:39 kestrel pluto[3901]: packet from 208.54.45.249:50460: ignoring 
Vendor ID payload [FRAGMENTATION 80000000]
Jul  9 22:37:39 kestrel pluto[3901]: | preparse_isakmp_policy: peer requests 
PSK authentication
Jul  9 22:37:39 kestrel pluto[3901]: | instantiated "l2tp-psk" for 208.54.45.249
Jul  9 22:37:39 kestrel pluto[3901]: | creating state object #1 at 0xb94cefd0
Jul  9 22:37:39 kestrel pluto[3901]: | ICOOKIE:  6b b1 cb 6e  7c fd 4e f2
Jul  9 22:37:39 kestrel pluto[3901]: | RCOOKIE:  1b d3 e9 ae  b0 9f e3 5b
Jul  9 22:37:39 kestrel pluto[3901]: | peer:  d0 36 2d f9
Jul  9 22:37:39 kestrel pluto[3901]: | state hash entry 10
Jul  9 22:37:39 kestrel pluto[3901]: | inserting event EVENT_SO_DISCARD, 
timeout in 0 seconds for #1
Jul  9 22:37:39 kestrel pluto[3901]: "l2tp-psk"[1] 208.54.45.249:50460 #1: 
responding to Main Mode from unknown peer 208.54.45.249:50460
Jul  9 22:37:39 kestrel pluto[3901]: | inserting event EVENT_RETRANSMIT, 
timeout in 10 seconds for #1
Jul  9 22:37:39 kestrel pluto[3901]: | next event EVENT_RETRANSMIT in 10 
seconds for #1
Jul  9 22:37:40 kestrel pluto[3901]: |
Jul  9 22:37:40 kestrel pluto[3901]: | *received 228 bytes from 
208.54.45.249:50460 on eth0
Jul  9 22:37:40 kestrel pluto[3901]: | ICOOKIE:  6b b1 cb 6e  7c fd 4e f2
Jul  9 22:37:40 kestrel pluto[3901]: | RCOOKIE:  1b d3 e9 ae  b0 9f e3 5b
Jul  9 22:37:40 kestrel pluto[3901]: | peer:  d0 36 2d f9
Jul  9 22:37:40 kestrel pluto[3901]: | state hash entry 10
Jul  9 22:37:40 kestrel pluto[3901]: | state object #1 found, in STATE_MAIN_R1
Jul  9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[1] 208.54.45.249:50460 #1: 
NAT-Traversal: Result using RFC 3947: peer is NATed
Jul  9 22:37:40 kestrel pluto[3901]: | inserting event EVENT_NAT_T_KEEPALIVE, 
timeout in 20 seconds
Jul  9 22:37:40 kestrel pluto[3901]: | inserting event EVENT_RETRANSMIT, 
timeout in 10 seconds for #1
Jul  9 22:37:40 kestrel pluto[3901]: | next event EVENT_RETRANSMIT in 10 
seconds for #1
Jul  9 22:37:40 kestrel pluto[3901]: |
Jul  9 22:37:40 kestrel pluto[3901]: | *received 76 bytes from 
208.54.45.249:58920 on eth0
Jul  9 22:37:40 kestrel pluto[3901]: | ICOOKIE:  6b b1 cb 6e  7c fd 4e f2
Jul  9 22:37:40 kestrel pluto[3901]: | RCOOKIE:  1b d3 e9 ae  b0 9f e3 5b
Jul  9 22:37:40 kestrel pluto[3901]: | peer:  d0 36 2d f9
Jul  9 22:37:40 kestrel pluto[3901]: | state hash entry 10
Jul  9 22:37:40 kestrel pluto[3901]: | state object #1 found, in STATE_MAIN_R2
Jul  9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[1] 208.54.45.249:50460 #1: Peer 
ID is ID_IPV4_ADDR: '26.164.21.104'
Jul  9 22:37:40 kestrel pluto[3901]: | peer CA:      %none
Jul  9 22:37:40 kestrel pluto[3901]: | offered CA:   %none
Jul  9 22:37:40 kestrel pluto[3901]: | switched from "l2tp-psk" to "l2tp-psk"
Jul  9 22:37:40 kestrel pluto[3901]: | instantiated "l2tp-psk" for 208.54.45.249
Jul  9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:50460 #1: 
deleting connection "l2tp-psk" instance with peer 208.54.45.249 
{isakmp=#0/ipsec=#0}
Jul  9 22:37:40 kestrel pluto[3901]: | NAT-T: new mapping 
208.54.45.249:50460/58920)
Jul  9 22:37:40 kestrel pluto[3901]: | inserting event EVENT_SA_EXPIRE, timeout 
in 28800 seconds for #1
Jul  9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: sent 
MR3, ISAKMP SA established
Jul  9 22:37:40 kestrel pluto[3901]: | next event EVENT_NAT_T_KEEPALIVE in 20 
seconds
Jul  9 22:37:40 kestrel pluto[3901]: |
Jul  9 22:37:40 kestrel pluto[3901]: | *received 92 bytes from 
208.54.45.249:58920 on eth0
Jul  9 22:37:40 kestrel pluto[3901]: | ICOOKIE:  6b b1 cb 6e  7c fd 4e f2
Jul  9 22:37:40 kestrel pluto[3901]: | RCOOKIE:  1b d3 e9 ae  b0 9f e3 5b
Jul  9 22:37:40 kestrel pluto[3901]: | peer:  d0 36 2d f9
Jul  9 22:37:40 kestrel pluto[3901]: | state hash entry 10
Jul  9 22:37:40 kestrel pluto[3901]: | state object #1 found, in STATE_MAIN_R3
Jul  9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: 
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jul  9 22:37:40 kestrel pluto[3901]: | next event EVENT_NAT_T_KEEPALIVE in 20 
seconds
Jul  9 22:37:41 kestrel pluto[3901]: |
Jul  9 22:37:41 kestrel pluto[3901]: | *received 284 bytes from 
208.54.45.249:58920 on eth0
Jul  9 22:37:41 kestrel pluto[3901]: | ICOOKIE:  6b b1 cb 6e  7c fd 4e f2
Jul  9 22:37:41 kestrel pluto[3901]: | RCOOKIE:  1b d3 e9 ae  b0 9f e3 5b
Jul  9 22:37:41 kestrel pluto[3901]: | peer:  d0 36 2d f9
Jul  9 22:37:41 kestrel pluto[3901]: | state hash entry 10
Jul  9 22:37:41 kestrel pluto[3901]: | state object not found
Jul  9 22:37:41 kestrel pluto[3901]: | ICOOKIE:  6b b1 cb 6e  7c fd 4e f2
Jul  9 22:37:41 kestrel pluto[3901]: | RCOOKIE:  1b d3 e9 ae  b0 9f e3 5b
Jul  9 22:37:41 kestrel pluto[3901]: | peer:  d0 36 2d f9
Jul  9 22:37:41 kestrel pluto[3901]: | state hash entry 10
Jul  9 22:37:41 kestrel pluto[3901]: | state object #1 found, in STATE_MAIN_R3
Jul  9 22:37:41 kestrel pluto[3901]: | peer client is 26.164.21.104
Jul  9 22:37:41 kestrel pluto[3901]: | peer client protocol/port is 17/0
Jul  9 22:37:41 kestrel pluto[3901]: | our client is 198.252.153.38
Jul  9 22:37:41 kestrel pluto[3901]: | our client protocol/port is 17/1701
Jul  9 22:37:41 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: 
cannot respond to IPsec SA request because no connection is known for 
198.252.153.38:4500[198.252.153.38]:17/1701...208.54.45.249:58920[26.164.21.104]:17/%any==={26.164.21.104/32}
Jul  9 22:37:41 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: 
sending encrypted notification INVALID_ID_INFORMATION to 208.54.45.249:58920
Jul  9 22:37:41 kestrel pluto[3901]: | state transition function for 
STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
Jul  9 22:37:41 kestrel pluto[3901]: | next event EVENT_NAT_T_KEEPALIVE in 19 
seconds
Jul  9 22:37:51 kestrel pluto[3901]: |
Jul  9 22:37:51 kestrel pluto[3901]: | *received 284 bytes from 
208.54.45.249:58920 on eth0
Jul  9 22:37:51 kestrel pluto[3901]: | ICOOKIE:  6b b1 cb 6e  7c fd 4e f2
Jul  9 22:37:51 kestrel pluto[3901]: | RCOOKIE:  1b d3 e9 ae  b0 9f e3 5b
Jul  9 22:37:51 kestrel pluto[3901]: | peer:  d0 36 2d f9
Jul  9 22:37:51 kestrel pluto[3901]: | state hash entry 10
Jul  9 22:37:51 kestrel pluto[3901]: | state object not found
Jul  9 22:37:51 kestrel pluto[3901]: | ICOOKIE:  6b b1 cb 6e  7c fd 4e f2
Jul  9 22:37:51 kestrel pluto[3901]: | RCOOKIE:  1b d3 e9 ae  b0 9f e3 5b
Jul  9 22:37:51 kestrel pluto[3901]: | peer:  d0 36 2d f9
Jul  9 22:37:51 kestrel pluto[3901]: | state hash entry 10
Jul  9 22:37:51 kestrel pluto[3901]: | state object #1 found, in STATE_MAIN_R3
Jul  9 22:37:51 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used Message 
ID 0x49f91a9d (perhaps this is a duplicated packet)
Jul  9 22:37:51 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 208.54.45.249:58920
Jul  9 22:37:51 kestrel pluto[3901]: | next event EVENT_NAT_T_KEEPALIVE in 9 
seconds

root@kestrel:/var/log# ipsec statusall
Jul  9 22:37:57 kestrel pluto[3901]: |
Jul  9 22:37:57 kestrel pluto[3901]: | *received whack message
Jul  9 22:37:57 kestrel pluto[3901]: | next event EVENT_NAT_T_KEEPALIVE in 3 
seconds
000 Status of IKEv1 pluto daemon (strongSwan 4.5.0):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 198.252.153.38:4500
000 interface eth0/eth0 198.252.153.38:500
000 interface eth1/eth1 10.0.1.81:4500
000 interface eth1/eth1 10.0.1.81:500
000 interface tun0/tun0 172.27.0.1:4500
000 interface tun0/tun0 172.27.0.1:500
000 interface tun1/tun1 172.27.100.1:4500
000 interface tun1/tun1 172.27.100.1:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 
pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: control
000
000 "l2tp-psk": 
{0.0.0.0/0}===198.252.153.38[198.252.153.38]:17/1701...%any[%any]:17/%any==={0.0.0.0/0};
 unrouted; eroute owner: #0
000 "l2tp-psk":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 3
000 "l2tp-psk":   policy: PSK+ENCRYPT+DONTREKEY; prio: 0,0; interface: eth0;
000 "l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-psk"[2]: 
{0.0.0.0/0}===198.252.153.38:4500[198.252.153.38]:17/1701...208.54.45.249:58920[26.164.21.104]:17/%any==={0.0.0.0/0};
 unrouted; eroute owner: #0
000 "l2tp-psk"[2]:   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 3
000 "l2tp-psk"[2]:   policy: PSK+ENCRYPT+DONTREKEY; prio: 0,0; interface: eth0;
000 "l2tp-psk"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "l2tp-psk"[2]:   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000
000 #1: "l2tp-psk"[2] 208.54.45.249:58920 STATE_MAIN_R3 (sent MR3, ISAKMP SA 
established); EVENT_SA_EXPIRE in 28783s; newest ISAKMP
000

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
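The failure line in the post packs the whole Quick Mode request into pluto's `host[:port][id]:proto/port...host[:port][id]:proto/port==={subnet}` notation, and the template the daemon loaded is printed in the same notation two lines after "added connection description". The following triage script is an added example, not code from the post or from strongSwan: it decodes both strings into fields, checks each field of the request against the template's fixed values and `%any` wildcards, and flags the NAT-related facts (our side now on UDP 4500, a peer ID and client address that differ from the address the packets arrive from). The regexes for pluto's notation and the syslog-prefix stripping are assumptions; the sample log lines are constructed from the excerpt above with the mailer's line wrapping undone. Run on those lines it reports no selector mismatch, which narrows the search to the NAT-T fields it flags rather than to a protocol or port typo.

```python
"""Decode pluto connection descriptions and triage the
'cannot respond to IPsec SA request because no connection is known for ...' failure.
Added example, not strongSwan code; notation regexes are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One end of a description:  host[:port][id]:proto/port   (port part absent on templates)
ENDPOINT_RE = re.compile(
    r"^(?P<host>%any|[0-9.]+)(?::(?P<port>\d+))?"
    r"\[(?P<id>[^\]]*)\]:(?P<proto>\d+)/(?P<pport>%any|\d+)$"
)
ADDED_RE = re.compile(r'^added connection description "(?P<conn>[^"]+)"$')
FAIL_RE = re.compile(
    r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: cannot respond to IPsec SA '
    r"request because no connection is known for (?P<desc>\S+)$"
)


@dataclass
class Endpoint:
    host: str
    port: Optional[int]   # IKE port (500, or 4500 once NAT-T encapsulation is on)
    ident: str            # identity in [...]; "%any" is a wildcard
    proto: int            # traffic-selector protocol
    pport: Optional[int]  # traffic-selector port; None means %any


@dataclass
class ConnDesc:
    left: Endpoint
    right: Endpoint
    left_subnet: Optional[str]
    right_subnet: Optional[str]


@dataclass
class Finding:
    conn: str
    peer: str                  # address:port the request arrived from
    request: ConnDesc
    template: Optional[ConnDesc]
    mismatches: List[str] = field(default_factory=list)
    nated_peer: bool = False   # asserted ID differs from the source address
    nat_t: bool = False        # our side is on UDP 4500


def parse_endpoint(text: str) -> Endpoint:
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError(f"unparseable endpoint: {text!r}")
    port, pport = m.group("port"), m.group("pport")
    return Endpoint(m.group("host"), int(port) if port else None, m.group("id"),
                    int(m.group("proto")), None if pport == "%any" else int(pport))


def parse_conn_desc(text: str) -> ConnDesc:
    """Decode '{lsub}===left...right==={rsub}'; both subnet parts are optional."""
    text = text.strip().rstrip(";")
    left_subnet = right_subnet = None
    if text.startswith("{"):
        left_subnet, text = text[1:].split("}===", 1)
    if text.endswith("}"):
        text, rest = text.rsplit("==={", 1)
        right_subnet = rest[:-1]
    left, right = text.split("...", 1)
    return ConnDesc(parse_endpoint(left), parse_endpoint(right), left_subnet, right_subnet)


def selector_mismatches(tmpl: ConnDesc, req: ConnDesc) -> List[str]:
    """Request fields that the template's fixed values or wildcards do not cover."""
    out = []
    for side in ("left", "right"):
        t, r = getattr(tmpl, side), getattr(req, side)
        if t.host != "%any" and t.host != r.host:
            out.append(f"{side} host {r.host} != {t.host}")
        if t.ident != "%any" and t.ident != r.ident:
            out.append(f"{side} id {r.ident} != {t.ident}")
        if t.proto != r.proto:
            out.append(f"{side} protocol {r.proto} != {t.proto}")
        if t.pport is not None and t.pport != r.pport:
            out.append(f"{side} port {r.pport} != {t.pport}")
        tsub, rsub = getattr(tmpl, f"{side}_subnet"), getattr(req, f"{side}_subnet")
        if tsub and rsub and not ipaddress.ip_network(rsub, strict=False).subnet_of(
                ipaddress.ip_network(tsub, strict=False)):
            out.append(f"{side} client {rsub} not within {tsub}")
    return out


def triage(log_text: str) -> List[Finding]:
    templates, pending, findings = {}, None, []
    for line in log_text.splitlines():
        msg = line.split("]: ", 1)[1] if "]: " in line else line  # drop syslog prefix
        m = ADDED_RE.match(msg)
        if m:
            pending = m.group("conn")          # description follows on the next "| " line
            continue
        if pending and msg.startswith("| "):
            templates[pending], pending = parse_conn_desc(msg[2:]), None
            continue
        m = FAIL_RE.match(msg)
        if m:
            req, tmpl = parse_conn_desc(m.group("desc")), templates.get(m.group("conn"))
            findings.append(Finding(
                m.group("conn"), m.group("peer"), req, tmpl,
                selector_mismatches(tmpl, req) if tmpl else ["no template seen in log"],
                nated_peer=req.right.ident != req.right.host, nat_t=req.left.port == 4500))
    return findings


# Constructed from the post's excerpt, with the mailer's line wrapping undone.
SAMPLE_LOG = """\
Jul  9 22:37:28 kestrel pluto[3901]: added connection description "l2tp-psk"
Jul  9 22:37:28 kestrel pluto[3901]: | {0.0.0.0/0}===198.252.153.38[198.252.153.38]:17/1701...%any[%any]:17/%any==={0.0.0.0/0}
Jul  9 22:37:40 kestrel pluto[3901]: "l2tp-psk"[1] 208.54.45.249:50460 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Jul  9 22:37:41 kestrel pluto[3901]: "l2tp-psk"[2] 208.54.45.249:58920 #1: cannot respond to IPsec SA request because no connection is known for 198.252.153.38:4500[198.252.153.38]:17/1701...208.54.45.249:58920[26.164.21.104]:17/%any==={26.164.21.104/32}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.conn, f.peer, "mismatches:", f.mismatches or "none",
              "| peer ID behind NAT:", f.nated_peer, "| NAT-T port 4500:", f.nat_t)
```

The template check treats `%any` in the host, ID or port position as matching anything and uses `ipaddress` containment for the client subnets, so a genuine `leftprotoport`/`rightprotoport` typo shows up as an explicit `left port` or `right protocol` entry, while a request that fits every wildcard yields an empty list and the two NAT flags.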
