Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 15265 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

cannot respond to IPsec SA

rebel2k
Hello,

i'm trying to configure a Roadwarrior VPN to one Host behind the Firewall. My RW Test Clients are all behind a NAT, don't know if this could be the case. The error Message is every try the same. 

pluto[4644]: "S_test_0"[8] 217.232.175.49:64645 #8: cannot respond to IPsec SA request because no connection is known for 217.70.xxx.xxx/32===217.70.xxx.xxx:4500...217.232.175.49:64645[192.168.254.2]===192.168.130.66/32
2005:02:21-02:52:36 (none) pluto[4644]: "S_test_0"[8] 217.232.175.49:64645 #8: sending encrypted notification INVALID_ID_INFORMATION to 217.232.175.49:64645

I have tried everything bot nothing changed. Could it be the Problem that the incoming traffic to the Host "behind" the firewall is send directly to the Host and not via the Firewall? 

Hope anybody can help me

Tom


This thread was automatically locked due to age.
Parents
  • 0
    Hi Tom,

    your Subnet Definition on the ASL site is not correct. YOu have to set the internal address of your client/LAN. You defined 217.70.xxx.xxx/32 which is a oficial IP address. Post your network settings and scenario if you have further questions.
    /bagira
  • 0 in reply to bagira
    There is no NAT on the Astaro-Side. The machine which i want to connect via VPN has really this real Address. I was unclean in my describtion, sorry. I hope it is not impossible with official Adresses?

    Regards

    Tom
Reply
  • 0 in reply to bagira
    There is no NAT on the Astaro-Side. The machine which i want to connect via VPN has really this real Address. I was unclean in my describtion, sorry. I hope it is not impossible with official Adresses?

    Regards

    Tom
Children
  • 0 in reply to rebel2k
    2005:02:21-12:21:42 (none) pluto[14797]: | removing 4 bytes of padding
    2005:02:21-12:21:42 (none) pluto[14797]: | peer client is 192.168.130.66/32
    2005:02:21-12:21:42 (none) pluto[14797]: | peer client protocol/port is 0/0
    2005:02:21-12:21:42 (none) pluto[14797]: | our client is subnet 217.70.151.xxx/32
    2005:02:21-12:21:42 (none) pluto[14797]: | our client protocol/port is 0/0
    2005:02:21-12:21:42 (none) pluto[14797]: "S_test_0"[4] 217.232.175.49:64123 #2: cannot respond to IPsec SA request because no connection is known for 217.70.151.xxx/32===217.70.151.xxx:4500...217.232.175.49:64123[192.168.254.2]===192.168.130.66/32
    2005:02:21-12:21:42 (none) pluto[14797]: "S_test_0"[4] 217.232.175.49:64123 #2: sending encrypted notification INVALID_ID_INFORMATION to 217.232.175.49:64123

    Here is my configuration:

    config setup
            interfaces="ipsec0=eth1"
            klipsdebug=none
            plutodebug="emitting parsing"
            dumpdir=
            manualstart=
            fragicmp=yes
            packetdefault=drop
            hidetos=yes
            uniqueids=no
            overridemtu=1420
            nocrsend=yes
            nat_traversal=yes
            keep_alive=60
            crlcheckinterval=0
            strictcrlpolicy=no

    conn %default
            rekeymargin=9m
            rekeyfuzz=100%
            keyingtries=0

    conn S_test_0
            left="217.70.151.xxx"
            keyingtries="3"
            esp="3des-md5"
            authby="secret"
            ikelifetime="7800"
            keyexchange="ike"
            pfsgroup="modp1536"
            pfs="yes"
            leftsubnet="217.70.151.xxx/255.255.255.255"
            keylife="3600"
            rightid="0.0.0.0"
            rightupdown="/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log"
            right="0.0.0.0"
            auto="add"
            leftupdown="/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log"
            compress="no"
            ike="3des-md5-modp1536"
            type="tunnel"
  • 0 in reply to rebel2k
    Invalid ID means that the identifier is not set correctly. Do you use dynamic endpoints? If you use PSK or RSA, you have to define the same Key for every connection to get it to work.
Cookie Information Banner