
[Users] cannot respond to IPsec SA request because no connection is known

From: Nicole Zimmerman (colby_at_wsu.edu)
Date: Fri Apr 26 2002 - 05:40:21 CEST


When I attempt to connect to my Cisco VPN Concentrator, I am getting the
error:

cannot respond to IPsec SA request because no connection is known for
207.108.60.XX/32===10.0.242.183...207.88.74.XX

I have looked around a little bit for tips on fixing this error but so far
I have not found anything. I have "fixed" a bunch of other problems with
connecting to this VPN (PSK problems, life problems, ...), but now I'm
stuck. Here's the rundown on my config.

On interface eth0, I serve NAT for my home network (192.168.100.0/24, my
IP is 192.168.100.1).

On interface eth1, I am connected to my ISP through their wireless LAN. My
LAN IP is 10.0.242.183 (network 10.0.242.0/24). My gateway IP is
10.0.242.1. ipsec0 is "bound" to interface eth1.

I appear on the internet to come from my ISP's firewall, 207.108.60.XX.

My VPN's IP is 207.88.74.XX.

So:

LAN (eth0)    --> ISP LAN (eth1) --> ISP FW        --> internet --> VPN
192.168.100.1     10.0.242.183       207.108.60.XX                  207.88.74.XX

I tried creating a virtual interface eth1:1 with the IP address
207.108.60.XX network 255.255.255.255. If I try to bind ipsec0 to eth1:1,
it looks like it launches, but it looks like it can't really route (hangs
at initiating Main Mode), even if I use `route add 207.108.60.XX/32
eth1:1`.

My ipsec.conf:

 --- 8< ---

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dns
        rightrsasigkey=%dns

conn me-to-anyone
        left=%defaultroute
        right=%opportunistic
        keylife=1h
        rekey=no
        #auto=route

conn ciscovpn
       left=10.0.242.183
       right=207.88.74.XX
       rightnexthop=207.88.74.XX
       rightsubnet=192.168.167.0/24
       auto=add
       pfs=no
       type=tunnel
       authby=secret
       auth=esp
       esp=3des-md5-96
       spibase=0x200
       lifetime=24h
       keyexchange=ike
       keylife=24h

 --- >8 ---

My ipsec.secrets:

 --- 8< ---

10.0.242.183 207.88.74.XX : PSK "xxxxxx"
207.108.60.XX 207.88.74.XX : PSK "xxxxxx"

 --- >8 ---

Any suggestions? Is there anything I can do without the cooperation of my
ISP? I feel like I am missing something obvious but I can't figure it out.

thanks,
-nicole

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:56 CEST