Re: [Users] same probs like many other ..cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===212.93.30.252

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Thu Aug 15 2002 - 19:47:02 CEST


The solution is simple! You define in ipsec.conf:

> rightsubnet=192.168.1.0/24

whereas your peer wants

rightsubnet=192.168.1.2/32

Regards

Andreas

Thomas_Heidkamp_at_hks-net.de wrote:
> Hello,
>
> I have the same probs like many others but I always read the mailing list,
> so I tried the following:
>
> My ipsec.conf
>
> # basic configuration
> config setup
>     interfaces="ipsec0=eth0"
>     klipsdebug=none
>     plutodebug=none
>     plutoload=%search
>     uniqueids=yes
>
> conn %default
>     keyingtries=0
>     disablearrivalcheck=no
>     keyexchange=ike
>     ikelifetime=240m
>     keylife=60m
>     pfs=yes
>     compress=no
>     authby=rsasig
>     right=%any
>     rightrsasigkey=%cert
>     left=212.93.30.252
>     leftnexthop=212.93.30.249
>     leftcert=freeswan_cert.pem
>     auto=add
>
> conn tommi_zuhause
>     type=tunnel
>     leftsubnet=0.0.0.0/0
>     rightsubnet=192.168.1.0/24
>
> I use the entry leftsubnet with 0.0.0.0/0 or 0/0.
> Always the same !!
>
> I think, I really need help !!
>
> So, plz send me some hints.
>
> I always get the following :
>
> Aug 13 21:22:13 firewall ipsec_setup: ...FreeS/WAN IPsec stopped
> Aug 13 21:22:18 firewall ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
> Aug 13 21:22:18 firewall ipsec_setup: KLIPS debug `none'
> Aug 13 21:22:18 firewall ipsec_setup: KLIPS ipsec0 on eth0
> 212.93.30.252/255.255.255.248 broadcast 212.93.30.255
> Aug 13 21:22:18 firewall ipsec__plutorun: Starting Pluto subsystem...
> Aug 13 21:22:18 firewall pluto[17182]: Starting Pluto (FreeS/WAN Version
> 1.98b)
> Aug 13 21:22:18 firewall ipsec_setup: ...FreeS/WAN IPsec started
> Aug 13 21:22:18 firewall pluto[17182]: including X.509 patch (Version
> 0.9.14)
> Aug 13 21:22:18 firewall pluto[17182]: Changing to directory
> '/etc/ipsec.d/cacerts'
> Aug 13 21:22:18 firewall pluto[17182]: loaded cacert file 'cacert.pem'
> (1245 bytes)
> Aug 13 21:22:18 firewall pluto[17182]: Changing to directory
> '/etc/ipsec.d/crls'
> Aug 13 21:22:18 firewall pluto[17182]: Warning: empty directory
> Aug 13 21:22:18 firewall pluto[17182]: loaded my default X.509 cert file
> '/etc/x509cert.der' (938 bytes)
> Aug 13 21:22:18 firewall pluto[17182]: loaded host cert file
> '/etc/ipsec.d/freeswan_cert.pem' (3619 bytes)
> Aug 13 21:22:18 firewall pluto[17182]: added connection description
> "tommi_zuhause"
> Aug 13 21:22:18 firewall pluto[17182]: listening for IKE messages
> Aug 13 21:22:18 firewall pluto[17182]: adding interface ipsec0/eth0
> 212.93.30.252
> Aug 13 21:22:18 firewall pluto[17182]: loading secrets from
> "/etc/ipsec.secrets"
> Aug 13 21:22:26 firewall pluto[17182]: packet from 212.62.83.199:500:
> ignoring Vendor ID payload
> Aug 13 21:22:26 firewall pluto[17182]: "tommi_zuhause"[1] 212.62.83.199 #1:
> responding to Main Mode from unknown peer 212.62.83.199
> Aug 13 21:22:28 firewall pluto[17182]: "tommi_zuhause"[1] 212.62.83.199 #1:
> ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Aug 13 21:22:28 firewall pluto[17182]: "tommi_zuhause"[1] 212.62.83.199 #1:
> Peer ID is ID_DER_ASN1_DN: 'CN=thomas_heidkamp_at_hks-net.de'
> Aug 13 21:22:28 firewall pluto[17182]: "tommi_zuhause"[1] 212.62.83.199 #1:
> Issuer CRL not found
> Aug 13 21:22:28 firewall pluto[17182]: "tommi_zuhause"[1] 212.62.83.199 #1:
> Issuer CRL not found
> Aug 13 21:22:28 firewall pluto[17182]: "tommi_zuhause"[2] 212.62.83.199 #1:
> deleting connection "tommi_zuhause" instance with peer 212.62.83.199
> Aug 13 21:22:28 firewall pluto[17182]: "tommi_zuhause"[2] 212.62.83.199 #1:
> sent MR3, ISAKMP SA established
> Aug 13 21:22:29 firewall pluto[17182]: "tommi_zuhause"[2] 212.62.83.199 #1:
> retransmitting in response to duplicate packet; already STATE_MAIN_R3
> Aug 13 21:22:30 firewall pluto[17182]: "tommi_zuhause"[2] 212.62.83.199 #1:
> cannot respond to IPsec SA request because no connection is known for
> 0.0.0.0/0===212.93.30.252[C=de, ST=nrw, L=paderborn, O=hks, OU=hks,
> CN=firewall.hks-net.de,
> E=thomas_heidkamp_at_hks-net.de]...212.62.83.199[CN=thomas_heidkamp_at_hks-net.de]
>
> ==192.168.1.2/32
> Aug 13 21:22:32 firewall pluto[17182]: "tommi_zuhause"[2] 212.62.83.199 #1:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0xfbd904c1 (perhaps this is a duplicated packet)

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
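
The check behind the reply above, as an added example that is not part of the original thread or of FreeS/WAN: it reads the subnets the peer asked for out of Pluto's "no connection is known for" message and compares them with each `conn` in ipsec.conf. The function names, the one-line form of the log message with shortened IDs, and the reading of `left` as the local side (as in the quoted config) are assumptions.

```python
import ipaddress
import re

# Constructed sample: the conn section of the quoted ipsec.conf (left = local side).
IPSEC_CONF = """\
conn tommi_zuhause
    type=tunnel
    leftsubnet=0.0.0.0/0
    rightsubnet=192.168.1.0/24
"""
# Constructed sample: the wrapped Pluto error from the quoted log, rejoined onto
# one line, with the certificate IDs shortened.
LOG_LINE = ('Aug 13 21:22:30 firewall pluto[17182]: "tommi_zuhause"[2] 212.62.83.199 #1: '
            'cannot respond to IPsec SA request because no connection is known for '
            '0.0.0.0/0===212.93.30.252[CN=firewall.hks-net.de]...'
            '212.62.83.199[CN=peer]===192.168.1.2/32')

NET = r'\d+\.\d+\.\d+\.\d+/\d+'
# Message layout: ourclient===ourhost[id]...peerhost[id]===peerclient
REQ = re.compile(r'no connection is known for\s+(?:(' + NET + r')={2,3})?'
                 r'.+?\.\.\..+?(?:={2,3}(' + NET + r'))?\s*$')

def parse_conns(text):
    """Return {conn name: {parameter: value}} from ipsec.conf text."""
    conns, name = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('conn '):
            name = line.split()[1]
            conns[name] = {}
        elif name and '=' in line:
            key, value = line.split('=', 1)
            conns[name][key.strip()] = value.strip()
    return conns

def diagnose(conf_text, log_line):
    """List (conn, parameter, configured, requested) where the two differ."""
    m = REQ.search(log_line)
    if not m:
        return []
    wanted = {'leftsubnet': m.group(1), 'rightsubnet': m.group(2)}
    findings = []
    for name, opts in parse_conns(conf_text).items():
        for key, asked in wanted.items():
            have = opts.get(key)
            if asked and have and ipaddress.ip_network(have) != ipaddress.ip_network(asked):
                findings.append((name, key, have, asked))
    return findings

if __name__ == '__main__':
    print(diagnose(IPSEC_CONF, LOG_LINE))
```
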
