From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Thu Oct 03 2002 - 22:01:10 CEST
The error message is
> "to-me"[1] 63.77.172.62 #7: cannot respond to IPsec SA request
> because no connection is known for 192.168.1.0/24===63.77.172.2[C=US,
> ST=California, L=Los Altos, O=BizSystems, OU=Office,
> CN=ns2.bizsystems.net, E=sysadm_at_bizsystems.com].
> ..63.77.172.62[CN=maus_at_grtimp.com]===192.168.1.111/32
If you give a fixed Virtual IP address 192.168.1.111
to your SSH Sentinel client then you must define it in
ipsec.conf using
rightsubnet=192.168.1.111/32
If you have several Sentinel road warriors with different
Virtual IPs then you can use the wildcard
rightsubnetwithin=192.168.1.0/24
Regards
Andreas
Michael wrote:
> I'm having a bit of a problem with SSH Sentinel
>
> Following the guide in the SSH Sentinel PDF and Nadeem Hasan's docs,
> I've created the signed certs for Sentinel. After importing and
> running diagnostics (with no ip-address assigned), the connection is
> established just fine.
>
> Here's the problem. The freeswan gateway has no automatic IP
> assignment daemon, IP space must be manually assigned. When I change
> the VPN IP assignment to manual, I can no longer make the connection
> because the peer ID changes. How do I set the configuration so that I
> can pre-assign the peer ID and still connect?
>
> ipsec.conf
> <snip>
> conn to-net
> leftsubnet=192.168.1.0/24
> also=to-me
>
> conn to-me
> keyingtries=2
> right=%any
> auto=add
>
> Below are the logs from both cases.
>
> ######## no ip in vpn -- SUCCESS, no IP address
> "to-me"[1] 63.77.172.62 #8: responding to Main Mode from unknown peer
> 63.77.172.62
> "to-me"[1] 63.77.172.62 #8: ignoring informational payload, type
> IPSEC_INITIAL_CONTACT
> "to-me"[1] 63.77.172.62 #8: Peer ID is ID_DER_ASN1_DN:
> 'CN=maus_at_grtimp.com'
> "to-me"[1] 63.77.172.62 #8: sent MR3, ISAKMP SA established
> "to-me"[1] 63.77.172.62 #8: retransmitting in response to duplicate
> packet; already STATE_MAIN_R3
> "to-net"[2] 63.77.172.62 #9: responding to Quick Mode
> "to-net"[2] 63.77.172.62 #9: IPsec SA established
> "to-me"[1] 63.77.172.62 #8: ignoring Delete SA payload
> "to-me"[1] 63.77.172.62 #8: received and ignored informational
> message
> "to-me"[1] 63.77.172.62 #8: ignoring Delete SA payload?
> "to-me"[1] 63.77.172.62 #8: received and ignored informational
> message
>
> ############ with ip address 192.168.1.111 -- FAILS
>
> "to-net"[1] 63.77.172.62 #7: responding to Main Mode from unknown peer
> 63.77.172.62
> "to-net"[1] 63.77.172.62 #7: ignoring informational payload, type
> IPSEC_INITIAL_CONTACT
> "to-net"[1] 63.77.172.62 #7: Peer ID is ID_DER_ASN1_DN:
> 'CN=maus_at_grtimp.com'
> "to-me"[1] 63.77.172.62 #7: deleting connection
> "to-net" instance with peer 63.77.172.62
> "to-me"[1] 63.77.172.62 #7: sent MR3, ISAKMP SA established
> "to-me"[1] 63.77.172.62 #7: retransmitting in response to duplicate
> packet; already STATE_MAIN_R3
> "to-me"[1] 63.77.172.62 #7: cannot respond to IPsec SA request
> because no connection is known for 192.168.1.0/24===63.77.172.2[C=US,
> ST=California, L=Los Altos, O=BizSystems, OU=Office,
> CN=ns2.bizsystems.net, E=sysadm_at_bizsystems.com].
> ..63.77.172.62[CN=maus_at_grtimp.com]===192.168.1.111/32
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
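Added illustration (not part of the original exchange, and not FreeS/WAN's own code): a small Python model of the connection lookup that Pluto performs when it receives a Quick Mode proposal, following the rules in Andreas's reply. It parses the selector pair out of the failing "no connection is known for" line (joined onto one line here, since the mail client wrapped it) and then checks three constructed conn sets against it: Michael's original definitions, the fixed Virtual IP case with rightsubnet, and the several-road-warriors case with rightsubnetwithin. The conn dictionaries, the helper names and the default "no rightsubnet means the peer's own /32" rule are assumptions made for the example.

```python
import ipaddress
import re

# Constructed copy of the failing Quick Mode line from Michael's log, joined
# onto one line. The pair Pluto must match reads
#   left subnet === left gateway[DN] ... peer[DN] === right subnet
FAILED_SA_REQUEST = (
    '"to-me"[1] 63.77.172.62 #7: cannot respond to IPsec SA request '
    'because no connection is known for 192.168.1.0/24===63.77.172.2'
    '[C=US, ST=California, L=Los Altos, O=BizSystems, OU=Office, '
    'CN=ns2.bizsystems.net, E=sysadm_at_bizsystems.com]'
    '...63.77.172.62[CN=maus_at_grtimp.com]===192.168.1.111/32'
)

_SA_RE = re.compile(
    r'no connection is known for ([\d./]+)===([\d.]+)\[[^\]]*\]'
    r'\.\.\.([\d.]+)\[[^\]]*\]===([\d./]+)'
)

def parse_sa_request(line):
    """Return (left_subnet, left_gateway, peer, right_subnet) from the line."""
    m = _SA_RE.search(line)
    if not m:
        raise ValueError("not a 'no connection is known' line")
    return m.groups()

def _net(text):
    return ipaddress.ip_network(text, strict=False)

def conn_accepts(conn, left_subnet, peer, right_subnet):
    """Does one conn accept the proposed selector pair?
    rightsubnet must match the client's subnet exactly; rightsubnetwithin
    accepts any client subnet inside the range; with neither set (assumed
    default) the client may only propose its own address as a /32."""
    want_left = _net(conn.get("leftsubnet", conn["left"] + "/32"))
    if want_left != _net(left_subnet):
        return False
    got_right = _net(right_subnet)
    if "rightsubnet" in conn:
        return _net(conn["rightsubnet"]) == got_right
    if "rightsubnetwithin" in conn:
        return got_right.subnet_of(_net(conn["rightsubnetwithin"]))
    return got_right == _net(peer + "/32")

def find_conn(conns, left_subnet, peer, right_subnet):
    """Name of the first conn that accepts the proposal, or None, which is
    the situation behind 'cannot respond to IPsec SA request'."""
    for name, conn in conns.items():
        if conn_accepts(conn, left_subnet, peer, right_subnet):
            return name
    return None

GATEWAY = "63.77.172.2"  # left gateway address taken from the log line

# Michael's original conns, reduced to the selector-relevant keys
# (to-net inherits right=%any from to-me via also=to-me).
ORIGINAL = {
    "to-net": {"left": GATEWAY, "leftsubnet": "192.168.1.0/24"},
    "to-me":  {"left": GATEWAY},
}
# One client with a fixed Virtual IP: name its exact /32.
FIXED_VIP = {
    "to-net": {**ORIGINAL["to-net"], "rightsubnet": "192.168.1.111/32"},
}
# Several road warriors with different Virtual IPs: accept the whole range.
WILDCARD_VIP = {
    "to-net": {**ORIGINAL["to-net"], "rightsubnetwithin": "192.168.1.0/24"},
}

if __name__ == "__main__":
    left, gw, peer, right = parse_sa_request(FAILED_SA_REQUEST)
    print("no Virtual IP, original  :", find_conn(ORIGINAL, left, peer, peer + "/32"))
    print("Virtual IP, original     :", find_conn(ORIGINAL, left, peer, right))
    print("Virtual IP, rightsubnet  :", find_conn(FIXED_VIP, left, peer, right))
    print("Virtual IP, within       :", find_conn(WILDCARD_VIP, left, peer, right))
    print("other Virtual IP, within :", find_conn(WILDCARD_VIP, left, peer, "192.168.1.57/32"))
```

Running it shows why the two logs differ: without a Virtual IP the client proposes its own address 63.77.172.62/32, which the original to-net accepts; with 192.168.1.111/32 proposed, nothing matches until either an exact rightsubnet or a covering rightsubnetwithin is added. The exact form is unforgiving: a rightsubnet one digit off (192.168.1.11/32) is rejected just like the missing one.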
This archive was generated by hypermail 2.1.5 : Fri Oct 04 2002 - 05:20:19 CEST