From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Fri Oct 11 2002 - 22:30:18 CEST
You define in ipsec.conf
> 000 "Ihsan"[1]: 213.238.130.96/28===213.238.128.181[C=TR, ST=Istanbul,
> O=Turkmen Security Consultancy, CN=Caniko]---213.238.128.135]
but the peer wants the following IPsec SA
> Oct 7 11:06:28 Tuna pluto[32553]: "Ihsan"[1] 213.238.144.203 #1: cannot
> respond to IPsec SA request because no connection is known for
> 213.238.130.96/29===213.238.128.181[C=TR, ST=Istanbul, O=Turkmen Security
> Consultancy, CN=Caniko]...213.238.144.203[C=TR, ST=Isanbul, O=Turkmen
The network mask of the subnet differs: ../28 versus ../29
Regards
Andreas
Ihsan Turkmen wrote:
> Hi
>
> 1) I have transferred (copied) the /etc/ipsec.d directory structure of a
> running FreeSWAN (Gateway A) to another freshly installed FreeSWAN (Gateway B)
> gateway.
> 2) I transferred the ipsec.secrets file from Gateway A to Gateway B (for
> pointing the key file) as well.
> 3) Restarted the ipsec pluto, expecting the Win2k client of the previously
> running gateway (Gateway A) would connect to this new gateway (Gateway B) as
> well.
>
> When I try to connect from Win2K client, ipsec barf gives me the following
> error.
> ----------------------------------------------------------------------------
> Oct 7 11:06:27 Tuna pluto[32553]: "Ihsan"[1] 213.238.144.203 #1: sent MR3,
> ISAKMP SA established
> Oct 7 11:06:28 Tuna pluto[32553]: "Ihsan"[1] 213.238.144.203 #1: cannot
> respond to IPsec SA request because no connection is known for
> 213.238.130.96/29===213.238.128.181[C=TR, ST=Istanbul, O=Turkmen Security
> Consultancy, CN=Caniko]...213.238.144.203[C=TR, ST=Isanbul, O=Turkmen
> Security Consultancy, CN=Ihsan Turkmen, E=iturkmen_at_ifk.com.tr]
> Oct 7 11:06:29 Tuna pluto[32553]: "Ihsan"[1] 213.238.144.203 #1: Quick Mode
> I1 message is unacceptable because it uses a previously used Message ID
> 0xa250cf97 (perhaps this is a duplicated packet)
> ----------------------------------------------------------------------------
>
> This is ipsec auto --status
> ----------------------------------------------------------------------------
> 000 interface ipsec0/eth1 213.238.128.181
> 000
> 000 "Ihsan"[1]: 213.238.130.96/28===213.238.128.181[C=TR, ST=Istanbul,
> O=Turkmen Security Consultancy, CN=Caniko]---213.238.128.135]
> 000 "Ihsan"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 3
> 000 "Ihsan"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK;
> interface: eth1; unrouted
> 000 "Ihsan"[1]: newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner:
> #0
> 000 "Ihsan": 213.238.130.96/28===213.238.128.181[C=TR, ST=Istanbul,
> O=Turkmen Security Consultancy, CN=Caniko]---213.238.128.135...]
> 000 "Ihsan": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 3
> 000 "Ihsan": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK;
> interface: eth1; unrouted
> 000 "Ihsan": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
> 000
> 000 #1: "Ihsan"[1] 213.238.144.203 STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_REPLACE in 1528s; newest ISAKMP
>
> What mistake might I have made?
>
> Thanks for your help..
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen                   e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                    phone:  +41 76 340 25 56
Alter Zürichweg 20                home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
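An added example, not part of the original mail or of FreeS/WAN: a Python check that extracts the subnet the peer proposed from pluto's "no connection is known for" message and compares it with the subnets listed by ipsec auto --status, which is the comparison made by eye in the reply above. The function names are hypothetical, and the sample strings are constructed by re-joining the wrapped lines quoted in this thread (peer DN abbreviated).

```python
import ipaddress
import re

# Constructed sample input: status and log lines quoted in this thread, re-joined.
STATUS = ('000 "Ihsan"[1]: 213.238.130.96/28===213.238.128.181[C=TR, ST=Istanbul, '
          'O=Turkmen Security Consultancy, CN=Caniko]---213.238.128.135]\n'
          '000 "Ihsan"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; '
          'interface: eth1; unrouted\n'
          '000 "Ihsan": 213.238.130.96/28===213.238.128.181[C=TR, ST=Istanbul, '
          'O=Turkmen Security Consultancy, CN=Caniko]---213.238.128.135...]')
LOG = ('Oct 7 11:06:28 Tuna pluto[32553]: "Ihsan"[1] 213.238.144.203 #1: cannot '
       'respond to IPsec SA request because no connection is known for '
       '213.238.130.96/29===213.238.128.181[C=TR, ST=Istanbul, O=Turkmen Security '
       'Consultancy, CN=Caniko]...213.238.144.203[...]')  # peer DN abbreviated

CIDR = r'(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})'
REQ_RE = re.compile(r'no connection is known for ' + CIDR + r'===')
CONN_RE = re.compile(r'^000 "([^"]+)"(?:\[\d+\])?: +' + CIDR + r'===', re.M)

def relation(requested, configured):
    """Classify the peer's proposed subnet against one configured subnet."""
    if requested == configured:
        return "match"
    if requested.subnet_of(configured):
        return "narrower"   # peer proposes a smaller range, e.g. /29 inside /28
    if configured.subnet_of(requested):
        return "wider"      # peer proposes a larger range than configured
    return "disjoint"

def diagnose(log_line, status_text):
    """Return (conn, configured, requested, relation) for each configured subnet."""
    m = REQ_RE.search(log_line)
    if m is None:           # not a subnet-bearing "no connection is known" message
        return []
    requested = ipaddress.ip_network(m.group(1), strict=False)
    # Template and instance lines repeat the same subnet; the set removes repeats.
    seen = {(name, ipaddress.ip_network(net, strict=False))
            for name, net in CONN_RE.findall(status_text)}
    return sorted((name, str(cfg), str(requested), relation(requested, cfg))
                  for name, cfg in seen)

if __name__ == "__main__":
    for conn, cfg, req, rel in diagnose(LOG, STATUS):
        print(f'conn "{conn}": configured {cfg}, peer proposed {req} -> {rel}')
```

Any result other than "match" points at the same kind of mask disagreement seen here, where the /29 proposed by the client lies inside the configured /28 yet pluto still reports that no connection is known.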
This archive was generated by hypermail 2.1.5 : Sat Oct 12 2002 - 05:20:25 CEST