[vpn-help] HELP: "cannot respond to IPsec SA request because no connection is known for..."

Murat Sezgin sezginmurat at gmail.com
Tue Apr 6 20:31:48 CDT 2010


Hi,

I am using your shrewsoft VPN client 2.15 version on my Windows (Vista / 7)
machines to connect to a VPN router which is running openswan.2.6.24.rc4.
The first phase ISAKMP is established successfully. After this phase on the
shrewsoft client it shows that connection is established. But on the
openswan side, it is waiting for the phase 2 (IPSec SA). And I see the below
error repeatedly. Shrewsoft is behind a NAT router and the subnet is
192.168.3.0/24. The VPN router's local net is 192.168.0.0/24 and WAN IP is
192.168.5.112. The NAT router's WAN IP is 192.168.5.114 and connected to the
VPN router's WAN port.

I am not using the certification authentication, I am using PSK. What can
cause this error? I searched on your support site and the openswan mailing
list archives, but I couldn't find any solution. The same configuration of
VPN router is working fine with the Greenbow VPN client and Openswan Linux
client, but it is failing with shrewsoft with the below error.

Regards,
Murat Sezgin


remote-user-psk"[2] 192.168.5.114 #1: the peer proposed: 0.0.0.0/0:0/0 ->
192.168.3.100/32:0/0
| find_client_connection starting with remote-user-psk
|   looking for 0.0.0.0/0:0/0 -> 192.168.3.100/32:0/0
|   concrete checking against sr#0 192.168.0.0/24 -> 192.168.3.100/32
|    match_id a=192.168.3.100
|             b=192.168.3.100
|    results  matched
|   trusted_ca called with a=(empty) b=(empty)
|   fc_try trying remote-user-psk:0.0.0.0/0:0/0 -> 192.168.3.100/32:0/0 vs
remote-user-psk:192.168.0.0/24:0/0 -> 192.168.3.100/32:0/0
|    our client(192.168.0.0/24) not in our_net (0.0.0.0/0)
|   fc_try concluding with none [0]
|   fc_try remote-user-psk gives none
| find_host_pair: comparing to 192.168.5.112:500 0.0.0.0:500
|   checking hostpair 192.168.0.0/24 -> 192.168.3.100/32 is found
|    match_id a=192.168.3.100
|             b=(none)
|    results  matched
|   trusted_ca called with a=(empty) b=(empty)
|   fc_try trying remote-user-psk:0.0.0.0/0:0/0 -> 192.168.3.100/32:0/0 vs
remote-user-psk:192.168.0.0/24:0/0 -> 192.168.3.100/32:0/0
|    our client(192.168.0.0/24) not in our_net (0.0.0.0/0)
|   fc_try concluding with none [0]
|   concluding with d = none
"remote-user-psk"[2] 192.168.5.114 #1: cannot respond to IPsec SA request
because no connection is known for
0.0.0.0/0===192.168.5.112...192.168.5.114[192.168.3.100]===192.168.3.100/32
| complete state transition with (null)
"remote-user-psk"[2] 192.168.5.114 #1: sending encrypted notification
INVALID_ID_INFORMATION to 192.168.5.114:55034
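
Added example, not part of the original post: a small Python check that reads the pluto `fc_try` debug lines quoted above and reports where the peer's proposed phase 2 selectors differ from the ones configured on the connection. The sample log is constructed from the lines in the post with the mail wrapping rejoined; the function name and result keys are hypothetical.

```python
import ipaddress
import re

# Constructed sample: pluto debug lines from the post, with wrapped lines rejoined.
SAMPLE_LOG = """\
"remote-user-psk"[2] 192.168.5.114 #1: the peer proposed: 0.0.0.0/0:0/0 -> 192.168.3.100/32:0/0
|   fc_try trying remote-user-psk:0.0.0.0/0:0/0 -> 192.168.3.100/32:0/0 vs remote-user-psk:192.168.0.0/24:0/0 -> 192.168.3.100/32:0/0
|    our client(192.168.0.0/24) not in our_net (0.0.0.0/0)
|   fc_try concluding with none [0]
"""

NET = r"(\d+\.\d+\.\d+\.\d+/\d+)"
# fc_try trying <conn>:<proposed ours> -> <proposed peer> vs <conn>:<configured ours> -> <configured peer>
FC_TRY = re.compile(
    r"fc_try trying (?P<conn>[^:\s]+):" + NET + r":\S+ -> " + NET + r":\S+ vs "
    r"[^:\s]+:" + NET + r":\S+ -> " + NET + r":\S+"
)


def selector_mismatches(log_text):
    """Return one dict per fc_try comparison whose selector pairs differ."""
    findings = []
    for m in FC_TRY.finditer(log_text):
        prop_ours, prop_peer, conf_ours, conf_peer = (
            ipaddress.ip_network(m.group(i)) for i in range(2, 6)
        )
        if prop_ours == conf_ours and prop_peer == conf_peer:
            continue  # proposal and configured policy agree
        findings.append({
            "conn": m.group("conn"),
            "proposed": (str(prop_ours), str(prop_peer)),
            "configured": (str(conf_ours), str(conf_peer)),
            "gateway_side_differs": prop_ours != conf_ours,
            "client_side_differs": prop_peer != conf_peer,
            # True when the proposal covers more than the configured gateway-side net
            "proposal_wider_than_policy":
                prop_ours != conf_ours and conf_ours.subnet_of(prop_ours),
        })
    return findings


if __name__ == "__main__":
    for finding in selector_mismatches(SAMPLE_LOG):
        print(finding)
```
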