[vpn-help] HELP: "cannot respond to IPsec SA request because no connection is known for..."

Matthew Grooms mgrooms at shrew.net
Tue Apr 20 00:26:49 CDT 2010


On 4/6/2010 8:31 PM, Murat Sezgin wrote:
> Hi,
>
> I am using your shrewsoft VPN client 2.15 version on my windows (vista /
> 7) machines to connect to a VPN router which is running
> openswan.2.6.24.rc4. The first phase ISAKMP is established successfully.
> After this phase on the shrewsoft client it shows that connection is
> established. But on the openswan side, it is waiting for the phase 2
> (IPSec SA). And I see the below error repeatedly. Shrewsoft is behind a
> NAT router and the subnet is 192.168.3.0/24. The
> VPN router's local net is 192.168.0.0/24 and WAN
> IP is 192.168.5.112. The NAT router's WAN IP is 192.168.5.114 and
> connected to the VPN router's WAN port.
>
> I am not using the certification authentication, I am using PSK. What
> can cause this error? I searched on your support site and the openswan
> mailing list archives, but I couldn't find any solution. The same
> configuration of VPN router is working fine with the Greenbow VPN client
> and Openswan Linux client, but it is failing with shrewsoft with the
> below error.
>

Hi Murat,

It looks like you didn't specify an include network in the policy tab. 
This causes the client to negotiate a single IPsec SA to tunnel all 
traffic through. Try adding the 192.168.0.0/24 network as an include 
network in the policy tab of the client site configuration.

Hope this helps,

-Matthew
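
Added example, not part of the original thread and not Openswan or Shrew Soft code: a simplified Python model of how a responder looks up a connection for the Phase 2 selectors an initiator proposes, showing why a tunnel-all proposal finds no connection while the 192.168.0.0/24 include network does. The client address 192.168.3.10, the connection name `roadwarrior`, and the exact-match rule are assumptions made for the illustration.

```python
from ipaddress import ip_network

# Constructed responder configuration: one connection protecting the VPN
# router's local net from the thread (192.168.0.0/24) for a single-host peer.
CONNECTIONS = [
    {"name": "roadwarrior", "local_net": ip_network("192.168.0.0/24")},
]


def check_proposal(idci, idcr):
    """Model the responder's lookup for one Quick Mode proposal.

    idci: selector the initiator proposes for its own side.
    idcr: selector the initiator proposes for the responder's side.
    Returns (connection_name_or_None, reason).
    Assumption: selectors must match exactly; no narrowing is attempted.
    """
    client = ip_network(idci)
    wanted = ip_network(idcr)
    if client.prefixlen != client.max_prefixlen:
        return None, "peer selector is not a single host"
    for conn in CONNECTIONS:
        if wanted == conn["local_net"]:
            return conn["name"], "exact match"
    for conn in CONNECTIONS:
        # A tunnel-all selector contains the configured subnet but is not equal to it.
        if conn["local_net"].subnet_of(wanted):
            return None, f"proposal {wanted} is wider than configured {conn['local_net']}"
    return None, f"proposal {wanted} does not match any configured subnet"


if __name__ == "__main__":
    # Constructed proposals: client without and with an include network.
    for label, idcr in [("no include network", "0.0.0.0/0"),
                        ("include 192.168.0.0/24", "192.168.0.0/24")]:
        name, reason = check_proposal("192.168.3.10/32", idcr)
        print(f"{label}: conn={name} ({reason})")
```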


