<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div> add leftprotoport=17/0 and rightprotoport=17/0 to your connection.</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">Note that means the other end wants to do L2TP/IPsec so you would also need xl2tpd for that. Unless the other end is misconfigured. Without you telling what the goal is, I cannot say whi<span style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0);">ch endpoint is wrong.</span></div><div id="AppleMailSignature"><br>Sent from my iPhone</div><div><br>On Nov 2, 2015, at 08:02, ChenHao <<a href="mailto:earthlovepython@outlook.com">earthlovepython@outlook.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:????
}
--></style>
<div dir="ltr"><div>Hi Paul:</div><div><br></div><div>From /var/log/pluto.log, phase 1 is done. Phase 2 is failed due to "<span style="font-size: 12pt;">cannot respond to IPsec SA request because no connection</span><span style="font-size: 12pt;">". I analyzed log file, I think it is caused by "</span><span style="font-size: 12pt; background-color: rgb(255, 0, 255);">0/0</span><span style="font-size: 12pt;">" != "</span><span style="font-size: 12pt; background-color: rgb(0, 255, 255);">17/0</span><span style="font-size: 12pt;">" (see belowing highlighted log file). Can you please confirm ?</span></div><div><span style="font-size: 12pt;"><br></span></div><div>Thanks and regards</div><div><br></div><div>Hao Chen</div><div><br></div><div>"ip6.tun0" #113: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=oakley_3des_cbc_192 integ=md5 group=MODP1024}</div><div>| modecfg pull: noquirk policy:push not-client</div><div>| phase 1 is done, looking for phase 2 to unpend</div><div>| unpending state #113</div><div>| * processed 1 messages from cryptographic helpers</div><div>| next event EVENT_v1_RETRANSMIT in 4 seconds for #112</div><div>| next event EVENT_v1_RETRANSMIT in 4 seconds for #112</div><div>| *received 172 bytes from 2607:f160:10:509:ce:ff2:0:3:500 on bond.2250 (port=500)</div><div>.......</div><div>.......</div><div>.......</div><div>| decrypting 144 bytes using algorithm OAKLEY_3DES_CBC</div><div>| NSS: do_3des init start</div><div>| NSS: do_3des init end</div><div>| decrypted:</div><div>| 01 00 00 14 32 ae 3b 2b e2 cf 9c e2 e6 38 0a d2</div><div>| a3 4a 17 b3 0a 00 00 30 00 00 00 01 00 00 00 01</div><div>| 00 00 00 24 01 03 04 01 40 06 7b 9f 00 00 00 18</div><div>| 01 03 00 00 80 01 00 01 80 02 12 c0 80 04 00 01</div><div>| 80 05 00 01 05 00 00 18 22 8e 22 71 85 11 14 ef</div><div>| ee 5e cf 52 1f d0 e5 cb 99 0f 47 cb 05 00 00 18</div><div>| 05 11 00 00 fd 6f 0d 30 1b b6 b4 19 00 00 00 00</div><div>| 00 00 00 01 00 00 00 18 05 11 00 00 fd 1d 0d 30</div><div>| 1b b6 b4 19 00 00 00 00 00 00 00 01 95 53 39 45</div><div>| next IV: db 32 cd 21 90 84 1c 67</div><div>| got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502opt: 0x200030</div><div>| ***parse ISAKMP Hash Payload:</div><div>| next payload type: ISAKMP_NEXT_SA</div><div>| length: 20</div><div>| got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402opt: 0x200030</div><div>| ***parse ISAKMP Security Association Payload:</div><div>| next payload type: ISAKMP_NEXT_NONCE</div><div>| length: 48</div><div>| DOI: ISAKMP_DOI_IPSEC</div><div>| got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400opt: 0x200030</div><div>| ***parse ISAKMP Nonce Payload:</div><div>| next payload type: ISAKMP_NEXT_ID</div><div>| length: 24</div><div>| got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0opt: 0x200030</div><div>| ***parse ISAKMP Identification Payload (IPsec DOI):</div><div>| next payload type: ISAKMP_NEXT_ID</div><div>| length: 24</div><div>| ID type: ID_IPV6_ADDR</div><div>| Protocol ID: 17</div><div>| port: 0</div><div>| obj: fd 6f 0d 30 1b b6 b4 19 00 00 00 00 00 00 00 01</div><div>| got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0opt: 0x200030</div><div>| ***parse ISAKMP Identification Payload (IPsec DOI):</div><div>| next payload type: ISAKMP_NEXT_NONE</div><div>| length: 24</div><div>| ID type: ID_IPV6_ADDR</div><div>| Protocol ID: 17</div><div>| port: 0</div><div>| obj: fd 1d 0d 30 1b b6 b4 19 00 00 00 00 00 00 00 01</div><div>| removing 4 bytes of padding</div><div>.......</div><div>.......</div><div>.......</div><div>| peer client is fd6f:d30:1bb6:b419::1</div><div>| peer client protocol/port is 17/0</div><div>| our client is fd1d:d30:1bb6:b419::1</div><div>| our client protocol/port is 17/0</div><div>"ip6.tun0" #113: the peer proposed: fd1d:d30:1bb6:b419::1/128:<span style="background-color: rgb(255, 0, 255);">0/0</span> -> fd6f:d30:1bb6:b419::1/128:<span style="background-color: rgb(255, 0, 255);">0/0</span></div><div>| find_client_connection starting with ip6.tun0</div><div>| looking for fd1d:d30:1bb6:b419::1/128:<span style="background-color: rgb(0, 255, 255);">17/0 </span>-> fd6f:d30:1bb6:b419::1/128:<span style="background-color: rgb(0, 255, 255);">17/0</span></div><div>| concrete checking against sr#0 fd1d:d30:1bb6:b419::1/128 -> fd6f:d30:1bb6:b419::1/128</div><div>| match_id a=2607:f160:10:509:ce:ff2:0:3</div><div>| b=2607:f160:10:509:ce:ff2:0:3</div><div>| results matched</div><div>| trusted_ca called with a=(empty) b=(empty)</div><div>| fc_try concluding with none [0]</div><div>| fc_try ip6.tun0 gives none</div><div>| find_host_pair: comparing to 2607:f160:10:3e1:ce:10e:0:7:500 2607:f160:10:509:ce:ff2:0:3:500</div><div>| find_host_pair: comparing to ::1:500 :::500</div><div>| find_host_pair: comparing to 172.16.162.40:500 198.226.45.30:500</div><div>| find_host_pair: comparing to 172.16.162.40:500 198.226.45.29:500</div><div>| find_host_pair: comparing to 172.16.162.40:500 172.24.252.40:500</div><div>| find_host_pair: comparing to 172.16.162.40:500 172.31.155.34:500</div><div>| find_host_pair: comparing to 2607:f160:10:3e1:ce:10e:0:7:500 2607:f160:0:2003::9:500</div><div>| find_host_pair: comparing to 2607:f160:10:3e1:ce:10e:0:7:500 2607:f160:0:2003::c:500</div><div>| checking hostpair fd1d:d30:1bb6:b419::1/128 -> fd6f:d30:1bb6:b419::1/128 is not found</div><div>| concluding with d = none</div><div>"ip6.tun0" #113: cannot respond to IPsec SA request because no connection is known for fd1d:d30:1bb6:b419::1/128===2607:f160:10:3e1:ce:10e:0:7<2607:f160:10:3e1:ce:10e:0:7>:17/0...2607:f160:10:509:ce:ff2:0:3<2607:f160:10:509:ce:ff2:0:3>:17/0===fd6f:d30:1bb6:b419::1/128</div><div>| complete v1 state transition with INVALID_ID_INFORMATION</div><div>"ip6.tun0" #113: sending encrypted notification INVALID_ID_INFORMATION to 2607:f160:10:509:ce:ff2:0:3:500</div><div>| **emit ISAKMP Message:</div><div>| initiator cookie:</div><div>| 15 f1 9c 33 3b a1 81 d0</div><div>| responder cookie:</div><div>| d4 2f 9c 02 27 c4 e2 38</div><div>| next payload type: ISAKMP_NEXT_HASH</div><div>| ISAKMP version: ISAKMP Version 1.0 (rfc2407)</div><div>| exchange type: ISAKMP_XCHG_INFO</div><div>| flags: ISAKMP_FLAG_v1_ENCRYPTION</div><div>| message ID: d1 31 bd 17</div><div>| ***emit ISAKMP Hash Payload:</div><div>| next payload type: ISAKMP_NEXT_N</div><div>| emitting 16 zero bytes of HASH(1) into ISAKMP Hash Payload</div><div>| emitting length of ISAKMP Hash Payload: 20</div><div>| ***emit ISAKMP Notification Payload:</div><div>| next payload type: ISAKMP_NEXT_NONE</div><div>| DOI: ISAKMP_DOI_IPSEC</div><div>| protocol ID: 1</div><div>| SPI size: 0</div><div>| Notify Message Type: INVALID_ID_INFORMATION</div><div><br></div><div><br></div><div><br></div><div><br></div><br><div><hr id="stopSpelling">Subject: Re: [Swan] How to let "PLUTO_PEER_PROTOCOL" and "PLUTO_MY_PROTOCOL" to be 17 (UDP) ?<br>From: <a href="mailto:paul@nohats.ca">paul@nohats.ca</a><br>Date: Mon, 2 Nov 2015 06:39:41 +0900<br>To: <a href="mailto:earthlovepython@outlook.com">earthlovepython@outlook.com</a><br><br><div>All those variables are informational! You should never try to change them! They are filled in based on the IKE negotiation that happened.</div><div id="ecxAppleMailSignature"><br></div><div id="ecxAppleMailSignature">17/0 is often used for only allowing l2tp packets with IPSec. If that mismatches you need to think about what you are trying to do and reconfigure the two endpoint to match their configuration.</div><div id="ecxAppleMailSignature"><br></div><div id="ecxAppleMailSignature">You did not tell me what you want to accomplish so I don't know what is right or what is wrong </div><div id="ecxAppleMailSignature"><br>Sent from my iPhone</div><div><br>On Nov 2, 2015, at 03:17, ChenHao <<a href="mailto:earthlovepython@outlook.com">earthlovepython@outlook.com</a>> wrote:<br><br></div><blockquote><div>
<style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}
.ExternalClass body.ecxhmmessage {
font-size:12pt;
}
--></style>
<div dir="ltr">Deal Paul:<br><br>I faced "<span style="color:rgb(31, 73, 125);font-size:12pt;background-color:rgb(255, 0, 255);">0/0</span><span style="font-size:12pt;">" is NOT "</span><span style="color:rgb(255, 0, 0);font-size:12pt;background-color:rgb(255, 255, 0);">17/0</span><span style="font-size:12pt;">" while handle "</span><span style="font-size:12pt;"><b>the
peer proposed</b>" in quick mode (see previous email chain). So I guess I shall set PLUTO_PEER_PROTOCOL. <br><br>My guess is really correct ? Can you please confirm ? <br><br><br>Thanks and regards<br><br>Hao Chen<br></span><br><div><hr id="ecxstopSpelling">CC: <a href="mailto:swan@lists.libreswan.org">swan@lists.libreswan.org</a><br>From: <a href="mailto:paul@nohats.ca">paul@nohats.ca</a><br>Subject: Re: [Swan] How to let "PLUTO_PEER_PROTOCOL" and "PLUTO_MY_PROTOCOL" to be 17 (UDP) ?<br>Date: Sun, 1 Nov 2015 17:38:49 +0900<br>To: <a href="mailto:earthlovepython@outlook.com">earthlovepython@outlook.com</a><br><br><div>See leftprotoport= and rightprotopprt= described in the ipsec.conf man page<br><br>Sent from my iPhone</div><div><br>On Nov 1, 2015, at 12:38, ChenHao <<a href="mailto:earthlovepython@outlook.com">earthlovepython@outlook.com</a>> wrote:<br><br></div><blockquote><div>
<style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}
.ExternalClass body.ecxhmmessage {
font-size:12pt;
}
--></style>
<div dir="ltr">Hi All:<div><br></div><div>/var/log/pluto.log writes:</div><div>=========================</div><div><p class="ecxMsoNormal"><span style="color:#1F497D;">| peer client is
fd6f:d30:1bb6:b419::1</span></p>
<p class="ecxMsoNormal"><span style="color:#1F497D;">| </span><span style="color:red;">peer client protocol/port is <span style="background:yellow;">17/0</span></span><span style="color:#1F497D;"></span></p>
<p class="ecxMsoNormal"><span style="color:#1F497D;">| our client is
fd1d:d30:1bb6:b419::1</span></p>
<p class="ecxMsoNormal"><span style="color:#1F497D;">| </span><span style="color:red;">our client protocol/port is <span style="background:yellow;">17/0</span></span><span style="color:#1F497D;"></span></p>
<p class="ecxMsoNormal"><span style="color:#1F497D;">"ip6.tun0" #113: </span><b>the
peer proposed</b><span style="color:#1F497D;">: fd1d:d30:1bb6:b419::1/128:<span style="background-color:rgb(255, 0, 255);">0/0</span>
-> fd6f:d30:1bb6:b419::1/128:<span style="background-color:rgb(255, 0, 255);">0/0</span></span></p>
<p class="ecxMsoNormal"><span style="color:#1F497D;">| find_client_connection
starting with ip6.tun0</span></p>
<p class="ecxMsoNormal"><span style="color:#1F497D;">| looking for
fd1d:d30:1bb6:b419::1/128:</span><span style="color:rgb(255, 0, 0);background-color:rgb(255, 255, 0);">17/0</span><span style="color:#1F497D;"> -> fd6f:d30:1bb6:b419::1/128:</span><span style="color:rgb(255, 0, 0);font-size:12pt;background-color:rgb(255, 255, 0);">17/0</span></p><p class="ecxMsoNormal"><span style="color:rgb(255, 0, 0);font-size:12pt;background-color:rgb(255, 255, 0);"><br></span></p><p class="ecxMsoNormal">Because "<span style="color:rgb(31, 73, 125);font-size:12pt;background-color:rgb(255, 0, 255);">0/0</span><span style="font-size:12pt;">" is NOT "</span><span style="color:rgb(255, 0, 0);font-size:12pt;background-color:rgb(255, 255, 0);">17/0</span><span style="font-size:12pt;">", </span><span style="color:rgb(31, 73, 125);font-size:12pt;">find_client_connection() return NULL. As a result, </span><span style="color:rgb(31, 73, 125);font-size:12pt;">quick_inI1_outR1_authtail() fail "</span><font color="#1f497d">cannot respond to IPsec SA request because no connection is known for</font><span style="color:rgb(31, 73, 125);font-size:12pt;">" && "</span><font color="#1f497d">sending encrypted notification INVALID_ID_INFORMATION to</font><span style="color:rgb(31, 73, 125);font-size:12pt;">"</span></p><p class="ecxMsoNormal"><br></p><p class="ecxMsoNormal"><span style="color:rgb(255, 0, 0);font-size:12pt;background-color:rgb(0, 255, 255);">Question: how to set local protocol to 17 (UDP) instead of 0? </span></p><p class="ecxMsoNormal"><span style="color:rgb(255, 0, 0);font-size:12pt;background-color:rgb(255, 255, 0);"><br></span></p><p class="ecxMsoNormal"><span style="color:rgb(255, 0, 0);font-size:12pt;background-color:rgb(255, 255, 0);"><br></span></p><p class="ecxMsoNormal"><span style="color:rgb(255, 0, 0);font-size:12pt;background-color:rgb(255, 255, 0);"><br></span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">Corresponding source code:</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">==================</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">quick_inI1_outR1_authtail()</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">{</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">……</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
libreswan_log("the peer proposed: %s:%d/%d -> %s:%d/%d",</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
s1, c-><span style="background:lime;">spd.this.protocol</span>,
c->spd.this.port, </span><span style="font-family:Wingdings;color:#1F497D;background:red;">ç</span><span style="color:#1F497D;background:red;">==</span><span style="color:#1F497D;"> “spd” is “struct spd_route” </span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
d1, c-><span style="background:lime;">spd.that.protocol</span>, c->spd.that.port);</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">……</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">}</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;"> </span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">quick_inI1_outR1_authtail()
calls find_client_connection()</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;"> </span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">find_client_connection()</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">{</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">….</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
DBG_log(" looking for %s:%d/%d -> %s:%d/%d",</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
s1, <span style="background:yellow;">our_protocol</span>,
our_port,</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
d1, <span style="background:yellow;">peer_protocol</span>,
peer_port);</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">….</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
if (samesubnet(&sr->this.client, our_net) &&</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
samesubnet(&sr->that.client, peer_net) &&</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
</span><b><span style="background:aqua;">sr->this.protocol</span>
== our_protocol</b> <span style="color:#1F497D;">&& </span><span style="font-family:Wingdings;color:#1F497D;background:red;">ç</span><span style="color:#1F497D;background:red;">==</span><span style="color:#1F497D;"> Does NOT match. “</span><b>sr</b><span style="color:#1F497D;">” is “struct spd_route”. As a result, failed. </span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
(!sr->this.port ||</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
sr->this.port == our_port) &&</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
(sr->that.protocol == peer_protocol) &&</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
(!sr->that.port ||</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
sr->that.port == peer_port)) {</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
passert(oriented(*c));</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
if (routed(sr->routing))</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
return c; </span><span style="font-family:Wingdings;color:#1F497D;background:red;">ç</span><span style="color:#1F497D;background:red;"> ==</span><span style="color:#1F497D;">
We expect return here, but ….</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;"> </span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
unrouted = c;</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">
}</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">….</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;">}</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;"> </span></p><p class="ecxMsoNormal">
</p><p class="ecxMsoNormal"><span style="color:#1F497D;">“<span style="background:lime;">spd.this.protocol</span>” is same as “</span><b><span style="background:aqua;">sr->this.protocol</span></b><span style="color:#1F497D;">”</span></p><p class="ecxMsoNormal"><span style="color:#1F497D;"><br></span></p><p class="ecxMsoNormal"><span style="color:#1F497D;"><br></span></p><p class="ecxMsoNormal"><span style="color:#1F497D;"><br></span></p><p class="ecxMsoNormal"><br></p></div> </div>
</div></blockquote><blockquote><div><span>_______________________________________________</span><br><span>Swan mailing list</span><br><span><a href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a></span><br><span><a href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a></span><br></div></blockquote></div> </div>
</div></blockquote></div> </div>
</div></blockquote></body></html>