Hello all,

I can't understand why I got an SA_INIT timeout:
May  5 13:18:54 crypto-gw2 iked[65530]: spi=0x73bcd531eb2e8899: sa_free: SA_INIT timeout

1.1.1.1 (crypto-gw2) - my host
7.7.7.7 - our ISP provider (some Cisco device)

/etc/iked.conf (on 1.1.1.1):

ikev2 crypto-primary active esp \
      from 10.21.139.8/30 to 2.2.2.2 \
      from 10.21.139.8/30 to 3.3.3.3 \
      peer 7.7.7.7 \
      ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
      childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
      ikelifetime 86400 lifetime 28800 \
      psk "secret"

The remote side claims to have the same settings.

crypto-gw2# ikectl sh sa | grep 7.7.7.7
iked_sas: 0xb0e1878b7d0 rspi 0x2d606f017d098928 ispi 0xd0497626849535cd 1.1.1.1:500->7.7.7.7:500<IPV4/217.118.86.15>[] AUTH_SUCCESS i nexti 0x0 pol 0xb0e9b38d000

Why is the CHILD_SA not being created? I tried to figure it out from the logs
but couldn't.

Verbose log here:
https://pastebin.com/yifQdjGy

I would be glad for any advice.

--
Sincerely,
Denis
