Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built error in a Hub and Spoke Setup

2021-08-17 Thread S M Tanjeen

Hi Mr Brunner,

Thanks a lot for pointing that out. This plugin had been enabled unintentionally 
since the firmware build.


My Hub and spoke is working now.

Regards,

Tanjeen

On 8/17/21 11:54 PM, Tobias Brunner wrote:

Hi,

error installing route with policy 192.168.10.0/24 === 192.168.20.0/24 out


Why are you using kernel-libipsec [1] on your hub?

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec


Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built error in a Hub and Spoke Setup

2021-08-17 Thread Tobias Brunner

Hi,


error installing route with policy 192.168.10.0/24 === 192.168.20.0/24 out


Why are you using kernel-libipsec [1] on your hub?

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec


Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-16 Thread Jafar Al-Gharaibeh


On 2/16/2018 3:39 AM, Sujoy wrote:


The config file is the same, but it still failed, saying "unable to 
install inbound and outbound IPsec SA (SAD) in kernel failed to 
establish CHILD_SA, keeping IKE_SA".




It is failing with the error "IPsec SA: unsupported mode". That means 
transport mode (USE_TRANSP, one line above) is not supported. This is 
due to the kernel-libipsec plugin (look at the loaded plugins list), 
which doesn't implement transport mode as far as I know. Either 
disable that plugin or switch back to tunnel mode.
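
A defender's reading of the two findings in this thread (Jafar's note above that kernel-libipsec does not implement transport mode, and Tobias's question about running kernel-libipsec on a hub) can be turned into a repeatable check. The following Python is an added example, not strongSwan code and not from anyone on the list: it parses the plugin list and the child policy lines of `ipsec statusall` together with charon log lines, and flags the combinations that came up here. The regexes, the finding codes and the TRANSPORT child line in the sample status are my own constructs; the plugin list and the log lines are copied from the posts in this thread.

```python
"""
Checks over strongSwan diagnostics: a constructed teaching example, not code
from strongSwan or from anyone in this thread.  It reads the text of
`ipsec statusall` and charon log lines and reports the two problems the
thread turned up:

  * kernel-libipsec loaded while a CHILD_SA uses transport mode (the plugin
    only implements tunnel mode, so the SA cannot be installed);
  * an IKE_AUTH response carrying N(TS_UNACCEPT): the IKE_SA is up, but the
    peer rejected the proposed traffic selectors and no CHILD_SA exists.
"""
import re
from typing import Dict, List

PLUGINS_RE = re.compile(r"^\s*loaded plugins:\s*(?P<plugins>.+)$")
CHILD_RE = re.compile(
    r"^\s*(?P<conn>[^\s:]+):\s+child:\s+(?P<local>\S+) === (?P<remote>\S+) "
    r"(?P<mode>TUNNEL|TRANSPORT|BEET)")
IKE_AUTH_RE = re.compile(r"parsed IKE_AUTH response \d+ \[(?P<payloads>[^\]]*)\]")
NOTIFY_RE = re.compile(r"N\((\w+)\)")


def parse_statusall(text: str) -> Dict[str, list]:
    """Pull the plugin list and every 'child:' policy line out of `ipsec statusall`."""
    plugins: List[str] = []
    children: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = PLUGINS_RE.match(line)
        if m:
            plugins = m.group("plugins").split()
            continue
        m = CHILD_RE.match(line)
        if m:
            children.append(m.groupdict())
    return {"plugins": plugins, "children": children}


def ike_auth_notifies(log_lines: List[str]) -> List[str]:
    """Names of the N(...) payloads charon parsed in IKE_AUTH responses."""
    names: List[str] = []
    for line in log_lines:
        m = IKE_AUTH_RE.search(line)
        if m:
            names.extend(NOTIFY_RE.findall(m.group("payloads")))
    return names


def diagnose(statusall_text: str, log_lines: List[str]) -> List[str]:
    """Return findings as 'CODE: explanation' strings; an empty list means nothing flagged."""
    status = parse_statusall(statusall_text)
    findings: List[str] = []
    if "kernel-libipsec" in status["plugins"]:
        for child in status["children"]:
            if child["mode"] == "TRANSPORT":
                findings.append(
                    f"LIBIPSEC_TRANSPORT: conn '{child['conn']}' is "
                    f"{child['local']} === {child['remote']} TRANSPORT, but kernel-libipsec "
                    "only implements tunnel mode; disable the plugin or use type=tunnel")
        if "kernel-netlink" in status["plugins"]:
            findings.append(
                "LIBIPSEC_ON_GATEWAY: kernel-libipsec is loaded next to kernel-netlink, so "
                "ESP is processed in userland instead of by the kernel; on a Linux gateway "
                "or hub this is normally unintended")
    if "TS_UNACCEPT" in ike_auth_notifies(log_lines):
        findings.append(
            "TS_UNACCEPTABLE: the peer answered IKE_AUTH with N(TS_UNACCEPT); the IKE_SA is "
            "up but no CHILD_SA was built, so compare left/rightsubnet on both ends")
    return findings


def finding_codes(findings: List[str]) -> List[str]:
    """Just the CODE part of each finding, for programmatic use."""
    return [f.split(":", 1)[0] for f in findings]


# Constructed sample input modelled on the thread's posts: the real `ipsec statusall`
# prints the plugin list on one line; the TRANSPORT child line is made up for the check.
SAMPLE_STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.3.3, Linux 4.4.0-112-generic, x86_64):
  uptime: 2 minutes, since Feb 07 20:44:23 2018
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Connections:
  tunnel:  %any...192.168.10.40  IKEv2, dpddelay=30s
  tunnel:   child:  dynamic === dynamic TRANSPORT, dpdaction=restart
"""

# Syslog lines as posted in the thread for the failing IKE_AUTH exchange.
SAMPLE_LOG = [
    "Feb  9 11:55:44 localhost charon: 16[ENC] parsed IKE_AUTH response 1 [ "
    "IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]",
    "Feb  9 11:55:44 localhost charon: 16[IKE] authentication of '192.168.10.40' "
    "with pre-shared key successful",
    "Feb  9 11:55:44 localhost charon: 16[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built",
    "Feb  9 11:55:44 localhost charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA",
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_STATUSALL, SAMPLE_LOG):
        print(finding)
```

Feed it the real `ipsec statusall` text and the charon lines from syslog; the plugin list is a single line in real output, which is why the sample is written that way rather than with the mail-client wrapping seen above. The LIBIPSEC_ON_GATEWAY finding rests on the behaviour the kernel-libipsec wiki page linked in this thread describes: when the plugin is loaded it takes over IPsec processing from the kernel backend, which is what Tobias is questioning on the hub.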




Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-09 Thread Jafar Al-Gharaibeh
Can you send the logs from the other side, the one that generates the 
TS_UNACCEPTABLE notify?


--Jafar

On 2/9/2018 12:31 AM, Sujoy wrote:


Hi Jafar/Noel,

What does "received TS_UNACCEPTABLE notify, no CHILD_SA built [IKE] 
failed to establish CHILD_SA, keeping IKE_SA" mean? The same error also 
occurs on the newly installed Linux.



root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]

sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (464 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi 
TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (368 
bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (160 
bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) 
N(TS_UNACCEPT) ]

authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[1] established between 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

scheduling rekeying in 2642s
maximum IKE_SA lifetime 3182s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
peer supports MOBIKE
establishing connection 'tunnel' failed



Feb  9 11:55:44 localhost charon: 14[NET] sending packet: from 
192.168.10.38[4500] to 192.168.10.40[4500] (368 bytes)
Feb  9 11:55:44 localhost charon: 16[NET] received packet: from 
192.168.10.40[4500] to 192.168.10.38[4500] (160 bytes)
Feb  9 11:55:44 localhost charon: 16[ENC] parsed IKE_AUTH response 1 [ 
IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
Feb  9 11:55:44 localhost charon: 16[IKE] authentication of 
'192.168.10.40' with pre-shared key successful
Feb  9 11:55:44 localhost charon: 16[IKE] IKE_SA tunnel[1] established 
between 192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

Feb  9 11:55:44 localhost charon: 16[IKE] scheduling rekeying in 2642s
Feb  9 11:55:44 localhost charon: 16[IKE] maximum IKE_SA lifetime 3182s
Feb  9 11:55:44 localhost charon: 16[IKE] received TS_UNACCEPTABLE 
notify, no CHILD_SA built
Feb  9 11:55:44 localhost charon: 16[IKE] failed to establish 
CHILD_SA, keeping IKE_SA

Feb  9 11:55:44 localhost charon: 16[IKE] peer supports MOBIKE


Thanks
On Friday 09 February 2018 11:21 AM, Sujoy wrote:


Thanks, Jafar, for the update. But after setting it up without a subnet and 
with "type=tunnel" or "type=transport", it shows the same error: "failed to 
establish CHILD_SA, keeping IKE_SA". What could the issue be?



Thanks

On Friday 09 February 2018 01:53 AM, Jafar Al-Gharaibeh wrote:

Sujoy,

  Just to make sure everything is working OK. Try setting:

    left=192.168.10.40
    right=192.168.10.38

and

    left=192.168.10.38
    right=192.168.10.40

Comment out left/rightsubnet configs. They should default to the 
same IP addresses as left/right.


--Jafar


On 2/8/2018 12:26 AM, Sujoy wrote:
Hi Jafar, the peer is also using strongSwan 5.3.3. The configuration 
follows. We need tunnel mode because once it is connected on the LAN 
we want to deploy it over the WAN/Internet. The output of 192.168.10.40 
is below.


config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.38
    rightsubnet=192.168.10.38/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel

root@server:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 
4.4.0-112-generic, x86_64):

  uptime: 114 minutes, since Feb 08 09:58:49 2018
  malloc: sbrk 2703360, mmap 0, used 513168, free 2190192
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 
0/0/0/0, scheduled: 5
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 
pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac 
curl attr kernel-netlink resolve socket-default stroke updown 
xauth-generic

Listening IP addresses:
  192.168.10.40
  10.8.0.1
Connections:
  tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.38] uses pre-shared key 

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-08 Thread Sujoy

Hi Jafar/Noel,

What does "received TS_UNACCEPTABLE notify, no CHILD_SA built [IKE] 
failed to establish CHILD_SA, keeping IKE_SA" mean? The same error also 
occurs on the newly installed Linux.



root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]

sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (464 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr 
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) 
N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (368 bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (160 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) 
N(TS_UNACCEPT) ]

authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[1] established between 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

scheduling rekeying in 2642s
maximum IKE_SA lifetime 3182s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
peer supports MOBIKE
establishing connection 'tunnel' failed



Feb  9 11:55:44 localhost charon: 14[NET] sending packet: from 
192.168.10.38[4500] to 192.168.10.40[4500] (368 bytes)
Feb  9 11:55:44 localhost charon: 16[NET] received packet: from 
192.168.10.40[4500] to 192.168.10.38[4500] (160 bytes)
Feb  9 11:55:44 localhost charon: 16[ENC] parsed IKE_AUTH response 1 [ 
IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
Feb  9 11:55:44 localhost charon: 16[IKE] authentication of 
'192.168.10.40' with pre-shared key successful
Feb  9 11:55:44 localhost charon: 16[IKE] IKE_SA tunnel[1] established 
between 192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

Feb  9 11:55:44 localhost charon: 16[IKE] scheduling rekeying in 2642s
Feb  9 11:55:44 localhost charon: 16[IKE] maximum IKE_SA lifetime 3182s
Feb  9 11:55:44 localhost charon: 16[IKE] received TS_UNACCEPTABLE 
notify, no CHILD_SA built
Feb  9 11:55:44 localhost charon: 16[IKE] failed to establish 
CHILD_SA, keeping IKE_SA

Feb  9 11:55:44 localhost charon: 16[IKE] peer supports MOBIKE


Thanks
On Friday 09 February 2018 11:21 AM, Sujoy wrote:


Thanks, Jafar, for the update. But after setting it up without a subnet and 
with "type=tunnel" or "type=transport", it shows the same error: "failed to 
establish CHILD_SA, keeping IKE_SA". What could the issue be?



Thanks

On Friday 09 February 2018 01:53 AM, Jafar Al-Gharaibeh wrote:

Sujoy,

  Just to make sure everything is working OK. Try setting:

    left=192.168.10.40
    right=192.168.10.38

and

    left=192.168.10.38
    right=192.168.10.40

Comment out left/rightsubnet configs. They should default to the same 
IP addresses as left/right.


--Jafar


On 2/8/2018 12:26 AM, Sujoy wrote:
Hi Jafar, the peer is also using strongSwan 5.3.3. The configuration 
follows. We need tunnel mode because once it is connected on the LAN we 
want to deploy it over the WAN/Internet. The output of 192.168.10.40 is 
below.


config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.38
    rightsubnet=192.168.10.38/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel

root@server:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 
4.4.0-112-generic, x86_64):

  uptime: 114 minutes, since Feb 08 09:58:49 2018
  malloc: sbrk 2703360, mmap 0, used 513168, free 2190192
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 5
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 
pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac 
curl attr kernel-netlink resolve socket-default stroke updown 
xauth-generic

Listening IP addresses:
  192.168.10.40
  10.8.0.1
Connections:
  tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.38] uses pre-shared key 
authentication
  tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, 
dpdaction=restart

Security Associations (1 up, 0 connecting):
  

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-08 Thread Sujoy
Thanks, Jafar, for the update. But after setting it up without a subnet and 
with "type=tunnel" or "type=transport", it shows the same error: "failed to 
establish CHILD_SA, keeping IKE_SA". What could the issue be?



Thanks

On Friday 09 February 2018 01:53 AM, Jafar Al-Gharaibeh wrote:

Sujoy,

  Just to make sure everything is working OK. Try setting:

    left=192.168.10.40
    right=192.168.10.38

and

    left=192.168.10.38
    right=192.168.10.40

Comment out left/rightsubnet configs. They should default to the same 
IP addresses as left/right.


--Jafar


On 2/8/2018 12:26 AM, Sujoy wrote:
Hi Jafar, the peer is also using strongSwan 5.3.3. The configuration 
follows. We need tunnel mode because once it is connected on the LAN we 
want to deploy it over the WAN/Internet. The output of 192.168.10.40 is 
below.


config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.38
    rightsubnet=192.168.10.38/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel

root@server:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 
4.4.0-112-generic, x86_64):

  uptime: 114 minutes, since Feb 08 09:58:49 2018
  malloc: sbrk 2703360, mmap 0, used 513168, free 2190192
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 5
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 
pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl 
attr kernel-netlink resolve socket-default stroke updown xauth-generic

Listening IP addresses:
  192.168.10.40
  10.8.0.1
Connections:
  tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.38] uses pre-shared key 
authentication
  tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, 
dpdaction=restart

Security Associations (1 up, 0 connecting):
  tunnel[3]: ESTABLISHED 25 minutes ago, 
192.168.10.40[192.168.10.40]...192.168.10.38[192.168.10.38]
  tunnel[3]: IKEv2 SPIs: c1a42433ade9fa28_i a52cfea6d767c397_r*, 
pre-shared key reauthentication in 24 minutes
  tunnel[3]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048




Thanks

On Wednesday 07 February 2018 09:06 PM, Jafar Al-Gharaibeh wrote:



On 2/7/2018 9:22 AM, Sujoy wrote:


Thanks, Jafar, for the reply. But after removing the subnet from the 
config, tunneling still failed. Is there any issue with strongSwan 
version 5.3.3? What does "TS_UNACCEPTABLE notify, no CHILD_SA built" 
mean?


"TS_UNACCEPTABLE notify" means the peer didn't like the proposed 
traffic selector. The log shows that your IKE SA is up, so you 
don't have a problem there. I can't tell you what your rightsubnet 
should be unless you tell us more about the setup you have. What is 
your peer running? Is it also strongSwan?


If you only want to encrypt traffic from 192.168.10.38 to 
192.168.10.40 and you don't have other subnets/hosts, you can switch 
the connection type to transport mode ("type=transport"). Both sides 
must agree on this. Transport mode doesn't require left/rightsubnets.


--Jafar



config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=route
    keyexchange=ikev2
    type=tunnel


root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (448 
bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 
bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi 
TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] 
(348 bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] 
(156 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) 
N(ADD_4_ADDR) N(TS_UNACCEPT) ]


Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-08 Thread Jafar Al-Gharaibeh

Sujoy,

  Just to make sure everything is working OK. Try setting:

    left=192.168.10.40
    right=192.168.10.38

and

    left=192.168.10.38
    right=192.168.10.40

Comment out left/rightsubnet configs. They should default to the same IP 
addresses as left/right.


--Jafar


On 2/8/2018 12:26 AM, Sujoy wrote:
Hi Jafar, the peer is also using strongSwan 5.3.3. The configuration 
follows. We need tunnel mode because once it is connected on the LAN we 
want to deploy it over the WAN/Internet. The output of 192.168.10.40 is below.


config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.38
    rightsubnet=192.168.10.38/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel

root@server:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 
4.4.0-112-generic, x86_64):

  uptime: 114 minutes, since Feb 08 09:58:49 2018
  malloc: sbrk 2703360, mmap 0, used 513168, free 2190192
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 5
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 
pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl 
attr kernel-netlink resolve socket-default stroke updown xauth-generic

Listening IP addresses:
  192.168.10.40
  10.8.0.1
Connections:
  tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.38] uses pre-shared key authentication
  tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, 
dpdaction=restart

Security Associations (1 up, 0 connecting):
  tunnel[3]: ESTABLISHED 25 minutes ago, 
192.168.10.40[192.168.10.40]...192.168.10.38[192.168.10.38]
  tunnel[3]: IKEv2 SPIs: c1a42433ade9fa28_i a52cfea6d767c397_r*, 
pre-shared key reauthentication in 24 minutes
  tunnel[3]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048




Thanks

On Wednesday 07 February 2018 09:06 PM, Jafar Al-Gharaibeh wrote:



On 2/7/2018 9:22 AM, Sujoy wrote:


Thanks, Jafar, for the reply. But after removing the subnet from the 
config, tunneling still failed. Is there any issue with strongSwan version 
5.3.3? What does "TS_UNACCEPTABLE notify, no CHILD_SA built" mean?


"TS_UNACCEPTABLE notify" means the peer didn't like the proposed 
traffic selector. The log shows that your IKE SA is up, so you don't 
have a problem there. I can't tell you what your rightsubnet should 
be unless you tell us more about the setup you have. What is your 
peer running? Is it also strongSwan?


If you only want to encrypt traffic from 192.168.10.38 to 
192.168.10.40 and you don't have other subnets/hosts, you can switch 
the connection type to transport mode ("type=transport"). Both sides 
must agree on this. Transport mode doesn't require left/rightsubnets.


--Jafar



config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=route
    keyexchange=ikev2
    type=tunnel


root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (448 
bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 
bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi 
TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (348 
bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] 
(156 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) 
N(ADD_4_ADDR) N(TS_UNACCEPT) ]

authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[1] established between 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

scheduling reauthentication in 2819s
maximum IKE_SA lifetime 3359s
received TS_UNACCEPTABLE notify, no 

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-08 Thread Jafar Al-Gharaibeh


On 2/8/2018 2:53 AM, Tore Anderson wrote:

* Jafar Al-Gharaibeh 


You can NOT have the least significant octet set to zero with a 32-bit
netmask

Sure you can. There is no fundamental difference between 192.168.10.0/32
and, say, 192.168.10.10/32. Both are equally valid, and both refer to a
single address/host.


Well, sure. We are not talking about whether this is a valid address or 
not from a purely theoretical perspective. That address doesn't generally 
get assigned to hosts. So, in the context of a strongSwan config, I 
doubt that is what Sujoy wants unless he knows what he is doing, which is 
something I pointed out in the email.


Thanks for pointing that out.
--Jafar



Tore





Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-08 Thread Tore Anderson
* Jafar Al-Gharaibeh 

> You can NOT have the least significant octet set to zero with a 32-bit 
> netmask

Sure you can. There is no fundamental difference between 192.168.10.0/32
and, say, 192.168.10.10/32. Both are equally valid, and both refer to a
single address/host.

Tore


Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-07 Thread Sujoy
Hi Jafar, the peer is also using strongSwan 5.3.3. The configuration 
follows. We need tunnel mode because once it is connected on the LAN we 
want to deploy it over the WAN/Internet. The output of 192.168.10.40 is below.


config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.38
    rightsubnet=192.168.10.38/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel

root@server:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 4.4.0-112-generic, 
x86_64):

  uptime: 114 minutes, since Feb 08 09:58:49 2018
  malloc: sbrk 2703360, mmap 0, used 513168, free 2190192
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 5
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 
pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr 
kernel-netlink resolve socket-default stroke updown xauth-generic

Listening IP addresses:
  192.168.10.40
  10.8.0.1
Connections:
  tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.38] uses pre-shared key authentication
  tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, 
dpdaction=restart

Security Associations (1 up, 0 connecting):
  tunnel[3]: ESTABLISHED 25 minutes ago, 
192.168.10.40[192.168.10.40]...192.168.10.38[192.168.10.38]
  tunnel[3]: IKEv2 SPIs: c1a42433ade9fa28_i a52cfea6d767c397_r*, 
pre-shared key reauthentication in 24 minutes
  tunnel[3]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048




Thanks

On Wednesday 07 February 2018 09:06 PM, Jafar Al-Gharaibeh wrote:



On 2/7/2018 9:22 AM, Sujoy wrote:


Thanks, Jafar, for the reply. But after removing the subnet from the 
config, tunneling still failed. Is there any issue with strongSwan version 
5.3.3? What does "TS_UNACCEPTABLE notify, no CHILD_SA built" mean?


"TS_UNACCEPTABLE notify" means the peer didn't like the proposed 
traffic selector. The log shows that your IKE SA is up, so you don't 
have a problem there. I can't tell you what your rightsubnet should be 
unless you tell us more about the setup you have. What is your peer 
running? Is it also strongSwan?


If you only want to encrypt traffic from 192.168.10.38 to 
192.168.10.40 and you don't have other subnets/hosts, you can switch 
the connection type to transport mode ("type=transport"). Both sides 
must agree on this. Transport mode doesn't require left/rightsubnets.


--Jafar



config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=route
    keyexchange=ikev2
    type=tunnel


root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) ]

sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (448 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 
bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi 
TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (348 
bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (156 
bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) 
N(ADD_4_ADDR) N(TS_UNACCEPT) ]

authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[1] established between 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

scheduling reauthentication in 2819s
maximum IKE_SA lifetime 3359s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 2637s, scheduling reauthentication in 2097s
peer supports MOBIKE
establishing connection 'tunnel' failed


root@client:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 
4.4.0-112-generic, x86_64):

  uptime: 2 

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-07 Thread Jafar Al-Gharaibeh



On 2/7/2018 9:22 AM, Sujoy wrote:


Thanks, Jafar, for the reply. But after removing the subnet from the config, 
tunneling still failed. Is there any issue with strongSwan version 
5.3.3? What does "TS_UNACCEPTABLE notify, no CHILD_SA built" mean?


"TS_UNACCEPTABLE notify" means the peer didn't like the proposed 
traffic selector. The log shows that your IKE SA is up, so you don't 
have a problem there. I can't tell you what your rightsubnet should be 
unless you tell us more about the setup you have. What is your peer 
running? Is it also strongSwan?


If you only want to encrypt traffic from 192.168.10.38 to 
192.168.10.40 and you don't have other subnets/hosts, you can switch the 
connection type to transport mode ("type=transport"). Both sides must 
agree on this. Transport mode doesn't require left/rightsubnets.


--Jafar



config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=route
    keyexchange=ikev2
    type=tunnel


root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) ]

sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (448 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi 
TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (348 
bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (156 
bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) 
N(ADD_4_ADDR) N(TS_UNACCEPT) ]

authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[1] established between 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

scheduling reauthentication in 2819s
maximum IKE_SA lifetime 3359s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 2637s, scheduling reauthentication in 2097s
peer supports MOBIKE
establishing connection 'tunnel' failed


root@client:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 
4.4.0-112-generic, x86_64):

  uptime: 2 minutes, since Feb 07 20:44:23 2018
  malloc: sbrk 2703360, mmap 0, used 519600, free 2183760
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 4
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 
pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl 
attr kernel-netlink resolve socket-default stroke updown xauth-generic

Listening IP addresses:
  192.168.10.38
  192.168.3.107

Connections:
  tunnel:  %any...192.168.10.40  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.40] uses pre-shared key authentication
  tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  tunnel[1]: ESTABLISHED 2 minutes ago, 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]
  tunnel[1]: IKEv2 SPIs: 175dcf9cdcf11b38_i* 9cc05896738a5e45_r, 
pre-shared key reauthentication in 32 minutes
  tunnel[1]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048


Thanks

On Wednesday 07 February 2018 08:31 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

  Are you sure about

   rightsubnet=192.168.10.0/32

 This subnet gets you nothing unless you know that it has a special 
meaning in the config that I'm not aware of. You can NOT have the least 
significant octet set to zero with a 32-bit netmask. What is the 
rightsubnet that you are trying to protect? Is it all of 
192.168.10.0/24, or just one host like 192.168.10.100?


--Jafar



On 2/7/2018 12:44 AM, Sujoy wrote:


Hi Noel,

Still cannot establish the tunnel. The logs don't show anything. Can 
someone help to solve this?


Client configuration

config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    rightsubnet=192.168.10.0/32
    ike=aes128-md5-modp1536
    esp=aes128-sha1
    keyingtries=%forever
    

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-07 Thread Sujoy
Thanks Jafar, for the reply. But after removing the subnet from the config, 
tunneling also failed. Is there any issue with the version of strongSwan, 
5.3.3? What does "TS_UNACCEPTABLE notify, no CHILD_SA built" mean?



config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=route
    keyexchange=ikev2
    type=tunnel


root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) ]

sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (448 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr 
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) 
N(EAP_ONLY) ]

sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (348 bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (156 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) 
N(ADD_4_ADDR) N(TS_UNACCEPT) ]

authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[1] established between 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

scheduling reauthentication in 2819s
maximum IKE_SA lifetime 3359s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 2637s, scheduling reauthentication in 2097s
peer supports MOBIKE
establishing connection 'tunnel' failed


root@client:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 4.4.0-112-generic, x86_64):

  uptime: 2 minutes, since Feb 07 20:44:23 2018
  malloc: sbrk 2703360, mmap 0, used 519600, free 2183760
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 4
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 
pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr 
kernel-netlink resolve socket-default stroke updown xauth-generic

Listening IP addresses:
  192.168.10.38
  192.168.3.107

Connections:
  tunnel:  %any...192.168.10.40  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.40] uses pre-shared key authentication
  tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  tunnel[1]: ESTABLISHED 2 minutes ago, 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]
  tunnel[1]: IKEv2 SPIs: 175dcf9cdcf11b38_i* 9cc05896738a5e45_r, 
pre-shared key reauthentication in 32 minutes
  tunnel[1]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048


Thanks

On Wednesday 07 February 2018 08:31 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

  Are you sure about

   rightsubnet=192.168.10.0/32

 This subnet gets you nothing unless you know that it has a special 
meaning in the config that I'm not aware of. You can have the least 
significant octet set to zero with a 32-bit netmask. What is the 
rightsubnet that you are trying to protect? Is it all 192.168.10.0/24, 
or just one host like 192.168.10.100?


--Jafar



On 2/7/2018 12:44 AM, Sujoy wrote:


Hi Noel,

Still cannot establish the tunnel. The logs don't show anything. Can 
someone help to solve this?


Client configuration

config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    rightsubnet=192.168.10.0/32
    ike=aes128-md5-modp1536
    esp=aes128-sha1
    keyingtries=%forever
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    #dpdaction=restart
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel
    mobike=no
    #pfs=no
    reauth=no

Server setup

config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    rightsubnet=192.168.10.0/32
    ike=aes128-md5-modp1536
    esp=aes128-sha1
    keyingtries=%forever
    ikelifetime=1h
    lifetime=8h
    

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-07 Thread Jafar Al-Gharaibeh


On 2/7/2018 9:01 AM, Jafar Al-Gharaibeh wrote:

You can have the least significant octet set to zero with a 32-bit netmask


Sorry, this should read:

You can NOT have the least significant octet set to zero with a 32-bit 
netmask


Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-07 Thread Jafar Al-Gharaibeh

Sujoy,

  Are you sure about

   rightsubnet=192.168.10.0/32

 This subnet gets you nothing unless you know that it has a special 
meaning in the config that I'm not aware of. You can have the least 
significant octet set to zero with a 32-bit netmask. What is the 
rightsubnet that you are trying to protect? Is it all 192.168.10.0/24, 
or just one host like 192.168.10.100?


--Jafar



On 2/7/2018 12:44 AM, Sujoy wrote:


Hi Noel,

Still cannot establish the tunnel. The logs don't show anything. Can someone 
help to solve this?


Client configuration

config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    rightsubnet=192.168.10.0/32
    ike=aes128-md5-modp1536
    esp=aes128-sha1
    keyingtries=%forever
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    #dpdaction=restart
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel
    mobike=no
    #pfs=no
    reauth=no

Server setup

config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    rightsubnet=192.168.10.0/32
    ike=aes128-md5-modp1536
    esp=aes128-sha1
    keyingtries=%forever
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    #dpdaction=restart
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel
    mobike=no
    #pfs=no
    reauth=no


root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[2] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) ]

sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (1064 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1536
initiating IKE_SA tunnel[2] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) ]

sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (1000 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (392 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi 
TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (332 
bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (108 
bytes)

parsed IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[2] established between 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

scheduling rekeying in 2525s
maximum IKE_SA lifetime 3065s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'tunnel' failed
root@client:~#


Ipsec statusall

Status of IKE charon daemon (strongSwan 5.3.3, Linux 4.4.0-112-generic, x86_64):

  uptime: 41 seconds, since Feb 07 12:08:32 2018
  malloc: sbrk 2703360, mmap 0, used 519216, free 2184144
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 2
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 
pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl 
attr kernel-netlink resolve socket-default stroke updown xauth-generic

Listening IP addresses:
  192.168.10.38
  192.168.3.107

Connections:
  tunnel:  %any...192.168.10.40  IKEv2
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.40] uses pre-shared key authentication
  tunnel:   child:  dynamic === 192.168.10.0/32 TUNNEL
Security Associations (1 up, 0 connecting):
  tunnel[1]: ESTABLISHED 41 seconds ago, 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]
  tunnel[1]: IKEv2 SPIs: 53b251675b863a7d_i* 57d33cd8149f729f_r, 
rekeying in 41 minutes
  tunnel[1]: IKE proposal: 
AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536



On Tuesday 16 January 2018 11:23 PM, Noel Kuntze wrote:

Hi,

Check the logs of the remote side.
It means the remote peer did not like the proposed traffic selector. It was 
probably outside of the network range that its own configuration allows, 
meaning narrowing failed.

Kind regards

Noel


On 16.01.2018 07:25, Sujoy wrote:

Hi Noel,

The same strongSwan 5.3.3 configuration works from my VM (client) to the desktop server, 
but not from my OpenWRT to the global IP 

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-01-19 Thread Noel Kuntze
Hi,

Why did you remove the integrity algorithm from the proposal?
Use a known integrity algorithm in the proposal and it will work.

Kind regards

Noel

On 19.01.2018 15:35, Sujoy wrote:
> Hi Noel and lists,
> 
> I am getting the following error while trying to connect from OpenWRT; other 
> Linux clients are connected to the same server. There are no logs 
> available on the device. The device connected but failed to establish 
> the tunnel.
> 
> it will be a big help for me, if anyone can help in solving this issue. 
> Thanks a lot once again for the support.
> 
> 
> 
> Server screen
> 
> 
> 
> Thanks
> 
> On Tuesday 16 January 2018 11:23 PM, Noel Kuntze wrote:
>> Hi,
>>
>> Check the logs of the remote side.
>> It means the remote peer did not like the proposed traffic selector. It was 
>> probably outside of the network range that its own configuration allows, 
>> meaning narrowing failed.
>>
>> Kind regards
>>
>> Noel
>>
>>
>> On 16.01.2018 07:25, Sujoy wrote:
>>> Hi Noel,
>>>
>>> The same strongSwan 5.3.3 configuration works from my VM (client) to the desktop 
>>> server, but not from my OpenWRT to the NATed Linux server behind a global IP. 
>>> Can you help me to solve this? 
>>>
>>> What does "received TS_UNACCEPTABLE notify, no CHILD_SA built" mean?
>>>
>>> Server config file.
>>>
>>>
>>>
>>>
>>> Thanks & Regards
>>>
>>> Sujoy
>>>
>>> On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:
 Hi,

 Only on the responder.
 If you use dpd and enforce UDP encapsulation, you do not need to open any 
 ports on the initiator side.
 Refer to the UsableExamples wiki page[1] for example configurations that 
 are usable in the real world.

 Kind regards

 Noel

 [1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

 On 28.12.2017 08:51, Sujoy wrote:
> Hi All,
>
>
> We want to implement strongSwan, with IPsec, in OpenWRT. The IPsec server will 
> be running on CentOS and the OpenWRT router will connect to it using VPN. 
> I have configured the server part, but am struggling to configure the client 
> part. Do we need to open port 4500 for this first?
>
> Anyone can suggest any solution for this.
> 





Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-01-16 Thread Noel Kuntze
Hi,

Check the logs of the remote side.
It means the remote peer did not like the proposed traffic selector. It was 
probably outside of the network range that its own configuration allows, 
meaning narrowing failed.

Kind regards

Noel


On 16.01.2018 07:25, Sujoy wrote:
> Hi Noel,
> 
> The same strongSwan 5.3.3 configuration works from my VM (client) to the desktop 
> server, but not from my OpenWRT to the NATed Linux server behind a global IP. 
> Can you help me to solve this? 
> 
> What does "received TS_UNACCEPTABLE notify, no CHILD_SA built" mean?
> 
> Server config file.
> 
> 
> 
> 
> Thanks & Regards
> 
> Sujoy
> 
> On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:
>> Hi,
>>
>> Only on the responder.
>> If you use dpd and enforce UDP encapsulation, you do not need to open any 
>> ports on the initiator side.
>> Refer to the UsableExamples wiki page[1] for example configurations that are 
>> usable in the real world.
>>
>> Kind regards
>>
>> Noel
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
>>
>> On 28.12.2017 08:51, Sujoy wrote:
>>> Hi All,
>>>
>>>
>>> We want to implement strongSwan, with IPsec, in OpenWRT. The IPsec server will be 
>>> running on CentOS and the OpenWRT router will connect to it using VPN. I 
>>> have configured the server part, but am struggling to configure the client part. 
>>> Do we need to open port 4500 for this first?
>>>
>>> Anyone can suggest any solution for this.
> 




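Noel's explanation above (the responder narrows the proposed traffic selectors to what its own config allows, and answers with TS_UNACCEPTABLE when nothing is left) and Jafar's earlier point that rightsubnet=192.168.10.0/32 names a single host, shown as an added example that is not strongSwan code and not from any poster: a small Python model of RFC 7296 section 2.9 narrowing. The subnets are constructed from the thread's addresses (192.168.10.100 is a placeholder host), and the function names are my own.

```python
"""Model of IKEv2 traffic-selector (TS) narrowing, RFC 7296 section 2.9.

Added example, not strongSwan code. The responder intersects the initiator's
proposed TSi/TSr with the address ranges its own child config permits; an
empty intersection is answered with N(TS_UNACCEPT) and no CHILD_SA is built.
"""
import ipaddress
from typing import List, Optional, Tuple

# An IKEv2 TS_IPV4_ADDR_RANGE carries a start and an end address, not a prefix.
Range = Tuple[int, int]


def to_range(cidr: str) -> Range:
    """Convert an ipsec.conf subnet such as 192.168.10.0/24 into a start/end range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def host_count(cidr: str) -> int:
    """Number of addresses a subnet value actually covers (a /32 is exactly one)."""
    lo, hi = to_range(cidr)
    return hi - lo + 1


def narrow(proposed: List[Range], allowed: List[Range]) -> List[Range]:
    """Intersect every proposed range with every allowed range; drop empty results."""
    narrowed = []
    for p_lo, p_hi in proposed:
        for a_lo, a_hi in allowed:
            lo, hi = max(p_lo, a_lo), min(p_hi, a_hi)
            if lo <= hi:
                narrowed.append((lo, hi))
    return narrowed


def responder_decision(proposed: List[str], allowed: List[str]) -> Optional[List[Tuple[str, str]]]:
    """Return the narrowed selectors as (start, end) strings, or None for TS_UNACCEPTABLE."""
    result = narrow([to_range(c) for c in proposed], [to_range(c) for c in allowed])
    if not result:
        return None  # responder replies N(TS_UNACCEPT); initiator logs "no CHILD_SA built"
    return [(str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(hi))) for lo, hi in result]


if __name__ == "__main__":
    # Constructed cases built from the thread's addresses; 192.168.10.100 is a
    # placeholder for whatever host the responder's config actually protects.
    print(host_count("192.168.10.0/32"))  # 1: the /32 names only the address .0
    # Proposing 192.168.10.0/32 against a responder that only allows .100/32
    print(responder_decision(["192.168.10.0/32"], ["192.168.10.100/32"]))  # None
    # Proposing the whole /24 narrows down to the host the responder allows
    print(responder_decision(["192.168.10.0/24"], ["192.168.10.100/32"]))
```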

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2017-06-13 Thread Noel Kuntze
Hello,

On 12.06.2017 10:10, Dharrshen ( N'osairis ) wrote:
>
> config connection
> option ikeversion '2'
> option enabled 'yes'
> option name 'VPNHUB01'
> option waniface 'wan1 wan2'
> option locallan '11.11.11.1'
> option locallanmask '255.255.255.0'
> option remoteaddress '103.54.93.45'
> option remotelan '12.12.12.1'
> option remotelanmask '255.255.255.0'
> option type 'tunnel'
> option dpdaction 'restart'
> option dpddelay '30s'
> option dpdtimeout '120s'
> option ike 'aes128-sha1-modp1024'
> option esp 'aes128-sha1'
> option ikelifetime '24h'
> option rekeymargin '9m'
> option keylife '8h'
> option keyingtries '%forever'
> option auto 'start'
> option authby 'psk'
>
> config secret
> option enabled 'yes'
> option remoteaddress '103.54.93.45'
> option secret 'cisco'
> option secrettype 'psk'
>
>
>
You might have a lot of trouble getting this to work with OpenWRT and the 
default firewall. Write your own rules, don't use LuCI.
Also: use auto=route, not auto=start and make sure to use better ciphers and 
KEX algorithms.
I hope that isn't your actual PSK. It's very weak and I guess anybody can 
brute-force it in under 5 tries.

> Logs lines :
>
> Jun 12 14:49:22 daemon.info  00E0C813015C ipsec: 
> 10[NET]  received packet: from 103.54.93.45[4500] to 
> 10.8.162.93[4500] (220 bytes)
> Jun 12 14:49:22 daemon.info  00E0C813015C ipsec: 
> 10[ENC]  parsed CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
> Jun 12 14:49:22 daemon.info  00E0C813015C ipsec: 
> 10[IKE]  received TS_UNACCEPTABLE notify, no CHILD_SA built
> Jun 12 14:49:22 daemon.info  00E0C813015C ipsec: 
> 10[IKE]  failed to establish CHILD_SA, keeping IKE_SA
> Jun 12 14:49:45 daemon.info  00E0C813015C ipsec: 
> 10[IKE]  sending keep alive to 103.54.93.45[4500]
> Jun 12 14:49:52 daemon.info  00E0C813015C ipsec: 
> 11[IKE]  sending DPD request
>
The remote peer sends you an error indicating the leftsubnet and rightsubnet 
parameters are invalid. Verify the settings
and/or ask the remote peer for logs.

Kind regards

Noel


