Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built error in a Hub and Spoke Setup

2021-08-17 Thread S M Tanjeen
Hi Mr Brunner, Thanks a lot for pointing out. This plugin was enabled unintentionally since the firmware build. My Hub and spoke is working now. Regards, Tanjeen On 8/17/21 11:54 PM, Tobias Brunner wrote: Hi, error installing route with policy 192.168.10.0/24 === 192.168.20.0/24 out

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built error in a Hub and Spoke Setup

2021-08-17 Thread Tobias Brunner
Hi, error installing route with policy 192.168.10.0/24 === 192.168.20.0/24 out Why are you using kernel-libipsec [1] on your hub? Regards, Tobias [1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec

[strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built error in a Hub and Spoke Setup

2021-08-17 Thread S M Tanjeen
Hi, I'm using strongSwan 5.6.3 on OpenWrt for x86 architecture. Here I'm trying to achieve the hub-n-spoke setup [a network diagram has been attached] for connecting/routing multiple subnets behind more than two gateways. I've tried numerous changes in ipsec.conf as suggested, but I'm stuck

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-16 Thread Jafar Al-Gharaibeh
On 2/16/2018 3:39 AM, Sujoy wrote: The config file is same but then also it failed by saying "unable to install inbound and outbound IPsec SA (SAD) in kernel failed to establish CHILD_SA, keeping IKE_SA". It is failing with the error "IPsec SA: unsupported mode". That means transport

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-09 Thread Jafar Al-Gharaibeh
Can you send the logs from the other side, the one that generates the TS_UNACCEPTABLE notify? --Jafar On 2/9/2018 12:31 AM, Sujoy wrote: Hi Jafar/Noel, What means "received TS_UNACCEPTABLE notify, no CHILD_SA built [IKE] failed to establish CHILD_SA, keeping IKE_SA". Same error comes in

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-08 Thread Sujoy
Hi Jafar/Noel, What means " received TS_UNACCEPTABLE notify, no CHILD_SA built [IKE] failed to establish CHILD_SA, keeping IKE_SA" . Same error comes in the new installed Linux also. root@client:~# ipsec up tunnel initiating IKE_SA tunnel[1] to 192.168.10.40 generating IKE_SA_INIT request 0

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-08 Thread Sujoy
Thanks Jafar, for the update. But after setting up without subnet and "type=tunnel or transport" it shows the same error "failed to establish CHILD_SA, keeping IKE_SA". What should be issue. Thanks On Friday 09 February 2018 01:53 AM, Jafar Al-Gharaibeh wrote: Sujoy, Just to make sure

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-08 Thread Jafar Al-Gharaibeh
Sujoy, Just to make sure everything is working OK. Try setting:
    left=192.168.10.40
    right=192.168.10.38
and
    left=192.168.10.38
    right=192.168.10.40
Comment out left/rightsubnet configs. They should default to the same IP addresses as left/right. --Jafar

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-08 Thread Jafar Al-Gharaibeh
On 2/8/2018 2:53 AM, Tore Anderson wrote: * Jafar Al-Gharaibeh You can NOT have the least significant octet set to zero with a 32-bit netmask Sure you can. There is no fundamental difference between 192.168.10.0/32 and, say, 192.168.10.10/32. Both are equally valid, and

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-08 Thread Tore Anderson
* Jafar Al-Gharaibeh
> You can NOT have the least significant octet set to zero with a 32-bit
> netmask
Sure you can. There is no fundamental difference between 192.168.10.0/32 and, say, 192.168.10.10/32. Both are equally valid, and both refer to a single address/host. Tore

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-07 Thread Sujoy
Hi Jafar, Peer is also using strongswan 5.3.3. Following is the configuration. We need tunnel because once it is connected in LAN we want to implement in WAN/Internet. Output of the 192.168.10.40 is below.     Config setup     charondebug="all"     uniqueids=yes

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-07 Thread Jafar Al-Gharaibeh
On 2/7/2018 9:22 AM, Sujoy wrote: Thanks Jafar, for the reply. But after removing subnet from the config also tunneling failed. Is there any issue with the version of strongswan 5.3.3. What means "TS_UNACCEPTABLE notify, no CHILD_SA built" "TS_UNACCEPTABLE notify"  means the peer didn't

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-07 Thread Sujoy
Thanks Jafar, for the reply. But after removing subnet from the config also tunneling failed. Is there any issue with the version of strongswan 5.3.3. What means "TS_UNACCEPTABLE notify, no CHILD_SA built"    Config setup     charondebug="all"     uniqueids=yes    

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-07 Thread Jafar Al-Gharaibeh
On 2/7/2018 9:01 AM, Jafar Al-Gharaibeh wrote: You can have the least significant octet set to zero with a 32-bit netmask Sorry, this should read: You can NOT have the least significant octet set to zero with a 32-bit netmask

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-07 Thread Jafar Al-Gharaibeh
Sujoy, Are you sure about rightsubnet=192.168.10.0/32? This subnet gets you nothing unless you know that it has a special meaning in the config that I'm not aware of. You can have the least significant octet set to zero with a 32-bit netmask. What is the rightsubnet that you are trying

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-01-19 Thread Noel Kuntze
Hi, Why did you remove the integrity algorithm from the proposal? Use a known integrity algorithm in the proposal and it will work. Kind regards Noel On 19.01.2018 15:35, Sujoy wrote: > Hi Noel and lists, > > I am getting the following error while trying to connect from OpenWrt, the > same

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-01-16 Thread Noel Kuntze
Hi, Check the logs of the remote side. It means the remote peer did not like the proposed traffic selector. It was probably outside of the network range that its own configuration allows, meaning narrowing failed. Kind regards Noel On 16.01.2018 07:25, Sujoy wrote: > Hi Noel, > > Same

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2017-06-13 Thread Noel Kuntze
Hello, On 12.06.2017 10:10, Dharrshen ( N'osairis ) wrote: > > config connection > option ikeversion '2' > option enabled 'yes' > option name 'VPNHUB01' > option waniface 'wan1 wan2' > option locallan '11.11.11.1' >

[strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2017-06-12 Thread Dharrshen ( N'osairis )
Hi Everyone, I'm in the midst of building IPsec tunnel towards a Mikrotik router. Phase 1 IKE establishes successfully but Phase 2 CHILD_SA fails. Kindly advise me on the failing point. My strongswan config is as below: package strongswan config general 'general' option strictcrlpolicy