Hi Mr Brunner,
Thanks a lot for pointing out. This plugin was enabled unintentionally
since the firmware build.
My Hub and spoke is working now.
Regards,
Tanjeen
On 8/17/21 11:54 PM, Tobias Brunner wrote:
Hi,
error installing route with policy 192.168.10.0/24 === 192.168.20.0/24 out
Why are you using kernel-libipsec [1] on your hub?
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec
Hi,
I'm using strongSwan 5.6.3 on OpenWrt for x86 architecture. Here I'm
trying to achieve the hub-n-spoke setup [a network diagram has been
attached] for connecting/routing multiple subnets behind more than two
gateways.
I've tried numerous changes in ipsec.conf as suggested, but I'm stuck
On 2/16/2018 3:39 AM, Sujoy wrote:
The config file is same but then also it failed by saying "unable to
install inbound and outbound IPsec SA (SAD) in kernel failed to
establish CHILD_SA, keeping IKE_SA".
It is failing with the error "IPsec SA: unsupported mode". That means
transport
Can you send the logs from the other side? the one that generates the
TS_UNACCEPTABLE notify.
--Jafar
On 2/9/2018 12:31 AM, Sujoy wrote:
Hi Jafar/Noel,
What means " received TS_UNACCEPTABLE notify, no CHILD_SA built [IKE]
failed to establish CHILD_SA, keeping IKE_SA" . Same error comes in the
new installed Linux also.
root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0
Thanks Jafar, for the update. But after setting up without subnet and
"type=tunnel or transport" it shows the same error "failed to establish
CHILD_SA, keeping IKE_SA". What should be issue.
Thanks
On Friday 09 February 2018 01:53 AM, Jafar Al-Gharaibeh wrote:
Sujoy,
Just to make sure everything is working OK. Try setting:
left=192.168.10.40
right=192.168.10.38
and
left=192.168.10.38
right=192.168.10.40
Comment out left/rightsubnet configs. They should default to the same IP
addresses as left/right.
--Jafar
On 2/8/2018 2:53 AM, Tore Anderson wrote:
* Jafar Al-Gharaibeh
> You can NOT have the least significant octet set to zero with a 32-bit
> netmask
Sure you can. There is no fundamental difference between 192.168.10.0/32
and, say, 192.168.10.10/32. Both are equally valid, and both refer to a
single address/host.
Tore
Hi Jafar, Peer is also using strongswan 5.3.3. following is the
configuration. We need tunnel because once it is connected in LAN we
want to implement in WAN/Internet. Output of the 192.168.10.40 is below.
Config setup
charondebug="all"
uniqueids=yes
On 2/7/2018 9:22 AM, Sujoy wrote:
Thanks Jafar, for the reply. But after removing subnet from the config
also tunneling failed. Is there any issue with the version of
strongswan 5.3.3. What means "TS_UNACCEPTABLE notify, no CHILD_SA built"
"TS_UNACCEPTABLE notify" means the peer didn't
Thanks Jafar, for the reply. But after removing subnet from the config
also tunneling failed. Is there any issue with the version of strongswan
5.3.3. What means "TS_UNACCEPTABLE notify, no CHILD_SA built"
Config setup
charondebug="all"
uniqueids=yes
On 2/7/2018 9:01 AM, Jafar Al-Gharaibeh wrote:
You can have the least significant octet set to zero with a 32-bit netmask
Sorry, this should read:
You can NOT have the least significant octet set to zero with a 32-bit
netmask
Sujoy,
Are you sure about
rightsubnet=192.168.10.0/32
This subnet gets you nothing unless you know that it has a special
meaning in the config that I'm not aware of. You can have the least
significant octet set to zero with a 32-bit netmask. What is the
rightsubnet that you are trying
Hi,
Why did you remove the integrity algorithm from the proposal?
Use a known integrity algorithm in the proposal and it will work.
Kind regards
Noel
On 19.01.2018 15:35, Sujoy wrote:
> Hi Noel and lists,
>
> I am getting the following error while trying to connect from OpenWrt, the
> same
Hi,
Check the logs of the remote side.
It means the remote peer did not like the proposed traffic selector. It was
probably outside of the network range that its own configuration allows,
meaning narrowing failed.
Kind regards
Noel
On 16.01.2018 07:25, Sujoy wrote:
> Hi Noel,
>
> Same
Hello,
On 12.06.2017 10:10, Dharrshen ( N'osairis ) wrote:
>
> config connection
> option ikeversion '2'
> option enabled 'yes'
> option name 'VPNHUB01'
> option waniface 'wan1 wan2'
> option locallan '11.11.11.1'
>
Hi Everyone,
I'm in the midst of building IPsec tunnel towards a Mikrotik router.
Phase 1 IKE establishes successfully but Phase 2 CHILD_SA fails. Kindly
advise me on the failing point.
My strongswan config is as below :
package strongswan
config general 'general'
option strictcrlpolicy