Hi Tilak,

first a few comments on your ipsec.conf file:

>config setup
>       interfaces="ipsec0=eth0"

The interfaces option is for the FreeS/WAN KLIPS
IPsec stack and is completely obsolete.

>       klipsdebug=all
>       plutodebug=all

These debug options are for the IKEv1 pluto daemon
and not relevant for debugging IKEv2. Rather choose

        plutostart=no

to disable pluto.

>conn jay1
>       ...
>       auth=ah

strongSwan's IKEv2 charon daemon does not support the AH protocol [yet].

Your connection definitions are very confusing.
In ipsec.conf you define

>conn jay1
>       left=10.1.1.42
>       right=10.1.1.10
>       rightsubnet=10.1.2.42/32

>conn jay2
>       left=10.1.1.10
>       right=10.1.1.42
>       rightsubnet=10.1.2.10/32

whereas in your ANVL application you define:

IKE_SA_INIT request:
IP: Source Address         = 10.1.1.20
IP: Destination Address    = 10.1.1.42

IKE_SA_INIT response:
IP: Source Address         = 10.1.1.42
IP: Destination Address    = 10.1.1.20

IKE_AUTH request:
IP: Source Address         = 10.1.1.20
IP: Destination Address    = 10.1.1.42

IKEV2: ----- IKEV2 Traffic Selector Data ----
IKEV2: TS Type                   =  7 ( IPV4 Addr Range)
IKEV2: IP Protocol ID            =  0
IKEV2: Selector Length           =  16
IKEV2: Start Port                = 0
IKEV2: End Port                  = 65535
IKEV2: IPV4 Start Address       = 10.1.1.20
IKEV2: IPV4 End Address         = 10.1.1.20

IKEV2: ----- IKEV2 Traffic Selector Data ----
IKEV2: TS Type                   =  7 ( IPV4 Addr Range)
IKEV2: IP Protocol ID            =  0
IKEV2: Selector Length           =  16
IKEV2: Start Port                = 0
IKEV2: End Port                  = 65535
IKEV2: IPV4 Start Address       = 10.1.1.0
IKEV2: IPV4 End Address         = 10.1.1.255

Translated to an ipsec.conf file for the strongSwan peer:

left=10.1.1.42
leftsubnet=10.1.1.0/24
right=10.1.1.20

Which does not match either jay1 or jay2. But nevertheless
the request seems successful:

IKE_AUTH response:
IP: Source Address         = 10.1.1.42
IP: Destination Address    = 10.1.1.20

IKEV2: ----- IKEV2 Traffic Selector Data ----
IKEV2: TS Type                   =  7 ( IPV4 Addr Range)
IKEV2: IP Protocol ID            =  0
IKEV2: Selector Length           =  16
IKEV2: Start Port                = 0
IKEV2: End Port                  = 65535
IKEV2: IPV4 Start Address       = 10.1.1.20
IKEV2: IPV4 End Address         = 10.1.1.20

IKEV2: ----- IKEV2 Traffic Selector Data ----
IKEV2: TS Type                   =  7 ( IPV4 Addr Range)
IKEV2: IP Protocol ID            =  0
IKEV2: Selector Length           =  16
IKEV2: Start Port                = 0
IKEV2: End Port                  = 65535
IKEV2: IPV4 Start Address       = 10.1.1.42
IKEV2: IPV4 End Address         = 10.1.1.42

This translates to

left=10.1.1.42
right=10.1.1.20

so that traffic selector narrowing takes place.

CREATE_CHILD_SA request:
IP: Source Address         = 10.1.1.20
IP: Destination Address    = 10.1.1.42

In this CREATE_CHILD_SA message you don't request any
additional traffic selectors. Therefore don't be surprised
to receive a NO_PROPOSAL_CHOSEN as a response!

If you want us to help you, please provide consistent debugging
information and as Daniel Mentz correctly mentioned, add a
log from the strongSwan side!!!

Regards

Andreas

Tilak Adhya wrote:
> Hi Andreas,
> 
> !.5.txt is the log file we are sending to the Strongswan. Strongswan
> has the ip 10.1.1.42.
> And the corresponding configuration file is also attached with this
> mail.
> Waiting for valuable comments.
> 
> Thanks in advance...
> Tilak
> 
> 
> On Mon, 18 May 2009 11:50:29 +0530 wrote
>>Hi Tilak,
>>
>>without any log and configuration information we cannot possibly
>>help you.
>>
>>Regards
>>
>>Andreas
>>
>>Tilak Adhya wrote:
>>> Hi,
>>>
>>> I am new to this list and using Strongswan for the last 2 months... I
>>> am facing a problem regarding the CREATE_CHILD_SA for IKEV2 with
>>> Strongswan. I have connected two Strongswan back to back but not able
>>> to send CREATE_CHILD_SAs. Also, I sent CREATE_CHILD_SA but Strongswan
>>> is not responding properly. It replies with "No Proposal Chosen"; but
>>> proposals configured in the Strongswan should match. Not getting the
>>> reason. If you need the log files I can post it.
>>> Your help is highly appreciated.
>>>
>>> Thanks
>>> Tilak
>>>
>>> *--
>>> tilak

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
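
Added example, not part of the original mail and not strongSwan code: a simplified model of IKEv2 traffic selector narrowing (RFC 7296, section 2.9) run over the selector values from the IKE_AUTH request quoted above. The names TS, parse_dump, from_subnet and narrow are hypothetical; the first selector block is taken as TSi and the second as TSr, as the reply reads them.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class TS:
    proto: int     # 0 means any IP protocol
    ports: tuple   # (start, end), inclusive
    addrs: tuple   # (start, end) as IPv4Address, inclusive

def parse_dump(text):
    """Parse 'IKEV2: name = value' selector blocks laid out as in the dump above."""
    selectors = []
    for block in text.split("Traffic Selector Data")[1:]:
        f = dict(re.findall(r"IKEV2: (.+?)\s*=\s*(\S+)", block))
        addr = lambda key: ipaddress.IPv4Address(f[key])
        selectors.append(TS(int(f["IP Protocol ID"]),
                            (int(f["Start Port"]), int(f["End Port"])),
                            (addr("IPV4 Start Address"), addr("IPV4 End Address"))))
    return selectors

def from_subnet(cidr):
    # Policy selector for a left/right address or subnet, any protocol and port.
    net = ipaddress.ip_network(cidr)
    return TS(0, (0, 65535), (net[0], net[-1]))

def narrow(proposed, policy):
    """Intersect one proposed selector with one policy selector; None if disjoint."""
    ports = (max(proposed.ports[0], policy.ports[0]), min(proposed.ports[1], policy.ports[1]))
    addrs = (max(proposed.addrs[0], policy.addrs[0]), min(proposed.addrs[1], policy.addrs[1]))
    clash = proposed.proto and policy.proto and proposed.proto != policy.proto
    if clash or ports[0] > ports[1] or addrs[0] > addrs[1]:
        return None  # a responder answers TS_UNACCEPTABLE when nothing is left
    return TS(proposed.proto or policy.proto, ports, addrs)

# Constructed input: selector values copied from the IKE_AUTH request above.
BLOCK = """IKEV2: ----- IKEV2 Traffic Selector Data ----
IKEV2: IP Protocol ID            =  0
IKEV2: Start Port                = 0
IKEV2: End Port                  = 65535
IKEV2: IPV4 Start Address       = {}
IKEV2: IPV4 End Address         = {}
"""
REQUEST = BLOCK.format("10.1.1.20", "10.1.1.20") + BLOCK.format("10.1.1.0", "10.1.1.255")

if __name__ == "__main__":
    tsi, tsr = parse_dump(REQUEST)
    print("TSi:", narrow(tsi, from_subnet("10.1.1.20")))  # responder's right
    print("TSr:", narrow(tsr, from_subnet("10.1.1.42")))  # responder's left
```

With a host-to-host policy the proposed TSr of 10.1.1.0-10.1.1.255 is narrowed to 10.1.1.42-10.1.1.42, the value seen in the IKE_AUTH response; a policy selector disjoint from the proposal, such as jay1's rightsubnet=10.1.2.42/32 against the proposed TSi, leaves no intersection in this model.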
