Hi Tilak,

first a few comments on your ipsec.conf file:

>config setup
>    interfaces="ipsec0=eth0"

The interfaces option is for the FreeS/WAN KLIPS IPsec stack and
is completely obsolete.

>    klipsdebug=all
>    plutodebug=all

These debug options are for the IKEv1 pluto daemon and not relevant
for debugging IKEv2. Rather choose

     plutostart=no

to disable pluto.

 conn jay1
     ...
     auth=ah

strongSwan's IKEv2 charon daemon does not support the AH protocol [yet].

Your connection definitions are very confusing. In ipsec.conf you define

>conn jay1
>    left=10.1.1.42
>    right=10.1.1.10
>    rightsubnet=10.1.2.42/32

>conn jay2
>    left=10.1.1.10
>    right=10.1.1.42
>    rightsubnet=10.1.2.10/32

whereas in your ANVL application you define:

IKE_SA_INIT request:

  IP: Source Address = 10.1.1.20
  IP: Destination Address = 10.1.1.42

IKE_SA_INIT response:

  IP: Source Address = 10.1.1.42
  IP: Destination Address = 10.1.1.20

IKE_AUTH request:

  IP: Source Address = 10.1.1.20
  IP: Destination Address = 10.1.1.42

  IKEV2: ----- IKEV2 Traffic Selector Data ----
  IKEV2: TS Type = 7 ( IPV4 Addr Range)
  IKEV2: IP Protocol ID = 0
  IKEV2: Selector Length = 16
  IKEV2: Start Port = 0
  IKEV2: End Port = 65535
  IKEV2: IPV4 Start Address = 10.1.1.20
  IKEV2: IPV4 End Address = 10.1.1.20

  IKEV2: ----- IKEV2 Traffic Selector Data ----
  IKEV2: TS Type = 7 ( IPV4 Addr Range)
  IKEV2: IP Protocol ID = 0
  IKEV2: Selector Length = 16
  IKEV2: Start Port = 0
  IKEV2: End Port = 65535
  IKEV2: IPV4 Start Address = 10.1.1.0
  IKEV2: IPV4 End Address = 10.1.1.255

Translated to an ipsec.conf file for the strongSwan peer:

  left=10.1.1.42
  leftsubnet=10.1.1.0/24
  right=101.1.20

Which does not match either jay1 or jay2.

But nevertheless the request seems successful:

IKE_AUTH response:

  IP: Source Address = 10.1.1.42
  IP: Destination Address = 10.1.1.20

  IKEV2: ----- IKEV2 Traffic Selector Data ----
  IKEV2: TS Type = 7 ( IPV4 Addr Range)
  IKEV2: IP Protocol ID = 0
  IKEV2: Selector Length = 16
  IKEV2: Start Port = 0
  IKEV2: End Port = 65535
  IKEV2: IPV4 Start Address = 10.1.1.20
  IKEV2: IPV4 End Address = 10.1.1.20

  IKEV2: ----- IKEV2 Traffic Selector Data ----
  IKEV2: TS Type = 7 ( IPV4 Addr Range)
  IKEV2: IP Protocol ID = 0
  IKEV2: Selector Length = 16
  IKEV2: Start Port = 0
  IKEV2: End Port = 65535
  IKEV2: IPV4 Start Address = 10.1.1.42
  IKEV2: IPV4 End Address = 10.1.1.42

This translates to

  left=10.1.1.42
  right=10.1.1.20

so that traffic selector narrowing takes place.

CREATE_CHILD_SA request:

  IP: Source Address = 10.1.1.20
  IP: Destination Address = 10.1.1.42

In this CREATE_CHILD_SA message you don't request any additional
traffic selectors. Therefore don't be surprised to receive a
NO_PROPOSAL_CHOSEN as a response!

If you want us to help you, please provide consistent debugging
information and, as Daniel Mentz correctly mentioned, add a log
from the strongSwan side!!!

Regards

Andreas

Tilak Adhya wrote:
> Hi Andreas,
>
> !.5.txt is the log file we are sending to the Strongswan. Strongswan
> has the ip 10.1.1.42.
> And the corresponding configuration file is also attached with this
> mail.
> Waiting for valuable comments.
>
> Thanks in advance...
> Tilak
>
>
> On Mon, 18 May 2009 11:50:29 +0530 wrote
>>Hi Tilak,
>>
>>without any log and configuration information we cannot possibly
>>help you.
>>
>>Regards
>>
>>Andreas
>>
>>Tilak Adhya wrote:
>>> Hi,
>>>
>>> I am new to this list and using Strongswan for the last 2 months...
>>> I am facing a problem regarding the CREATE_CHILD_SA for IKEV2 with
>>> Strongswan. I have connected two Strongswan back to back but not
>>> able to send CREATE_CHILD_SAs. Also, I sent CREATE_CHILD_SA but
>>> Strongswan is not responding properly. It replies with
>>> "No Proposal CHosen"; but proposals configured in the Strongswan
>>> should match. Not getting the reason. If you need the log files
>>> I can post it.
>>> Your help is highly appreciated.
>>>
>>> Thanks
>>> Tilak
>>>
>>> *--
>>> tilak

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
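Added example, not part of the original message and not strongSwan code: a simplified model of the IKEv2 traffic selector narrowing discussed above, run on the selectors from the quoted IKE_AUTH request. The host-to-host responder policy and all function names are assumptions made for illustration; jay1 uses the values from the posted ipsec.conf.

```python
import ipaddress

def ts(start, end, proto=0, ports=(0, 65535)):
    """One TS_IPV4_ADDR_RANGE selector: (proto, port_lo, port_hi, addr_lo, addr_hi)."""
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (start, end))
    return (proto, ports[0], ports[1], lo, hi)

def subnet(cidr):
    """Selector covering a whole subnet, as leftsubnet/rightsubnet would."""
    net = ipaddress.ip_network(cidr)
    return ts(net.network_address, net.broadcast_address)

def intersect(a, b):
    """Common part of two selectors, or None; protocol 0 means 'any'."""
    if a[0] and b[0] and a[0] != b[0]:
        return None
    lo = (max(a[1], b[1]), max(a[3], b[3]))
    hi = (min(a[2], b[2]), min(a[4], b[4]))
    if lo[0] > hi[0] or lo[1] > hi[1]:
        return None
    return (a[0] or b[0], lo[0], hi[0], lo[1], hi[1])

def narrow(proposed, policy):
    """All non-empty intersections of proposed selectors with local policy."""
    return [r for p in proposed for c in policy if (r := intersect(p, c))]

def respond(tsi, tsr, local, remote):
    """Responder side: TSi is checked against the remote policy, TSr against local."""
    n_i, n_r = narrow(tsi, remote), narrow(tsr, local)
    if not n_i or not n_r:
        return "TS_UNACCEPTABLE"
    return (n_i, n_r)

def show(sel):
    """Render the address range of a selector for printing."""
    return f"{ipaddress.IPv4Address(sel[3])}-{ipaddress.IPv4Address(sel[4])}"

# Selectors from the IKE_AUTH request quoted in the message.
TSI = [ts("10.1.1.20", "10.1.1.20")]
TSR = [ts("10.1.1.0", "10.1.1.255")]

# Assumed responder policies (constructed): a host-to-host conn, and jay1 as posted.
HOST = ([subnet("10.1.1.42/32")], [subnet("10.1.1.20/32")])
JAY1 = ([subnet("10.1.1.42/32")], [subnet("10.1.2.42/32")])

if __name__ == "__main__":
    for name, (local, remote) in (("host-to-host", HOST), ("jay1", JAY1)):
        res = respond(TSI, TSR, local, remote)
        if res == "TS_UNACCEPTABLE":
            print(name, res)
        else:
            print(name, "TSi", [show(s) for s in res[0]], "TSr", [show(s) for s in res[1]])
```

With the host-to-host policy the proposed TSr range 10.1.1.0-10.1.1.255 is narrowed to 10.1.1.42, as in the quoted IKE_AUTH response, while the jay1 selectors share no address with the request.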