Tilak Adhya wrote:
>
> Hi Andreas,
>
> Thanks for your help. Here is the consistent debug information.
>
> You are saying that I need to send Traffic Selectors (TS) with the
> CREATE_CHILD_SA request. But in the RFC 4306, it is clearly written
> that TS are optional in the request-response for CREATE_CHILD_SA. It's
> confusing to me. Could you please explain a little bit more on this and
> why I am getting no proposal chosen from the strongSwan.
>
RFC 4306 says the following:

    Traffic selectors are omitted if this CREATE_CHILD_SA request is
    being used to change the key of the IKE_SA.

But looking at your CREATE_CHILD_SA request, you don't initiate any
rekeying (which requires a notify payload), but you just propose

IKEV2: ---- IKEV2 Proposal Payload ----
IKEV2:
IKEV2: Next Payload = Payload NONE
IKEV2: RESERVED = 0
IKEV2: Payload Length = 36 bytes
IKEV2: Proposal Number = 1
IKEV2: Protocol-Id = 3 (ESP)
IKEV2: SPI Size = 4
IKEV2: Number of Transforms = 3
IKEV2: --- Security Parameter Index [4 bytes] ---
IKEV2: 46 D2 13 FF F...
IKEV2: --- Security Parameter Index End ---
IKEV2:
IKEV2: ---- IKEV2 Transform Payload ----
IKEV2:
IKEV2: Next Payload = Transform Payload
IKEV2: RESERVED = 0
IKEV2: Payload Length = 8 bytes
IKEV2: Transform Type = 1 ( Encryption Algorithm Transform)
IKEV2: RESERVED = 0
IKEV2: Transform-Id = 3 ( 3DES Encryption Algorithm)
IKEV2:
IKEV2: ---- End IKEV2 Transform Payload ----
IKEV2:
IKEV2: ---- IKEV2 Transform Payload ----
IKEV2:
IKEV2: Next Payload = Transform Payload
IKEV2: RESERVED = 0
IKEV2: Payload Length = 8 bytes
IKEV2: Transform Type = 3 ( Integrity Algorithm Transform)
IKEV2: RESERVED = 0
IKEV2: Transform-Id = 2 ( HMAC_SHA1_96 integrity Algorithm)
IKEV2:
IKEV2: ---- End IKEV2 Transform Payload ----
IKEV2:
IKEV2: ---- IKEV2 Transform Payload ----
IKEV2:
IKEV2: Next Payload = Payload NONE
IKEV2: RESERVED = 0
IKEV2: Payload Length = 8 bytes
IKEV2: Transform Type = 5 ( ESN Transform)
IKEV2: RESERVED = 0
IKEV2: Transform-Id = 0 ( No extended Sequence numbers)
IKEV2:
IKEV2: ---- End IKEV2 Transform Payload ----
IKEV2:
IKEV2: ---- End IKEV2 Proposal Payload ----

which is the same ESP cipher suite as in the IKE_AUTH proposal but
without any traffic selectors. So I don't know what you want to achieve
with this CREATE_CHILD_SA request.

Regards

Andreas

> Thanks
> Tilak
>
>
> On Mon, 18 May 2009 14:28:56 +0530 wrote
>> Hi Tilak,
>>
>> first a few comments on your ipsec.conf file:
>>
>>> config setup
>>>     interfaces="ipsec0=eth0"
>>
>> The interfaces option is for the FreeS/WAN KLIPS
>> IPsec stack and is completely obsolete
>>
>>>     klipsdebug=all
>>>     plutodebug=all
>>
>> These debug options are for the IKEv1 pluto daemon
>> and not relevant for debugging IKEv2. Rather choose
>>
>>     plutostart=no
>>
>> to disable pluto.
>>
>> conn jay1
>>     ...
>>     auth=ah
>>
>> strongSwan's IKEv2 charon daemon does not support the AH protocol
>> [yet].
>>
>> Your connection definitions are very confusing.
>> In ipsec.conf you define
>>
>>> conn jay1
>>>     left=10.1.1.42
>>>     right=10.1.1.10
>>>     rightsubnet=10.1.2.42/32
>>
>>> conn jay2
>>>     left=10.1.1.10
>>>     right=10.1.1.42
>>>     rightsubnet=10.1.2.10/32
>>
>> whereas in your ANVL application you define:
>>
>> IKE_SA_INIT request:
>> IP: Source Address = 10.1.1.20
>> IP: Destination Address = 10.1.1.42
>>
>> IKE_SA_INIT response:
>> IP: Source Address = 10.1.1.42
>> IP: Destination Address = 10.1.1.20
>>
>> IKE_AUTH request:
>> IP: Source Address = 10.1.1.20
>> IP: Destination Address = 10.1.1.42
>>
>> IKEV2: ----- IKEV2 Traffic Selector Data ----
>> IKEV2: TS Type = 7 ( IPV4 Addr Range)
>> IKEV2: IP Protocol ID = 0
>> IKEV2: Selector Length = 16
>> IKEV2: Start Port = 0
>> IKEV2: End Port = 65535
>> IKEV2: IPV4 Start Address = 10.1.1.20
>> IKEV2: IPV4 End Address = 10.1.1.20
>>
>> IKEV2: ----- IKEV2 Traffic Selector Data ----
>> IKEV2: TS Type = 7 ( IPV4 Addr Range)
>> IKEV2: IP Protocol ID = 0
>> IKEV2: Selector Length = 16
>> IKEV2: Start Port = 0
>> IKEV2: End Port = 65535
>> IKEV2: IPV4 Start Address = 10.1.1.0
>> IKEV2: IPV4 End Address = 10.1.1.255
>>
>> Translated to an ipsec.conf file for the strongSwan peer:
>>
>> left=10.1.1.42
>> leftsubnet=10.1.1.0/24
>> right=101.1.20
>>
>> Which does not match either jay1 or jay2. But nevertheless
>> the request seems successful:
>>
>> IKE_AUTH response:
>> IP: Source Address = 10.1.1.42
>> IP: Destination Address = 10.1.1.20
>>
>> IKEV2: ----- IKEV2 Traffic Selector Data ----
>> IKEV2: TS Type = 7 ( IPV4 Addr Range)
>> IKEV2: IP Protocol ID = 0
>> IKEV2: Selector Length = 16
>> IKEV2: Start Port = 0
>> IKEV2: End Port = 65535
>> IKEV2: IPV4 Start Address = 10.1.1.20
>> IKEV2: IPV4 End Address = 10.1.1.20
>>
>> IKEV2: ----- IKEV2 Traffic Selector Data ----
>> IKEV2: TS Type = 7 ( IPV4 Addr Range)
>> IKEV2: IP Protocol ID = 0
>> IKEV2: Selector Length = 16
>> IKEV2: Start Port = 0
>> IKEV2: End Port = 65535
>> IKEV2: IPV4 Start Address = 10.1.1.42
>> IKEV2: IPV4 End Address = 10.1.1.42
>>
>> This translates to
>>
>> left=10.1.1.42
>> right=10.1.1.20
>>
>> so that traffic selector narrowing takes place.
>>
>> CREATE_CHILD_SA request:
>> IP: Source Address = 10.1.1.20
>> IP: Destination Address = 10.1.1.42
>>
>> In this CREATE_CHILD_SA message you don't request any
>> additional traffic selectors. Therefore don't be surprised
>> to receive a NO_PROPOSAL_CHOSEN as a response!
>>
>> If you want us to help you, please provide consistent debugging
>> information and as Daniel Mentz correctly mentioned, add a
>> log from the strongSwan side!!!
>>
>> Regards
>>
>> Andreas
>>
>> Tilak Adhya wrote:
>>> Hi Andreas,
>>>
>>> !.5.txt is the log file we are sending to the Strongswan. Strongswan
>>> has the ip 10.1.1.42.
>>> And the corresponding configuration file is also attached with this
>>> mail.
>>> Waiting for valuable comments.
>>>
>>> Thanks in advance...
>>> Tilak
>>>
>>>
>>> On Mon, 18 May 2009 11:50:29 +0530 wrote
>>>> Hi Tilak,
>>>>
>>>> without any log and configuration information we cannot possibly
>>>> help you.
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> Tilak Adhya wrote:
>>>>> Hi,
>>>>>
>>>>> I am new to this list and using Strongswan for the last 2 months... I
>>>>> am facing a problem regarding the CREATE_CHILD_SA for IKEV2 with
>>>>> Strongswan. I have connected two Strongswan back to back but not able
>>>>> to send CREATE_CHILD_SAs. Also, I sent CREATE_CHILD_SA but Strongswan
>>>>> is not responding properly. It replies with "No Proposal Chosen"; but
>>>>> proposals configured in the Strongswan should match. Not getting the
>>>>> reason. If you need the log files I can post it.
>>>>> Your help is highly appreciated.
>>>>>
>>>>> Thanks
>>>>> Tilak
>>>>>
>>>>> --
>>>>> tilak
>>
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
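The distinction Andreas draws above, as an added Python example that is not part of the thread or of strongSwan: encode and decode an IKEv2 Proposal substructure laid out like the quoted ESP proposal (RFC 4306 section 3.3, with the receiver checking the length fields before trusting them), then classify a CREATE_CHILD_SA request by which payloads accompany the proposal. The SPI bytes and the payload sets are constructed placeholders.

```python
import struct

# RFC 4306 section 3.3: Protocol IDs and Transform Types
PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3
PROTO_NAME = {PROTO_IKE: "IKE", PROTO_AH: "AH", PROTO_ESP: "ESP"}
TRANSFORM_TYPE = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}

def build_proposal(number, proto_id, spi, transforms):
    """Encode a Proposal substructure (3.3.1) with attribute-less Transforms (3.3.2)."""
    body = spi
    for k, (t_type, t_id) in enumerate(transforms):
        last = 0 if k == len(transforms) - 1 else 3   # 3 = more transforms follow
        body += struct.pack("!BBHBBH", last, 0, 8, t_type, 0, t_id)
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(body), number, proto_id,
                       len(spi), len(transforms)) + body

def parse_proposal(data):
    """Decode a Proposal substructure, checking length fields against the bytes present."""
    _last, _res, length, number, proto_id, spi_size, n_tr = struct.unpack("!BBHBBBB", data[:8])
    if length != len(data):
        raise ValueError(f"proposal length {length} != {len(data)} bytes received")
    spi, off, transforms = data[8:8 + spi_size], 8 + spi_size, []
    for _ in range(n_tr):
        _l, _r, t_len, t_type, _r2, t_id = struct.unpack("!BBHBBH", data[off:off + 8])
        transforms.append((TRANSFORM_TYPE.get(t_type, t_type), t_id))
        off += t_len                       # t_len > 8 would mean attributes follow
    if off != length:
        raise ValueError("transforms do not fill the proposal")
    return {"number": number, "protocol": PROTO_NAME.get(proto_id, proto_id),
            "spi": spi.hex(), "transforms": transforms}

def classify_create_child_sa(payloads, proposal):
    """Map a CREATE_CHILD_SA request's payload set onto the uses RFC 4306 allows."""
    has_ts = {"TSi", "TSr"} <= payloads
    if proposal["protocol"] == "IKE":                 # rekeying the IKE_SA itself
        if has_ts or "KEi" not in payloads:
            return "invalid: IKE_SA rekey needs KEi and carries no traffic selectors"
        return "IKE_SA rekey"
    if not has_ts:                                    # the case in the thread
        return "invalid: ESP/AH proposal without traffic selectors"
    return "CHILD_SA rekey" if "N(REKEY_SA)" in payloads else "new CHILD_SA"

# Constructed copy of the ESP proposal quoted in the thread: 3DES (ENCR 3),
# HMAC_SHA1_96 (INTEG 2), no ESN (ESN 0); the SPI bytes are a placeholder.
THREAD_PROPOSAL = build_proposal(1, PROTO_ESP, b"\x01\x02\x03\x04", [(1, 3), (3, 2), (5, 0)])
```

Running `classify_create_child_sa({"SA", "Ni"}, parse_proposal(THREAD_PROPOSAL))` reproduces the situation in the thread: an ESP proposal with neither traffic selectors nor a REKEY_SA notify fits none of the three exchanges, so a responder has nothing it can legitimately accept.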