Hi,

Is it possible to configure strongSwan to send a NOTIFY message in 
response to any message? If possible, what is the command?

Thanks
Tilak




On Mon, 18 May 2009 15:56:36 +0530  wrote
>Tilak Adhya wrote:
>> 
>> Hi Andreas,
>> 
>> Thanks for your help. Here is the consistent debug information.
>> 
>> You are saying that I need to send Traffic Selectors (TS) with the
>> CREATE_CHILD_SA request. But in the RFC 4306, it is clearly written
>> that TS are optional in the request-response for CREATE_CHILD_SA. It's
>> confusing to me. Could you please explain a little bit more on this and
>> why I am getting no proposal chosen from the strongSwan.
>>
>RFC 4306 says the following:
>
>Traffic selectors are omitted if this CREATE_CHILD_SA request is being
>used to change the key of the IKE_SA.
>
>But looking at your CREATE_CHILD_SA request, you don't initiate any
>rekeying (which requires a notify payload), but you just propose
>
>IKEV2: ---- IKEV2 Proposal Payload ----
>IKEV2:
>IKEV2: Next Payload             = Payload NONE
>IKEV2: RESERVED                 = 0
>IKEV2: Payload Length           = 36 bytes
>IKEV2: Proposal Number          = 1
>IKEV2: Protocol-Id              = 3 (ESP)
>IKEV2: SPI Size                 = 4
>IKEV2: Number of Transforms     = 3
>IKEV2: --- Security Parameter Index [4 bytes] ---
>IKEV2:  46 D2 13 FF                                       F...
>IKEV2: --- Security Parameter Index End ---
>IKEV2:
>IKEV2: ---- IKEV2 Transform Payload ----
>IKEV2:
>IKEV2: Next Payload             = Transform Payload
>IKEV2: RESERVED                 = 0
>IKEV2: Payload Length           = 8 bytes
>IKEV2: Transform Type           = 1 ( Encryption Algorithm Transform)
>IKEV2: RESERVED                 = 0
>IKEV2: Transform-Id             = 3 (  3DES Encryption Algorithm)
>IKEV2:
>IKEV2: ---- End IKEV2 Transform Payload ----
>IKEV2:
>
>IKEV2: ---- IKEV2 Transform Payload ----
>IKEV2:
>IKEV2: Next Payload             = Transform Payload
>IKEV2: RESERVED                 = 0
>IKEV2: Payload Length           = 8 bytes
>IKEV2: Transform Type           = 3 ( Integrity Algorithm Transform)
>IKEV2: RESERVED                 = 0
>IKEV2: Transform-Id             = 2 ( HMAC_SHA1_96 integrity Algorithm)
>IKEV2:
>IKEV2: ---- End IKEV2 Transform Payload ----
>IKEV2:
>
>IKEV2: ---- IKEV2 Transform Payload ----
>IKEV2:
>IKEV2: Next Payload             = Payload NONE
>IKEV2: RESERVED                 = 0
>IKEV2: Payload Length           = 8 bytes
>IKEV2: Transform Type           = 5 ( ESN Transform)
>IKEV2: RESERVED                 = 0
>IKEV2: Transform-Id             = 0 ( No extended Sequence numbers)
>IKEV2:
>IKEV2: ---- End IKEV2 Transform Payload ----
>IKEV2:
>IKEV2: ---- End IKEV2 Proposal Payload ----
>
>which is the same ESP cipher suite as in the IKE_AUTH proposal but
>without any traffic selectors. So I don't know what you want to
>achieve with this CREATE_CHILD_SA request.
>
>Regards
>
>Andreas
>
>> Thanks
>> Tilak
>> 
>> 
>> On Mon, 18 May 2009 14:28:56 +0530 wrote
>>>Hi Tilak,
>>>
>>>first a few comments on your ipsec.conf file:
>>>
>>>>config setup
>>>>   interfaces="ipsec0=eth0"
>>>
>>>The interfaces options is for the FreeS/WAN KLIPS
>>>IPsec stack and is completely obsolete
>>>
>>>>   klipsdebug=all
>>>>   plutodebug=all
>>>
>>>These debug options are for the IKEv1 pluto daemon
>>>and not relevant for debugging IKEv2. Rather choose
>>>
>>>        plutostart=no
>>>
>>>to disable pluto.
>>>
>>>conn jay1
>>>   ...
>>>     auth=ah
>>>
>>>strongSwan's IKEv2 charon daemon does not support the AH protocol [yet].
>>>
>>>Your connection definitions are very confusing.
>>>In ipsec.conf you define
>>>
>>>>conn jay1
>>>>   left=10.1.1.42
>>>>   right=10.1.1.10
>>>>   rightsubnet=10.1.2.42/32
>>>
>>>>conn jay2
>>>>   left=10.1.1.10
>>>>   right=10.1.1.42
>>>>   rightsubnet=10.1.2.10/32
>>>
>>>whereas in your ANVL application you define:
>>>
>>>IKE_SA_INIT request:
>>>IP: Source Address         = 10.1.1.20
>>>IP: Destination Address    = 10.1.1.42
>>>
>>>IKE_SA_INIT response:
>>>IP: Source Address         = 10.1.1.42
>>>IP: Destination Address    = 10.1.1.20
>>>
>>>IKE_AUTH request:
>>>IP: Source Address         = 10.1.1.20
>>>IP: Destination Address    = 10.1.1.42
>>>
>>>IKEV2: ----- IKEV2 Traffic Selector Data ----
>>>IKEV2: TS Type                   =  7 ( IPV4 Addr Range)
>>>IKEV2: IP Protocol ID            =  0
>>>IKEV2: Selector Length           =  16
>>>IKEV2: Start Port                = 0
>>>IKEV2: End Port                  = 65535
>>>IKEV2: IPV4 Start Address       = 10.1.1.20
>>>IKEV2: IPV4 End Address         = 10.1.1.20
>>>
>>>IKEV2: ----- IKEV2 Traffic Selector Data ----
>>>IKEV2: TS Type                   =  7 ( IPV4 Addr Range)
>>>IKEV2: IP Protocol ID            =  0
>>>IKEV2: Selector Length           =  16
>>>IKEV2: Start Port                = 0
>>>IKEV2: End Port                  = 65535
>>>IKEV2: IPV4 Start Address       = 10.1.1.0
>>>IKEV2: IPV4 End Address         = 10.1.1.255
>>>
>>>Translated to an ipsec.conf file for the strongSwan peer:
>>>
>>>left=10.1.1.42
>>>leftsubnet=10.1.1.0/24
>>>right=10.1.1.20
>>>
>>>which does not match either jay1 or jay2. But nevertheless
>>>the request seems successful:
>>>
>>>IKE_AUTH response:
>>>IP: Source Address         = 10.1.1.42
>>>IP: Destination Address    = 10.1.1.20
>>>
>>>IKEV2: ----- IKEV2 Traffic Selector Data ----
>>>IKEV2: TS Type                   =  7 ( IPV4 Addr Range)
>>>IKEV2: IP Protocol ID            =  0
>>>IKEV2: Selector Length           =  16
>>>IKEV2: Start Port                = 0
>>>IKEV2: End Port                  = 65535
>>>IKEV2: IPV4 Start Address       = 10.1.1.20
>>>IKEV2: IPV4 End Address         = 10.1.1.20
>>>
>>>IKEV2: ----- IKEV2 Traffic Selector Data ----
>>>IKEV2: TS Type                   =  7 ( IPV4 Addr Range)
>>>IKEV2: IP Protocol ID            =  0
>>>IKEV2: Selector Length           =  16
>>>IKEV2: Start Port                = 0
>>>IKEV2: End Port                  = 65535
>>>IKEV2: IPV4 Start Address       = 10.1.1.42
>>>IKEV2: IPV4 End Address         = 10.1.1.42
>>>
>>>This translates to
>>>
>>>left=10.1.1.42
>>>right=10.1.1.20
>>>
>>>so that traffic selector narrowing takes place.
>>>
>>>CREATE_CHILD_SA request:
>>>IP: Source Address         = 10.1.1.20
>>>IP: Destination Address    = 10.1.1.42
>>>
>>>In this CREATE_CHILD_SA message you don't request any
>>>additional traffic selectors. Therefore don't be surprised
>>>to receive a NO_PROPOSAL_CHOSEN as a response!
>>>
>>>If you want us to help you, please provide consistent debugging
>>>information and as Daniel Mentz correctly mentioned, add a
>>>log from the strongSwan side!!!
>>>
>>>Regards
>>>
>>>Andreas
>>>
>>>Tilak Adhya wrote:
>>>> Hi Andreas,
>>>>
>>>> !.5.txt is the log file we are sending to the Strongswan. Strongswan
>>>> has the ip 10.1.1.42.
>>>> And the corresponding configuration file is also attached with this
>>>> mail.
>>>> Waiting for valuable comments.
>>>>
>>>> Thanks in advance...
>>>> Tilak
>>>>
>>>>
>>>> On Mon, 18 May 2009 11:50:29 +0530 wrote
>>>>>Hi Tilak,
>>>>>
>>>>>without any log and configuration information we cannot possibly
>>>>>help you.
>>>>>
>>>>>Regards
>>>>>
>>>>>Andreas
>>>>>
>>>>>Tilak Adhya wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am new to this list and using Strongswan for the last 2 months... I
>>>>>> am facing a problem regarding the CREATE_CHILD_SA for IKEV2 with
>>>>>> Strongswan. I have connected two Strongswan back to back but not able
>>>>>> to send CREATE_CHILD_SAs. Also, I sent CREATE_CHILD_SA but Strongswan
>>>>>> is not responding properly. It replies with "No Proposal Chosen"; but
>>>>>> proposals configured in the Strongswan should match. Not getting the
>>>>>> reason. If you need the log files I can post it.
>>>>>> Your help is highly appreciated.
>>>>>>
>>>>>> Thanks
>>>>>> Tilak
>>>>>>
>>>>>> *--
>>>>>> tilak
>>>
>
>======================================================================
>Andreas Steffen                         andreas.stef...@strongswan.org
>strongSwan - the Linux VPN Solution!                www.strongswan.org
>Institute for Internet Technologies and Applications
>University of Applied Sciences Rapperswil
>CH-8640 Rapperswil (Switzerland)
>===========================================================[ITA-HSR]==
>

*--
tilak
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
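As an added illustration of Andreas's point (this is example code, not strongSwan's or the poster's), the check below classifies a decoded CREATE_CHILD_SA request by the payloads it carries, following the exchange shapes of RFC 4306: an IKE_SA rekey omits traffic selectors, while a new or rekeyed CHILD_SA must carry TSi and TSr. The `CreateChildSaRequest` structure, the field names and the reject strings are assumptions made for this example; the sample request reproduces the thread's case (an ESP proposal, no REKEY_SA notify, no traffic selectors).

```python
# Added example, not strongSwan code: decide what a CREATE_CHILD_SA request
# can legitimately be, based on which payloads it carries (RFC 4306, 1.3).
# The request structure and field names are assumptions for illustration.
from dataclasses import dataclass, field

PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3   # RFC 4306 Protocol-Id values

@dataclass
class CreateChildSaRequest:
    sa_protocol: int                 # Protocol-Id of the proposal payload
    has_nonce: bool = True           # Ni present
    has_ke: bool = False             # KEi present (mandatory for IKE_SA rekey)
    has_tsi: bool = False            # TSi present
    has_tsr: bool = False            # TSr present
    notifies: set = field(default_factory=set)   # e.g. {"REKEY_SA"}

def classify(req: CreateChildSaRequest,
             supported={PROTO_ESP}) -> str:   # per the thread, charon had no AH
    """Return the exchange the request can be, or a reject reason."""
    if not req.has_nonce:
        return "reject: INVALID_SYNTAX (nonce missing)"
    if req.sa_protocol == PROTO_IKE:
        # IKE_SA rekey: SA(IKE) + Ni + KEi and no traffic selectors at all.
        if not req.has_ke:
            return "reject: INVALID_SYNTAX (IKE_SA rekey needs KEi)"
        if req.has_tsi or req.has_tsr:
            return "reject: INVALID_SYNTAX (TS not allowed for IKE_SA rekey)"
        return "rekey IKE_SA"
    if req.sa_protocol not in supported:
        return "reject: NO_PROPOSAL_CHOSEN (protocol not supported)"
    if not (req.has_tsi and req.has_tsr):
        # The thread's case: ESP proposal, no REKEY_SA notify, no TSi/TSr.
        return "reject: NO_PROPOSAL_CHOSEN (child SA without traffic selectors)"
    if "REKEY_SA" in req.notifies:
        return "rekey CHILD_SA"
    return "create CHILD_SA"

# Constructed sample matching the proposal quoted above: ESP, no TS, no notify.
TILAKS_REQUEST = CreateChildSaRequest(sa_protocol=PROTO_ESP)

if __name__ == "__main__":
    print(classify(TILAKS_REQUEST))
```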
