Hi,

In the following particular scenario:

PC 1 (Initiator)
    ike=aes128-sha256-modp2048
    esp=aes128-sha256-modp2048
    leftsourceip=%cfg
    rightsubnet=0.0.0.0/0
    left=50.50.50.2
    right=10.10.10.2

PC2 (Responder)
    ike=aes128-sha256-modp2048
    esp=aes128-sha1-modp2048
    rightsourceip=10.3.4.10/24
    leftsubnet=102.2.3.10/32,102.2.3.11/32,102.2.3.12/32
    left=10.10.10.2
    right=50.50.50.2

When I triggered an SA, only the IKE SA was established, which is correct, as a Phase 2 proposal mismatch occurred. But when I corrected the esp proposal on PC2, ran ipsec update on PC2, and again triggered the SA from PC1, the IKE SA was not destroyed, so a CREATE_CHILD was seen, but a TS mismatch occurred, which is unexpected.

LOGS AT INITIATOR

    selecting Traffic selector for us 0.0.0.0/0
    selecting Traffic selector for other 0.0.0.0/0....
    parsed Create_child () TS_MISMATCH...

Now at PC 1 I changed leftsourceip=%cfg,%cfg and ran update, so that the IKE SA is still intact, and triggered the SA again. This time it formed with 10.3.4.11/32,10.3.4.12/32====102.2.3.10/32,102.2.3.11/32,102.2.3.12/32

Please, if anyone can explain this behaviour: I think the config payload should have been responded to and the virtual IP should have been allocated the very first time.

--
Regards
Mohit
