I am trying to track down a connection issue and I tracked it down to an "inacceptable" traffic selector error on a transport connection with auto=route. What is very strange is that I can bring the connection up manually using the "ipsec up" command and the connection is established.
I am really stumped on this one... I am using 5.1.0 in transport mode with the following config.

    # basic configuration
    config setup
        strictcrlpolicy=no
        uniqueids = no

Here are my connection defaults:

    # Default connection attributes for ipsec.conf
    #
    conn %default
        authby=secret
        mobike=no
        closeaction=none
        dpdaction=clear
        dpddelay=30s
        dpdtimeout=150s
        inactivity=30m
        ikelifetime=3h
        keyexchange=ikev2
        keyingtries=3
        lifetime=1h
        reauth=yes
        rekey=yes
        margintime=9m
        esp=aes256!
        ike=aes256-sha384-prfsha384-ecp384!
        forceencaps=yes
        type=transport
        auto=route

Here is the connection in question:

    conn 4.6.3000.10-98-108-194.0
        left=%any
        leftid=a27
        leftprotoport=6/3000
        rightid=a26
        right=10.98.108.194
        rightprotoport=6/%any

I should note there are other connections in transport mode to this server on port 80 and 3306 and they are connected without issue.

    2013-08-30T17:22:03-0700 01[MGR] checkout IKE_SA
    2013-08-30T17:22:03-0700 01[MGR] IKE_SA 4.17.0.10-98-108-199.11211[6] successfully checked out
    2013-08-30T17:22:03-0700 01[KNL] querying policy 10.98.108.199/32[tcp/11211] === 10.98.108.195/32[tcp] in (mark 0/0x00000000)
    2013-08-30T17:22:03-0700 01[MGR] checkin IKE_SA 4.17.0.10-98-108-199.11211[6]
    2013-08-30T17:22:03-0700 01[MGR] check-in of IKE_SA successful.
    2013-08-30T17:22:03-0700 09[NET] received packet: from 10.98.108.194[4500] to 10.98.108.195[4500]
    2013-08-30T17:22:03-0700 09[NET] waiting for data on sockets
    2013-08-30T17:22:03-0700 16[MGR] checkout IKE_SA by message
    2013-08-30T17:22:03-0700 16[MGR] IKE_SA 4.6.80.10-98-108-194.0[5] successfully checked out
    2013-08-30T17:22:03-0700 16[NET] received packet: from 10.98.108.194[4500] to 10.98.108.195[4500] (248 bytes)
    2013-08-30T17:22:03-0700 16[ENC] parsed CREATE_CHILD_SA request 99 [ N(USE_TRANSP) SA No TSi TSr ]
    2013-08-30T17:22:03-0700 16[CFG] looking for a child config for 10.98.108.195/32[tcp/3000] === 10.98.108.194/32[tcp]
    2013-08-30T17:22:03-0700 16[CFG] looking for a child config for 10.98.108.195/32[tcp/3000] === 10.98.108.194/32[tcp]
    2013-08-30T17:22:03-0700 16[IKE] traffic selectors 10.98.108.195/32[tcp/3000] === 10.98.108.194/32[tcp] inacceptable
    2013-08-30T17:22:03-0700 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
    2013-08-30T17:22:03-0700 16[ENC] generating CREATE_CHILD_SA response 99 [ N(TS_UNACCEPT) ]
    2013-08-30T17:22:03-0700 16[NET] sending packet: from 10.98.108.195[4500] to 10.98.108.194[4500] (88 bytes)
    2013-08-30T17:22:03-0700 06[NET] sending packet: from 10.98.108.195[4500] to 10.98.108.194[4500]
    2013-08-30T17:22:03-0700 16[MGR] checkin IKE_SA 4.6.80.10-98-108-194.0[5]
    2013-08-30T17:22:03-0700 16[MGR] check-in of IKE_SA successful.
Any suggestions as to why the connection will not come up by itself? Regards, Dan Cook
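Added example, not part of Dan's post and not strongSwan's own code: a simplified Python model of IKEv2 traffic-selector narrowing (RFC 7296, section 2.9) that checks whether the TSi/TSr pair the peer proposed in the log above can be narrowed to what a conn's left/rightprotoport settings would offer, so a TS_UNACCEPTABLE can be reproduced on paper before touching the config. It assumes single-host selectors and one port range per TS; the `6/80` protoport for the port-80 conn is an assumption taken from the conn naming in the log, not something the post shows.

```python
"""Simplified IKEv2 traffic-selector narrowing (RFC 7296 sec. 2.9).

Constructed example: single-host selectors, one protocol and one port
range per selector. Not strongSwan's implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class TS:
    net: str        # CIDR, e.g. "10.98.108.195/32"
    proto: int      # IP protocol number, 0 = any
    ports: tuple    # (lo, hi) port range; (0, 65535) = any

def protoport_to_ts(addr: str, protoport: str) -> TS:
    """Build a TS from an address and an ipsec.conf protoport value
    such as "6/3000" (tcp/3000) or "6/%any" (tcp, any port)."""
    proto_s, _, port_s = protoport.partition("/")
    ports = (0, 65535) if port_s in ("", "%any") else (int(port_s), int(port_s))
    return TS(addr, int(proto_s), ports)

def narrow(a: TS, b: TS) -> Optional[TS]:
    """Intersect two selectors; None means no overlap (TS_UNACCEPTABLE)."""
    na, nb = ip_network(a.net), ip_network(b.net)
    if not (na.subnet_of(nb) or nb.subnet_of(na)):
        return None
    if a.proto and b.proto and a.proto != b.proto:
        return None
    lo, hi = max(a.ports[0], b.ports[0]), min(a.ports[1], b.ports[1])
    if lo > hi:
        return None
    net = na if na.subnet_of(nb) else nb
    return TS(str(net), a.proto or b.proto, (lo, hi))

def child_acceptable(conn_local: TS, conn_remote: TS, tsi: TS, tsr: TS):
    """Responder view: TSi is the initiator's (remote) selector, TSr ours.
    Returns the narrowed (local, remote) pair, or None if either is empty."""
    local, remote = narrow(conn_local, tsr), narrow(conn_remote, tsi)
    return (local, remote) if local and remote else None

# Constructed from the log: the proposal as responder 10.98.108.195 printed it,
# "10.98.108.195/32[tcp/3000] === 10.98.108.194/32[tcp]" (local === remote).
PEER_TSI = TS("10.98.108.194/32", 6, (0, 65535))    # initiator, tcp, any port
PEER_TSR = TS("10.98.108.195/32", 6, (3000, 3000))  # responder, tcp/3000

def check_conn(leftprotoport: str, rightprotoport: str):
    """Would a conn with these protoport settings accept the proposal above?"""
    local = protoport_to_ts("10.98.108.195/32", leftprotoport)
    remote = protoport_to_ts("10.98.108.194/32", rightprotoport)
    return child_acceptable(local, remote, PEER_TSI, PEER_TSR)
```

Running `check_conn("6/3000", "6/%any")` yields a narrowed pair, while `check_conn("6/80", "6/%any")` yields None, which is the selector mismatch that produces a TS_UNACCEPT response.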
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users