https://lists.strongswan.org/pipermail/users/2018-January/012131.html
On 30.01.2018 11:09, Sujoy wrote:
> Hi Noel/Team,
>
> I need help to resolve the following issue with tunneling. The connection is
> established but tunneling fails.
>
>
> root@Device_BD2009:~# ipsec statusall
> no files found matching '/etc/strongswan.d/*.conf'
> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>   uptime: 5 hours, since Jan 30 12:40:15 2018
>   malloc: sbrk 184320, mmap 0, used 161168, free 23152
>   worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 4
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-libipsec kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
> Listening IP addresses:
>   192.168.20.100
>   192.168.10.1
>   fde6:8bab:cfa4::1
> Connections:
>       tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
>       tunnel:   local:  uses pre-shared key authentication
>       tunnel:   remote: [192.168.10.38] uses pre-shared key authentication
>       tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
>       tunnel[3]: ESTABLISHED 48 seconds ago, 192.168.10.1[192.168.10.1]...192.168.10.38[192.168.10.38]
>       tunnel[3]: IKEv2 SPIs: 60459905871e3dee_i* 36a77bd6f87a1841_r, pre-shared key reauthentication in 38 minutes
>       tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> root@Device_BD2009:~#
>
> root@Device_BD2009:~# ipsec up tunnel
> no files found matching '/etc/strongswan.d/*.conf'
> establishing CHILD_SA tunnel
> generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
> sending packet: from 192.168.10.1[4500] to 192.168.10.38[4500] (188 bytes)
> received packet: from 192.168.10.38[4500] to 192.168.10.1[4500] (188 bytes)
> parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
> failed to create ESP context: unsupported integrity algorithm UNDEFINED
> failed to create SAD entry
> failed to create ESP context: unsupported integrity algorithm UNDEFINED
> failed to create SAD entry
> unable to install inbound and outbound IPsec SA (SAD) in kernel
> failed to establish CHILD_SA, keeping IKE_SA
> sending DELETE for ESP CHILD_SA with SPI c9c86396
> generating INFORMATIONAL request 4 [ D ]
> sending packet: from 192.168.10.1[4500] to 192.168.10.38[4500] (76 bytes)
> received packet: from 192.168.10.38[4500] to 192.168.10.1[4500] (76 bytes)
> parsed INFORMATIONAL response 4 [ D ]
> establishing connection 'tunnel' failed
> root@Device_BD2009:~#
>
>
> Thanks & Regards
> Sujoy
>
> On Tuesday 16 January 2018 11:23 PM, Noel Kuntze wrote:
>> Hi,
>>
>> Check the logs of the remote side.
>> It means the remote peer did not like the proposed traffic selector. It was
>> probably outside of the network range that its own configuration allows,
>> meaning narrowing failed.
>>
>> Kind regards
>>
>> Noel
>>
>>
>> On 16.01.2018 07:25, Sujoy wrote:
>>> Hi Noel,
>>>
>>> The same strongSwan 5.3.3 configuration is working from my VM (client) to a
>>> desktop server, but it is not working from my OpenWRT to a NATed Linux server
>>> with a global IP. Can you help me to solve this?
>>>
>>> What does "received TS_UNACCEPTABLE notify, no CHILD_SA built" mean?
>>>
>>> Server config file:
>>>
>>>
>>>
>>>
>>> Thanks & Regards
>>>
>>> Sujoy
>>>
>>> On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:
>>>> Hi,
>>>>
>>>> Only on the responder.
>>>> If you use dpd and enforce UDP encapsulation, you do not need to open any
>>>> ports on the initiator side.
>>>> Refer to the UsableExamples wiki page[1] for example configurations that
>>>> are usable in the real world.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
>>>>
>>>> On 28.12.2017 08:51, Sujoy wrote:
>>>>> Hi All,
>>>>>
>>>>>
>>>>> We want to implement strongSwan with IPsec in OpenWRT. The IPsec server will
>>>>> be running on CentOS and the OpenWRT router will connect to it using VPN.
>>>>> I have configured the server part, but am struggling to configure the client
>>>>> part. Do we need to open port 4500 for this first?
>>>>>
>>>>> Can anyone suggest a solution for this?
>
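The TS_UNACCEPTABLE behaviour Noel describes in the thread (the responder narrows the initiator's traffic selectors down to what its own configuration allows, and rejects the CHILD_SA when nothing is left, RFC 7296 section 2.9) as an added worked example. This is not code from the strongSwan project or from anyone in this thread. It models only CIDR address ranges (no ports or protocols), takes the client's child selector "dynamic === 192.168.10.0/24" and IKE address 192.168.10.1 from the status output above, and checks them against two constructed server configurations, because the thread does not show the real server config file. The function names parse_subnets, narrow, responder_select and check_against are this example's own.

```python
#!/usr/bin/env python3
"""IKEv2 traffic-selector narrowing as a responder performs it (RFC 7296, 2.9).

Added example, not strongSwan code. The responder intersects the initiator's
TSi/TSr with the subnets its own connection allows; if either intersection is
empty it answers with a TS_UNACCEPTABLE notify and no CHILD_SA is built.
Only CIDR address ranges are modelled, not ports or protocols.
"""
import ipaddress
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_subnets(spec: str, dynamic_addr: Optional[str] = None) -> List[Net]:
    """Parse a strongSwan-style subnet list such as "192.168.10.0/24,10.0.0.0/8".

    The keyword "dynamic" stands for the peer's own IKE address, as in the
    thread's "child: dynamic === 192.168.10.0/24"; dynamic_addr supplies it
    (assumption: it becomes a single host route, /32 or /128).
    """
    nets: List[Net] = []
    for item in spec.split(","):
        item = item.strip()
        if item == "dynamic":
            if dynamic_addr is None:
                raise ValueError("'dynamic' needs the peer's IKE address")
            item = dynamic_addr
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def narrow(proposed: List[Net], allowed: List[Net]) -> List[Net]:
    """Intersect two lists of CIDR blocks.

    Two CIDR blocks either nest or are disjoint, so each pair contributes the
    smaller block when one contains the other and nothing otherwise.
    """
    out = set()
    for p in proposed:
        for a in allowed:
            if p.version != a.version:
                continue
            if p.subnet_of(a):
                out.add(p)
            elif a.subnet_of(p):
                out.add(a)
    return sorted(out, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def responder_select(init_tsi: List[Net], init_tsr: List[Net],
                     resp_local: List[Net], resp_remote: List[Net]
                     ) -> Tuple[str, List[Net], List[Net]]:
    """Decide the responder's answer to CREATE_CHILD_SA [ SA No TSi TSr ].

    init_tsi    initiator's own side (the client's leftsubnet)
    init_tsr    what the initiator wants behind the responder (client's rightsubnet)
    resp_local  responder's leftsubnet, which must cover TSr
    resp_remote responder's rightsubnet, which must cover TSi
    """
    tsi = narrow(init_tsi, resp_remote)
    tsr = narrow(init_tsr, resp_local)
    if not tsi or not tsr:
        return "TS_UNACCEPTABLE", [], []
    return "OK", tsi, tsr


# Client side, read from the thread's "ipsec statusall" output.
CLIENT_ADDR = "192.168.10.1"
CLIENT_TSI = parse_subnets("dynamic", CLIENT_ADDR)
CLIENT_TSR = parse_subnets("192.168.10.0/24", CLIENT_ADDR)

# Two constructed server configurations; the real one is not shown in the thread.
SERVER_OK = {"leftsubnet": "192.168.10.0/24", "rightsubnet": "0.0.0.0/0"}
SERVER_BAD = {"leftsubnet": "10.8.0.0/24", "rightsubnet": "0.0.0.0/0"}


def check_against(server: dict) -> Tuple[str, List[str], List[str]]:
    """Run the client's proposal against one server config, returning strings."""
    verdict, tsi, tsr = responder_select(
        CLIENT_TSI, CLIENT_TSR,
        parse_subnets(server["leftsubnet"]),
        parse_subnets(server["rightsubnet"]),
    )
    return verdict, [str(n) for n in tsi], [str(n) for n in tsr]


if __name__ == "__main__":
    for name, cfg in (("accepting server", SERVER_OK), ("mismatched server", SERVER_BAD)):
        print(name, check_against(cfg))
```

Against the first constructed server the proposal is accepted with TSi narrowed to the client's single address and TSr left as the whole /24; against the second it yields TS_UNACCEPTABLE because that server's leftsubnet does not overlap the subnet the client asked for, which is why Noel points at the responder's logs. The later failure in the thread ("unsupported integrity algorithm UNDEFINED") happens after the selectors were already agreed, at the point where the negotiated ESP SA is installed, and is not modelled here.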