On 25.01.22 03:13, VTwin Farriers wrote:
If I try to add 10.128.0.0/16 to the configuration for East <=> Central, I get:

received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA

when I attempt to bring up the connection.

This seems to be related to the fact that there is no interface or route on Central which
is on the 10.128.0.0 subnet; 10.128.0.0/16 traffic is passed to West via the
West<=>Central ipsec link.

swanctl.conf:

connections {
    EastCentral {
        version = 2
        local_addrs = a.b.c.d
        proposals = aes256-sha1-modp1024, default
        local-0 {
            auth = psk
        }
        remote-0 {
            auth = psk
        }
        remote_addrs = w.x.y.z
        children {
            EastCentral {
                esp_proposals = aes256-sha1, default
                dpd_action = restart
                local_ts = 10.0.0.0/16
                remote_ts = 10.64.0.0/16,10.128.0.0/16
            }
        }
    }
}
secrets {
    ike-w.x.y.za.b.c.d {
        secret = "SantizedForYourProtection"
        id-1 = w.x.y.z
        id-0 = a.b.c.d
    }
}


Do you have the 10.128.0.0/16 configured on the central gateway as a local_ts for the connection to east?


Kind regards,

--

[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: München, District Court of München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
