Sorry, that should be removing 10.128.0.0/16, not /24. Also, there was a cut-and-paste error on the East file into my browser email window: my remote_ts=10.64.0.0/16,10.128.0.0/16, not /64.

> On January 25, 2022 at 10:07 AM VTwin Farriers <[email protected]> wrote:
>
> Thank you all for your responses.
>
> I have the same local_ts/remote_ts values on my East and Central
> swanctl.conf files. I would think this should work but for some reason I get
> the TS_UNACCEPTABLE error. Removing "10.128.0.0/24" from the swanctl.conf
> files on east and central will then work.
>
> swanctl.conf (East)
>
> connections {
>     eastcentral {
>         version=2
>         local_addrs=a.b.c.d
>         proposals=aes256-sha1-modp1024, default
>         local-0 {
>             auth = psk
>         }
>         remote-0 {
>             auth = psk
>         }
>         remote_addrs=w.x.y.z
>         children {
>             eastcentral {
>                 esp_proposals=aes256-sha1, default
>                 dpd_action=restart
>                 remote_ts=10.64.0.0/16,10.128.0.0/64
>                 local_ts=10.0.0.0/16
>             }
>         }
>     }
> }
>
> swanctl.conf (Central):
>
> connections {
>     centraleast {
>         version=2
>         local_addrs=w.x.y.z
>         proposals=aes256-sha1-modp1024, default
>         local-0 {
>             auth = psk
>         }
>         remote-0 {
>             auth = psk
>         }
>         remote_addrs=a.b.c.d
>         children {
>             centraleast {
>                 esp_proposals=aes256-sha1, default
>                 dpd_action=restart
>                 remote_ts=10.0.0.0/16
>                 local_ts=10.64.0.0/16,10.128.0.0/16
>             }
>         }
>     }
> }
>
> [root@EastRouter swanctl]# strongswan up eastcentral
> initiating IKE_SA eastcentral[1] to w.x.y.z
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from a.b.c.d[500] to w.x.y.z[500] (1204 bytes)
> received packet: from w.x.y.z[500] to a.b.c.d[500] (344 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> remote host is behind NAT
> no IDi configured, fall back on IP address
> authentication of 'a.b.c.d' (myself) with pre-shared key
> establishing CHILD_SA eastcentral{1}
> generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from a.b.c.d[4500] to w.x.y.z[4500] (668 bytes)
> received packet: from w.x.y.z[4500] to a.b.c.d[4500] (220 bytes)
> parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
> authentication of 'w.x.y.z' with pre-shared key successful
> IKE_SA eastcentral[1] established between a.b.c.d[a.b.c.d]...w.x.y.z[w.x.y.z]
> scheduling rekeying in 13393s
> maximum IKE_SA lifetime 14833s
> received TS_UNACCEPTABLE notify, no CHILD_SA built
> failed to establish CHILD_SA, keeping IKE_SA
> peer supports MOBIKE
> establishing connection 'eastcentral' failed
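
An added example, not part of the thread and not strongSwan code: a Python check that reads `local_ts`/`remote_ts` from two swanctl.conf child sections, rejects prefixes that are not valid networks, and reports where one peer's `local_ts` does not mirror the other's `remote_ts`. The function names are hypothetical, the input is the thread's pasted values embedded as constructed sample data, and it assumes plain CIDR selectors (no protocol/port suffix); it only compares the two files and does not diagnose the TS_UNACCEPTABLE reported above.

```python
import ipaddress
import re

# Constructed sample input: the child sections as pasted in the thread
# (East still carries the /64 paste error the poster mentions).
EAST = """
children {
  eastcentral {
    remote_ts=10.64.0.0/16,10.128.0.0/64
    local_ts=10.0.0.0/16
  }
}
"""
CENTRAL = """
children {
  centraleast {
    remote_ts=10.0.0.0/16
    local_ts=10.64.0.0/16,10.128.0.0/16
  }
}
"""

def parse_ts(conf, key):
    """Return (valid networks, invalid strings) for local_ts or remote_ts."""
    m = re.search(rf"^\s*{key}\s*=\s*(.+)$", conf, re.MULTILINE)
    good, bad = set(), []
    for item in (m.group(1).split(",") if m else []):
        item = item.strip()
        try:
            # strict=True also rejects host bits set below the prefix length
            good.add(ipaddress.ip_network(item, strict=True))
        except ValueError:
            bad.append(item)
    return good, bad

def compare_peers(a, b):
    """List the problems that keep peer A's and peer B's selectors from mirroring."""
    problems = []
    for mine, theirs in (("local_ts", "remote_ts"), ("remote_ts", "local_ts")):
        a_ok, a_bad = parse_ts(a, mine)
        b_ok, b_bad = parse_ts(b, theirs)
        problems += [f"invalid {mine} on A: {x}" for x in a_bad]
        problems += [f"invalid {theirs} on B: {x}" for x in b_bad]
        # Networks listed on one side only (symmetric difference)
        for net in sorted(a_ok ^ b_ok, key=str):
            problems.append(f"A {mine} / B {theirs} differ on {net}")
    return problems

if __name__ == "__main__":
    for p in compare_peers(EAST, CENTRAL):
        print(p)
```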
