Hi Michael,

I think the remote end wants Transport mode "N(USE_TRANSP)", and local says it is not supported. I suppose you are using Linux in local with the "kernel-netlink" module for strongswan (default), so I would check if module transport is enabled in your kernel.

Refer to this doc: https://docs.strongswan.org/docs/5.9/install/kernelModules.html

"IP: IPsec transport mode [CONFIG_INET_XFRM_MODE_TRANSPORT]" can usually be checked with the command in the doc:

    grep '\<CONFIG_INET_XFRM_MODE_TRANSPORT\>' /boot/config-`uname -r`

Also, if it is compiled as a module (m), try to load it manually; I think the module name is "xfrm4_mode_transport".

If it is not Linux, you must check that your local OS (or strongswan module, if not using kernel-netlink) properly supports Transport mode.

Regards,
Carlos Velasco

Michael Schwartzkopff wrote on 01/10/2022 at 15:48:

Hi,

I googled but I did not find a reasonable answer. We try to set up some specific strongswan-strongswan connection in transport mode. The log says:

NET received packet: from x.x.x.x[4500] to y.y.y.y[4500] (240 bytes)}
ENC parsed CREATE_CHILD_SA request 7 [ N(USE_TRANSP) SA No KE TSi TSr ]}
CFG selected proposal: ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ}
ESP IPsec SA: unsupported mode}
ESP failed to create SAD entry}
ESP IPsec SA: unsupported mode}
ESP failed to create SAD entry}
IKE unable to install inbound and outbound IPsec SA (SAD) in kernel}
IKE failed to establish CHILD_SA, keeping IKE_SA}
ENC generating CREATE_CHILD_SA response 7 [ N(NO_PROP) ]}

What exactly does "IPsec SA: unsupported mode" mean? unsupported mode "transport"? Or unsupported cipher algorithms? Or anything else went wrong?

Kind regards,
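
The kernel check suggested in the reply above, written out as a script. This is an added example, not part of the original thread and not strongSwan code; the function names `kconfig_state` and `check_transport_mode` are hypothetical, and the module name is the one the reply suggests. Calling `check_transport_mode` with no arguments inspects the running kernel.

```shell
#!/bin/sh
# Added example: classify the IPsec transport-mode kernel option and, when it
# is built as a module, check whether that module is currently loaded.

# kconfig_state SYMBOL CONFIG_FILE
# Prints one of: builtin | module | disabled | absent | unreadable
kconfig_state() {
    sym=$1; cfg=$2
    [ -r "$cfg" ] || { echo unreadable; return 2; }
    if grep -q "^${sym}=y\$" "$cfg"; then
        echo builtin
    elif grep -q "^${sym}=m\$" "$cfg"; then
        echo module
    elif grep -q "^# ${sym} is not set\$" "$cfg"; then
        echo disabled
    else
        # The symbol does not appear at all; the file alone cannot say why.
        echo absent
    fi
}

# check_transport_mode [CONFIG_FILE] [MODULE_LIST]
# Defaults: the running kernel's config and /proc/modules.
check_transport_mode() {
    cfg=${1:-/boot/config-$(uname -r)}
    mods=${2:-/proc/modules}
    state=$(kconfig_state CONFIG_INET_XFRM_MODE_TRANSPORT "$cfg") || :
    case $state in
        builtin)
            echo "transport mode compiled into the kernel" ;;
        module)
            # Module name as suggested in the reply (not verified here).
            if grep -q '^xfrm4_mode_transport ' "$mods" 2>/dev/null; then
                echo "transport mode module loaded"
            else
                echo "transport mode module not loaded; try: modprobe xfrm4_mode_transport"
            fi ;;
        disabled)
            echo "transport mode disabled in kernel config" ;;
        *)
            echo "CONFIG_INET_XFRM_MODE_TRANSPORT $state in $cfg" ;;
    esac
}
```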
