<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 10.00.9200.17148"></HEAD>
<BODY style="FONT: 10pt Segoe UI; MARGIN: 4px 4px 1px">
<DIV>Hi Martin,</DIV>
<DIV> </DIV>
<DIV>Thanks very much for getting back to me. I took your advice and set up individual CHILD_SAs. Everything is working well since.</DIV>
<DIV> </DIV>
<DIV>I'll try my previous configuration once strongswan5.3.0 is available and see whether that changes anything just out of interest. However, I'm very happy with the current solution.</DIV>
<DIV> </DIV>
<DIV>Thanks again for your help,</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Tormod<BR><BR>>>> Martin Willi <martin@strongswan.org> 10/03/2015 13:49 >>><BR>Hi,<BR><BR>Sorry for my previous mail, this time with some content:<BR><BR>> I have only started running into this since we started using more than<BR>> one subnet in the left side of the connection.<BR><BR>> leftsubnet=10.176.0.0/13,10.130.0.0/16<BR>> rightsubnet=192.168.0.0/16<BR><BR>> Iona-VPN-FW[1]: IKEv2 SPIs: 550d0c34bc66ce4e_i* da285a283fb7a4d1_r, rekeying in 23 hours<BR>> Iona-VPN-FW{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: ccb6a085_i ad93852a_o<BR>> Iona-VPN-FW{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 360 bytes_o (9 pkts, 2965s ago), rekeying in 33 seconds<BR>> Iona-VPN-FW{1}: 10.176.0.0/13 === 192.168.0.0/16<BR>> Iona-VPN-FW{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: c01ce92f_i 0a7d4641_o<BR>> Iona-VPN-FW{2}: AES_CBC_128/HMAC_SHA1_96, 2479 bytes_i (17 pkts, 3272s ago), 4873 bytes_o (15 pkts, 3272s ago), rekeying in 2 seconds<BR>> Iona-VPN-FW{2}: 10.130.0.0/16 === 192.168.0.0/16<BR><BR>Actually, what you have configured and what got negotiated doesn't<BR>really match. If you have multiple subnets in a connection, these should<BR>get negotiated in a single CHILD_SA. However, you have multiple<BR>CHILD_SAs, most likely because your peer prefers to negotiate that.<BR><BR>You may try to configure separate CHILD_SAs for your subnets. With<BR>ipsec.conf, you'll have to define separate "conn" entries with the same<BR>base settings, but different subnet configurations. charon automatically<BR>merges such configurations to negotiate them under the same IKE_SA.<BR><BR>> Mar 4 16:58:14 ip-10-180-0-12 charon: 16[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]<BR>> Mar 4 16:58:14 ip-10-180-0-12 charon: 16[NET] sending packet: from 10.180.0.12[4500] to 2.2.2.2[4500] (332 bytes)<BR>> Mar 4 16:58:14 ip-10-180-0-12 charon: 09[NET] received packet: from 2.2.2.2[4500] to 10.180.0.12[4500] (236 bytes)<BR>> Mar 4 16:58:14 ip-10-180-0-12 charon: 09[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]<BR>> Mar 4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 10.176.0.0/13 === 192.168.0.0/16 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists<BR>> Mar 4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists<BR>> Mar 4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 fwd (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists<BR>> Mar 4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 10.176.0.0/13 === 192.168.0.0/16 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists<BR>> Mar 4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists<BR>> Mar 4 16:58:14 ip-10-180-0-12 charon: 09[CFG] unable to install policy 192.168.0.0/16 === 10.176.0.0/13 fwd (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists<BR>> Mar 4 16:58:14 ip-10-180-0-12 charon: 09[IKE] unable to install IPsec policies (SPD) in kernel<BR>> Mar 4 16:58:14 ip-10-180-0-12 charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA<BR><BR>Because of this mismatch between configuration and negotiated SAs, it<BR>seems that when rekeying the selectors negotiated do not match the<BR>previous CHILD_SA, but the other one separately negotiated.<BR><BR>I think you should change your configuration to use separate CHILD_SAs,<BR>or try to negotiate all subnets under a single CHILD_SA on the Cisco<BR>side. If that doesn't work, you may try a build from git sources; we<BR>recently merged changes that avoid these policy conflicts. But most<BR>likely you'll end up with the wrong selectors after rekeying the<BR>CHILD_SA.<BR><BR>Regards<BR>Martin<BR><BR><BR>-- <BR>This message has been scanned for viruses and<BR>dangerous content by MailScanner, and is<BR>believed to be clean.<BR><BR></DIV><BR>
<div>
<div>
<div>
<font face="Arial" size="2" color="#008000">Please consider the
environment before printing this email</font><font face="Arial" size="2">
</font> </div>
</div>
</div>
<div>
<font face="Arial" size="2">
</font> </div>
<span class="f133 controlstyle" id="F133"><font face="Arial" size="2">*********************************************************************
</font></span><font face="Arial" size="2"><br><span class="f133 controlstyle" id="F133"><br>This
e-mail and any attachments are confidential. If it is not for you, please
inform us and delete it immediately without disclosing, copying, or
distributing it.<br><br>If the content is not about the business of
PayWizard Group PLC or its clients, then it is neither from nor sanctioned
by PayWizard Group PLC. Use of this or any other PayWizard Group PLC
e-mail facility signifies consent to interception by PayWizard Group PLC.
The views expressed in this email or any attachments may not reflect the
views and opinions of PayWizard Group PLC.<br><br>This message has been
scanned for viruses and dangerous content by MailScanner, but PayWizard
Group PLC accepts no liability for any damage caused by the transmission
of any viruses.<br><br>PayWizard Group PLC is a public limited company
registered in Scotland (SC175703) with its registered office at Cluny
Court, John Smith Business Park, Kirkcaldy, Fife, KY2 6QJ.<br><br>*******************************************************************</span>*</font>
<br />--
<br />This message has been scanned for viruses and
<br />dangerous content by
<a href="http://www.mailscanner.info/"><b>MailScanner</b></a>, and is
<br />believed to be clean.
</BODY></HTML>