<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">[Apologies for accidentally hitting send on previous email…]</div><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><br class=""></div><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hi all, I’m trying to resolve an issue with traffic selection and am running out of ideas on how to do so. Hopefully someone here can recognize what I am doing wrong. My two endpoints are `strongSwan 5.7.2, Linux 4.20.3-1.el7.elrepo.x86_64, x86_64` and `strongSwan 5.6.3` from OpenWRT `opkg` repositories. <div class=""><br class=""></div><div class="">In my config (below), I have worked on several iterations and have always seen the selectors presented to the opposite side specifying the /32 of the external interface to each other, never the networks that I am trying to route between. I am using `type=transport` as I need to pass OSPF traffic over the links. In an effort to cover all bases before posting here, I have mapped my configuration to that in <a href="https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario" class="">https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario</a>, also with the same results. 
</div><div class=""><br class=""></div><div class="">When I remove the `left/rightsubnet` configurations, the TS negotiates cleanly and passes traffic bound for the opposite public endpoint, but then of course no xfrm policy exists between the `10.10.0.0/22` and `10.10.4.0/22` networks, which is the final goal.</div><div class=""><br class=""></div><div class="">In all cases, the SA is being negotiated cleanly, so I have clipped those sections for brevity. Apologies if I have lost information and thanks for your consideration!</div><div class=""><br class=""></div><div class="">Brian</div><div class=""><br class=""></div><div class="">Common:</div><div class=""><blockquote type="cite" class=""><div class="">config setup</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>charondebug="ike 2, knl 2, cfg 2, mgr 2"</div><div class=""><br class=""></div><div class="">conn %default</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>keyingtries=3</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>authby=secret</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>type=transport</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072</div><div class=""><br class=""></div></blockquote><div class=""><br class=""></div><div class="">Dynamic:</div><blockquote type="cite" class=""><div class="">conn site-2-dynamic-ip</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>left=%defaultroute</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>leftsubnet=10.9.254.252/30,10.9.254.248/30</div><div class=""><span class="Apple-tab-span" style="white-space: 
pre;"> </span>leftfirewall=no</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>right=dy.na.mi.cip</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>rightsubnet=10.10.0.0/22</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>rightid=%specific.example.com</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>auto=add</div></blockquote></div><div class=""><div class=""><br class=""></div></div><div class="">Static:</div><div class=""><blockquote type="cite" class=""><div class="">conn site-1-static-ip</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>left=st.at.ic.ip</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>leftsubnet=10.9.254.252/30,10.9.254.248/30</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>leftid=%specific.example.com</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>leftfirewall=no</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>right=%any</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>rightsubnet=10.10.4.0/22</div><div class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>auto=add</div></blockquote></div><div class=""><div class=""><br class=""></div></div><div class="">Dynamic side logs:</div><div class=""><blockquote type="cite" class="">
<div class="">05[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]</div>
<div class="">05[NET] sending packet: from dy.na.mi.cip[4500] to st.at.ic.ip[4500] (445 bytes)</div>
<div class="">05[MGR] checkin IKE_SA site-2-dynamic-ip[10]</div>
<div class="">05[MGR] checkin of IKE_SA successful</div>
<div class="">13[MGR] checkout IKEv2 SA by message with SPIs 666aa985fa6a1f6b_i 354556de7cfce172_r</div>
<div class="">13[MGR] IKE_SA site-2-dynamic-ip[10] successfully checked out</div>
<div class="">13[NET] received packet: from st.at.ic.ip[4500] to dy.na.mi.cip[4500] (205 bytes)</div>
<div class="">13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]</div>
<div class="">13[IKE] authentication of 'specific.example.com' with pre-shared key successful</div>
<div class="">13[IKE] IKE_SA site-2-dynamic-ip[10] established between dy.na.mi.cip[dy.na.mi.cip]...st.at.ic.ip[specific.example.com]</div>
<div class="">13[IKE] IKE_SA site-2-dynamic-ip[10] state change: CONNECTING => ESTABLISHED</div>
<div class="">13[IKE] scheduling reauthentication in 9950s</div>
<div class="">13[IKE] maximum IKE_SA lifetime 10490s</div>
<div class="">13[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built</div>
<div class="">13[IKE] failed to establish CHILD_SA, keeping IKE_SA</div>
<div class="">13[KNL] deleting SAD entry with SPI cee22084</div>
<div class="">13[KNL] deleted SAD entry with SPI cee22084</div>
<div class="">13[IKE] received AUTH_LIFETIME of 9756s, scheduling reauthentication in 9216s</div>
<div class="">13[IKE] peer supports MOBIKE</div>
<div class="">13[IKE] got additional MOBIKE peer address: 10.10.0.41</div>
<div class="">13[IKE] got additional MOBIKE peer address: 172.17.0.1</div>
<div class="">13[IKE] got additional MOBIKE peer address: fc00::10ca:1</div>
<div class="">13[IKE] activating new tasks</div>
<div class="">13[IKE] nothing to initiate</div>
<div class="">13[MGR] checkin IKE_SA site-2-dynamic-ip[10]</div>
</blockquote><br class=""></div><div class="">Static side logs:</div><div class=""><blockquote type="cite" class="">
<div class="">07[NET] received packet: from 71.211.224.100[4500] to 173.248.143.113[4500] (445 bytes)</div>
<div class="">07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]</div>
<div class="">07[CFG] looking for a child config for st.at.ic.ip/32 === dy.na.mi.cip/32</div>
<div class="">07[CFG] proposing traffic selectors for us:</div>
<div class="">07[CFG] st.at.ic.ip/32</div>
<div class="">07[CFG] st.at.ic.ip/32</div>
<div class="">07[CFG] proposing traffic selectors for other:</div>
<div class="">07[CFG] dy.na.mi.cip/32</div>
<div class="">07[CFG] candidate "site-1-static-ip" with prio 5+5</div>
<div class="">07[CFG] found matching child config "site-1-static-ip" with prio 10</div>
<div class="">07[CFG] selecting proposal:</div>
<div class="">07[CFG] proposal matches</div>
<div class="">07[CFG] received proposals: ESP:AES_GCM_16_192/AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ</div>
<div class="">07[CFG] configured proposals: ESP:AES_GCM_16_192/AES_GCM_16_128/ECP_256/MODP_3072/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/ECP_256/MODP_3072/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ</div>
<div class="">07[CFG] selected proposal: ESP:AES_GCM_16_192/NO_EXT_SEQ</div>
<div class="">07[KNL] got SPI cd351083</div>
<div class="">07[CFG] selecting traffic selectors for us:</div>
<div class="">07[CFG] config: 10.9.254.252/30, received: st.at.ic.ip/32 => no match</div>
<div class="">07[CFG] config: 10.9.254.248/30, received: st.at.ic.ip/32 => no match</div>
<div class="">07[CFG] selecting traffic selectors for other:</div>
<div class="">07[CFG] config: 10.10.4.0/22, received: dy.na.mi.cip/32 => no match</div>
<div class="">07[IKE] no acceptable traffic selectors found</div>
<div class="">07[IKE] failed to establish CHILD_SA, keeping IKE_SA</div>
<div class="">07[KNL] deleting SAD entry with SPI cd351083</div>
<div class="">07[KNL] deleted SAD entry with SPI cd351083</div>
<div class="">07[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]</div>
<div class="">07[NET] sending packet: from st.at.ic.ip[4500] to dy.na.mi.cip[4500] (205 bytes)</div>
<div class="">07[MGR] checkin IKE_SA site-1-static-ip[1]</div>
<div class="">07[MGR] checkin of IKE_SA successful</div>
<div class="">07[MGR] checkout IKEv2 SA with SPIs 666aa985fa6a1f6b_i 354556de7cfce172_r</div>
<div class="">07[MGR] IKE_SA site-1-static-ip[1] successfully checked out</div>
<div class="">07[MGR] checkin IKE_SA site-1-static-ip[1]</div>
<div class="">07[MGR] checkin of IKE_SA successful</div>
</blockquote></div><div class=""><div class=""><br class=""></div></div><div class=""></div></div></body></html>
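<div class="">Editor's note, added to the archived message; this is not part of Brian's post and not strongSwan code. The static side's CFG lines show the responder narrowing the initiator's proposed traffic selectors against its own configured ones (RFC 7296 section 2.9) and finding no intersection, which is what produces the TS_UNACCEPTABLE the dynamic side receives. The Python model below reproduces that narrowing step with the subnets from the two ipsec.conf snippets; 203.0.113.1 and 198.51.100.7 are constructed stand-ins for st.at.ic.ip and dy.na.mi.cip. The initiator_proposal() helper encodes the transport-mode behaviour visible in the log (the selectors are the endpoint host addresses, "st.at.ic.ip/32 === dy.na.mi.cip/32", because transport-mode ESP protects traffic between the two IKE endpoints themselves), and mirrored() is a generic sanity check that the two sides' selectors are mirror images, not something charon performs.</div>

```python
"""Model of IKEv2 traffic selector (TS) narrowing as charon logs it
("config: X, received: Y => no match").

Added example, not strongSwan code.  The responder narrows the initiator's
TSi/TSr against its own configured selectors; if nothing survives on either
side it answers TS_UNACCEPTABLE and no CHILD_SA is built.
"""
from ipaddress import IPv4Network, ip_network
from typing import Iterable, List, Optional, Sequence, Tuple

STATIC_IP = "203.0.113.1/32"    # constructed stand-in for st.at.ic.ip
DYNAMIC_IP = "198.51.100.7/32"  # constructed stand-in for dy.na.mi.cip

# Selectors exactly as they appear in the two ipsec.conf snippets.
STATIC_LOCAL = ["10.9.254.252/30", "10.9.254.248/30"]   # site-1 leftsubnet
STATIC_REMOTE = ["10.10.4.0/22"]                         # site-1 rightsubnet
DYNAMIC_LOCAL = ["10.9.254.252/30", "10.9.254.248/30"]  # site-2 leftsubnet
DYNAMIC_REMOTE = ["10.10.0.0/22"]                        # site-2 rightsubnet


def intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Two CIDR blocks are either nested or disjoint: return the narrower or None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow(configured: Iterable[str], received: Iterable[str],
           log: List[str]) -> List[IPv4Network]:
    """Narrow every received selector against the configured list, logging each
    comparison in the same shape as charon's CFG lines."""
    selected: List[IPv4Network] = []
    for cfg in (ip_network(c) for c in configured):
        for rcv in (ip_network(r) for r in received):
            hit = intersect(cfg, rcv)
            log.append(f"config: {cfg}, received: {rcv} => "
                       f"{'match: ' + str(hit) if hit else 'no match'}")
            if hit is not None and hit not in selected:
                selected.append(hit)
    return selected


def responder_select(local_cfg: Sequence[str], remote_cfg: Sequence[str],
                     tsi: Sequence[str], tsr: Sequence[str]
                     ) -> Tuple[Optional[Tuple[List[IPv4Network], List[IPv4Network]]], List[str]]:
    """Responder view: TSr is what the initiator proposes for *us*, TSi for *other*.
    Returns ((us, other), log) on success or (None, log) for TS_UNACCEPTABLE."""
    log = ["selecting traffic selectors for us:"]
    us = narrow(local_cfg, tsr, log)
    log.append("selecting traffic selectors for other:")
    other = narrow(remote_cfg, tsi, log)
    if not us or not other:
        log.append("no acceptable traffic selectors found")
        return None, log
    return (us, other), log


def initiator_proposal(transport: bool, local_ip: str, remote_ip: str,
                       local_cfg: Sequence[str], remote_cfg: Sequence[str]
                       ) -> Tuple[List[str], List[str]]:
    """TSi/TSr the initiator sends.  In transport mode ESP protects the packets
    exchanged between the two IKE endpoints, so the selectors are the endpoint
    host addresses; in tunnel mode they are the configured subnets."""
    if transport:
        return [local_ip], [remote_ip]
    return list(local_cfg), list(remote_cfg)


def mirrored(a_local: Sequence[str], a_remote: Sequence[str],
             b_local: Sequence[str], b_remote: Sequence[str]) -> bool:
    """Sanity check for a site-to-site pair: each side's remote selectors must lie
    inside the other side's local selectors, or narrowing yields nothing."""
    def covered(wanted: Sequence[str], offered: Sequence[str]) -> bool:
        return all(any(intersect(ip_network(w), ip_network(o)) == ip_network(w)
                       for o in offered) for w in wanted)
    return covered(a_remote, b_local) and covered(b_remote, a_local)


def reproduce_post() -> Tuple[bool, List[str]]:
    """The exchange in the post: dynamic side initiates in transport mode, static
    side narrows against its subnet config.  Returns (child_sa_built, log)."""
    tsi, tsr = initiator_proposal(True, DYNAMIC_IP, STATIC_IP,
                                  DYNAMIC_LOCAL, DYNAMIC_REMOTE)
    result, log = responder_select(STATIC_LOCAL, STATIC_REMOTE, tsi, tsr)
    return result is not None, log


if __name__ == "__main__":
    built, lines = reproduce_post()
    print("\n".join(lines))
    print("CHILD_SA built:", built)
    print("configs are mirror images:",
          mirrored(STATIC_LOCAL, STATIC_REMOTE, DYNAMIC_LOCAL, DYNAMIC_REMOTE))
```

Running it prints the same sequence of CFG-style comparisons as the static side's log and reports that no CHILD_SA is built. Feeding responder_select() host-only selectors on both sides, or tunnel-mode proposals against a config that contains them, shows which inputs narrow to a non-empty result.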