<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<p>sorry, that should be removing 10.128.0.0/16 not /24.</p>
<p>Also a cut and paste error on the east file into my browser email window, my remote_ts=10.64.0.0/16,10.128.0.0/16 not /64</p>
<blockquote type="cite">
On January 25, 2022 at 10:07 AM VTwin Farriers <vtwin@cox.net> wrote:
<br>
<br>
<p class="ox-7b320e8d13-default-style">Thank you all for your responses.</p>
<p class="ox-7b320e8d13-default-style">I have the same local_ts/remote_ts values on my East and Central swanctl.conf files. I would think this should work but for some reason I get the TS_UNACCEPTABLE error. Removing "10.128.0.0/24" from the swanctl.conf files on east and central will then work.</p>
<p class="ox-7b320e8d13-default-style"><br></p>
<p class="ox-7b320e8d13-default-style">swanctl.conf (East)</p>
<p class="ox-7b320e8d13-default-style">connections {<br> eastcentral {<br> version=2<br> local_addrs=a.b.c.d<br> proposals=aes256-sha1-modp1024, default<br> local-0 {<br> auth = psk<br> }<br> remote-0 {<br> auth = psk<br> }<br> remote_addrs=w.x.y.z<br> children {<br> eastcentral {<br> esp_proposals=aes256-sha1, default<br> dpd_action=restart<br> remote_ts=10.64.0.0/16,10.128.0.0/64<br> local_ts=10.0.0.0/16<br> }<br> }<br> }<br>}</p>
<p class="ox-7b320e8d13-default-style"><br>swanctl.conf (Central):</p>
<p class="ox-7b320e8d13-default-style">connections {<br> centraleast {<br> version=2<br> local_addrs=w.x.y.z<br> proposals=aes256-sha1-modp1024, default<br> local-0 {<br> auth = psk<br> }<br> remote-0 {<br> auth = psk<br> }<br> remote_addrs=a.b.c.d<br> children {<br> centraleast {<br> esp_proposals=aes256-sha1, default<br> dpd_action=restart<br> remote_ts=10.0.0.0/16<br> local_ts=10.64.0.0/16,10.128.0.0/16<br> }<br> }<br> }<br>}</p>
<p class="ox-7b320e8d13-default-style"><br></p>
<p class="ox-7b320e8d13-default-style"><br>[root@EastRouter swanctl]# strongswan up eastcentral<br>initiating IKE_SA eastcentral[1] to w.x.y.z<br>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br>sending packet: from a.b.c.d[500] to w.x.y.z[500] (1204 bytes)<br>received packet: from w.x.y.z[500] to a.b.c.d[500] (344 bytes)<br>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]<br>selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>remote host is behind NAT<br>no IDi configured, fall back on IP address<br>authentication of 'a.b.c.d' (myself) with pre-shared key<br>establishing CHILD_SA eastcentral{1}<br>generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]<br>sending packet: from a.b.c.d[4500] to w.x.y.z[4500] (668 bytes)<br>received packet: from w.x.y.z[4500] to a.b.c.d[4500] (220 bytes)<br>parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]<br>authentication of 'w.x.y.z' with pre-shared key successful<br>IKE_SA eastcentral[1] established between a.b.c.d[a.b.c.d]...w.x.y.z[w.x.y.z]<br>scheduling rekeying in 13393s<br>maximum IKE_SA lifetime 14833s<br>received TS_UNACCEPTABLE notify, no CHILD_SA built<br>failed to establish CHILD_SA, keeping IKE_SA<br>peer supports MOBIKE<br>establishing connection 'eastcentral' failed</p>
</blockquote>
<p class="default-style"><br> </p>
</body>
</html>