<div dir="ltr"><div dir="ltr">Hello VTwin<div><br></div><div>This is a classic Hub-n-Spoke VPN Topology, where </div><div>- Central-Gw is the Hub-Ipsec-PeerGw, and</div><div>- East and West Gws are the Spoke-Gw peers</div><div>- And you need the local-subnets behind each spoke to communicate not only to subnets behind Central-Gw, BUT also require that the the spoke-to-spoke ipsec traffic be routed via the Central-HubGw</div><div><br></div><div>So request you to kindly please try out the attached 2 sample configs for your deployment. </div><div>Personally i prefer the Sample2 configs</div><div> </div><div>Hope this info helps</div><div><br></div><div>regards</div><div>Rajiv</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 25, 2022 at 1:09 PM Michael Schwartzkopff <<a href="mailto:ms@sys4.de">ms@sys4.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 25.01.22 03:13, VTwin Farriers wrote:<br>
> If I try to add <a href="http://10.128.0.0/16" rel="noreferrer" target="_blank">10.128.0.0/16</a> to the configuration for East <=> Central, I get:<br>
><br>
> received TS_UNACCEPTABLE notify, no CHILD_SA built<br>
> failed to establish CHILD_SA, keeping IKE_SA<br>
><br>
> when I attempt to bring up the connection.<br>
><br>
> This seems to be related to the fact there is no interface or route on Central which is on the 10.128.0.0 subnet, <a href="http://10.128.0.0/16" rel="noreferrer" target="_blank">10.128.0.0/16</a> traffic is passed to West via the West<=>Central ipsec link.<br>
><br>
> swanctl.conf:<br>
><br>
> connections {<br>
> EastCentral {<br>
> version=2<br>
> local_addrs=a.b.c.d<br>
> proposals=aes256-sha1-modp1024, default<br>
> local-0 {<br>
> auth = psk<br>
> }<br>
> remote-0 {<br>
> auth = psk<br>
> }<br>
> remote_addrs=w.x.y.z<br>
> children {<br>
> EastCentral {<br>
> esp_proposals=aes256-sha1, default<br>
> dpd_action=restart<br>
> local_ts=<a href="http://10.0.0.0/16" rel="noreferrer" target="_blank">10.0.0.0/16</a><br>
> remote_ts=<a href="http://10.64.0.0/16,10.128.0.0/16" rel="noreferrer" target="_blank">10.64.0.0/16,10.128.0.0/16</a><br>
><br>
> }<br>
> }<br>
> }<br>
> }<br>
> secrets {<br>
> ike-w.x.y.za.b.c.d {<br>
> secret = "SantizedForYourProtection"<br>
> id-1=w.x.y.z<br>
> id-0=a.b.c.d<br>
> }<br>
> }<br>
<br>
<br>
do you have the <a href="http://10.128.0.0/16" rel="noreferrer" target="_blank">10.128.0.0/16</a> configured on the central gateway as a <br>
local_ts for the connection to east?<br>
<br>
<br>
Mit freundlichen Grüßen,<br>
<br>
-- <br>
<br>
[*] sys4 AG<br>
<br>
<a href="https://sys4.de" rel="noreferrer" target="_blank">https://sys4.de</a>, +49 (89) 30 90 46 64<br>
Schleißheimer Straße 26/MG,80333 München<br>
<br>
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263<br>
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief<br>
Aufsichtsratsvorsitzender: Florian Kirstein<br>
<br>
</blockquote></div></div>