<html>
<head></head>
<body>Hi Manfred,<br>Quick fix would be to put the private IP of carol as their local_ts (remote_ts on moon then of course).<br><br>Kind regards<br>Noel<br><br><div class="gmail_quote">On 7 July 2022 13:31:51 UTC, Michael Schwartzkopff <ms@sys4.de> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div style="font-family:sans-serif"> <span dir="ltr" style="margin-top:0; margin-bottom:0;">Thanks. Do you have a quick hint for me to fix the config?</span>
<br>
</div>
<div>
<br>
<div>
<p>07.07.2022 15:19:54 noel.kuntze+strongswan-users-ml@thermi.consulting:</p>
</div>
<blockquote style="margin:0;border-left:3px solid #ccc; padding-left:10px">
Hi,
<br>
<br>Then of course, because they're each behind NAT, the one TS being dynamic, they will propose different, non-intersecting ones for that one.
<br>
<br>Kind regards
<br>Noel
<br>
<br>
<div class="gmail_quote">
On 7 July 2022 13:15:40 UTC, Michael Schwartzkopff <ms@sys4.de> wrote:
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex">
<pre dir="auto" class="k9mail">On 07.07.22 15:07, noel.kuntze+strongswan-users-ml@thermi.consulting wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex">
Hi Manfred,
<br>
<br>If the peer is strongSwan: Initiate with --child x, not --ike x
<br>
<br>Otherwise: client problem, it sends no TSi or TSr.
<br>
<br>Kind regards
<br>Noel
<br>
</blockquote><br><br>Perhaps interesting to add: Both carol and moon are behind NAT. moon is on AWS.<br><br><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex">
On 7 July 2022 12:49:06 UTC, Michael Schwartzkopff <ms@sys4.de> wrote:
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex">
Hi,
<br>
<br>I set up a RW connection according to
<br><a href="https://docs.strongswan.org/docs/5.9/config/quickstart.html#_roadwarrior_case">https://docs.strongswan.org/docs/5.9/config/quickstart.html#_roadwarrior_case</a> and
<br>
<br><a href="https://www.strongswan.org/testing/testresults/ikev2/rw-cert/">https://www.strongswan.org/testing/testresults/ikev2/rw-cert/</a>
<br>
<br>swanctl -L shows:
<br>root@moon:~# swanctl -L
<br>rw: IKEv1/2, no reauthentication, rekeying every 14400s
<br> local: %any
<br> remote: %any
<br> local public key authentication:
<br> id: moon.example.org
<br> certs: C=TEST, O=TEST, CN=moon.example.org
<br> remote public key authentication:
<br> rw: TUNNEL, rekeying every 3600s
<br> local: 172.31.11.0/24
<br> remote: dynamic
<br>
<br>root@misch:~# swanctl -L
<br>home: IKEv1/2, no reauthentication, rekeying every 14400s
<br> local: %any
<br> remote: xx.xx.xx.xx
<br> local public key authentication:
<br> id: carol.example.org
<br> certs: C=TEST, O=TEST, CN=carol.example.org
<br> remote public key authentication:
<br> id: moon.example.org
<br> home: TUNNEL, rekeying every 3600s
<br> local: dynamic
<br> remote: 172.31.11.0/24
<br>
<br>The tunnel comes up and an IKE SA is negotiated. But no IPsec SA is formed. Any idea?
<br>
<br>root@moon:~# swanctl --log
<br>16[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (80 bytes)
<br>16[ENC] parsed INFORMATIONAL request 2 [ D ]
<br>16[IKE] received DELETE for IKE_SA rw[15]
<br>16[IKE] deleting IKE_SA rw[15] between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
<br>16[IKE] IKE_SA deleted
<br>16[ENC] generating INFORMATIONAL response 2 [ ]
<br>16[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (80 bytes)
<br>06[NET] received packet: from 109.43.49.131[4798] to 172.31.11.131[500] (904 bytes)
<br>06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
<br>06[IKE] 109.43.49.131 is initiating an IKE_SA
<br>06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
<br>06[IKE] local host is behind NAT, sending keep alives
<br>06[IKE] remote host is behind NAT
<br>06[IKE] sending cert request for "C=TEST, O=TEST, CN=TEST CA"
<br>06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
<br>06[NET] sending packet: from 172.31.11.131[500] to 109.43.49.131[4798] (273 bytes)
<br>07[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (624 bytes)
<br>07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
<br>07[IKE] received cert request for "C=TEST, O=TEST, CN=TEST CA"
<br>07[IKE] received end entity cert "C=TEST, O=TEST, CN=carol.example.org"
<br>07[CFG] looking for peer configs matching 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
<br>07[CFG] selected peer config 'rw'
<br>07[CFG] using certificate "C=TEST, O=TEST, CN=carol.example.org"
<br>07[CFG] using trusted ca certificate "C=TEST, O=TEST, CN=TEST CA"
<br>07[CFG] checking certificate status of "C=TEST, O=TEST, CN=carol.example.org"
<br>07[CFG] certificate status is not available
<br>07[CFG] reached self-signed root ca with a path length of 0
<br>07[IKE] authentication of 'ccarol.example.org' with ED25519 successful
<br>07[IKE] peer supports MOBIKE
<br>07[IKE] authentication of 'moon.example.org' (myself) with ED25519 successful
<br>07[IKE] IKE_SA rw[16] established between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
<br>07[IKE] scheduling rekeying in 13852s
<br>07[IKE] maximum IKE_SA lifetime 15292s
<br>07[IKE] sending end entity cert "C=TEST, O=TEST, CN=moon.example.org"
<br>07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
<br>07[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (544 bytes)
<br>
<br>The connection list is:
<br>root@moon:~# swanctl -l
<br>rw: #16, ESTABLISHED, IKEv2, 15aaec072bc0be30_i 3fb1301da911d929_r*
<br> local 'moon.example.org' @ 172.31.11.131[4500]
<br> remote 'carol.example.org' @ 109.43.49.131[21329]
<br> AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
<br> established 516s ago, rekeying in 13336s
<br>
<br>But no child section / IPsec SA. Any ideas what is wrong here?
<br>
<br>
<br>Kind regards,
<br>
<br>
<div class="k9mail-signature">
--
<br>
<br>[*] sys4 AG
<br>
<br><a href="https://sys4.de">https://sys4.de</a>, +49 (89) 30 90 46 64
<br>Schleißheimer Straße 26/MG, 80333 München
<br>
<br>Registered office: München, Amtsgericht München: HRB 199263
<br>Board of directors: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
<br>Chairman of the supervisory board: Florian Kirstein
<br>
</div>
</blockquote>
<br>
</blockquote><br><br>Kind regards,<br><br>
</pre>
</blockquote>
</div>
</blockquote>
</div>
</blockquote></div></body></html>
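The two diagnoses in Noel's replies, modelled in Python: an IKE_AUTH that carries no SA/TSi/TSr payloads when the connection is initiated with --ike instead of --child, and traffic selectors that cannot intersect when carol's local_ts is `dynamic` behind NAT while moon resolves its `dynamic` remote_ts to carol's NAT address. This is an added example, not strongSwan code or anything posted in the thread; carol's private address 192.168.178.20 is an assumption, moon's subnet, the NAT address and the log line come from the posted output.

```python
"""Added example (not strongSwan code): why the road-warrior CHILD_SA in the
thread never appears, and what each of Noel's two suggestions changes."""
import ipaddress
import re

MOON_SUBNET = "172.31.11.0/24"          # from moon's swanctl -L output
CAROL_AS_SEEN_BY_MOON = "109.43.49.131"  # carol's NAT address in moon's log
CAROL_PRIVATE = "192.168.178.20"         # ASSUMPTION: carol's real private IP

# Copy of the IKE_AUTH line from moon's log: no SA, TSi or TSr payload.
IKE_AUTH_LINE = ("07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) "
                 "CERTREQ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) "
                 "N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]")


def ike_auth_carries_child(logline):
    """True if an IKE_AUTH request carries the payloads a CHILD_SA needs.
    'swanctl --initiate --ike x' sets up the IKE_SA only; '--child x' adds
    SA/TSi/TSr so a CHILD_SA is negotiated in the same exchange."""
    m = re.search(r"parsed IKE_AUTH request \d+ \[(.*)\]", logline)
    payloads = set(m.group(1).split()) if m else set()
    return {"SA", "TSi", "TSr"} <= payloads


def resolve(ts, dynamic_host=None):
    """strongSwan substitutes one host for 'dynamic' at negotiation time: its
    own IKE address for local_ts, the peer's address on the wire for remote_ts
    (behind NAT that is the NAT address, not carol's private one)."""
    return ipaddress.ip_network(dynamic_host if ts == "dynamic" else ts, strict=False)


def narrow(proposed, configured):
    """RFC 7296 section 2.9 narrowing: the responder answers with the intersection
    of the proposal and its own config, or with no CHILD_SA at all."""
    if proposed.subnet_of(configured):
        return proposed
    if configured.subnet_of(proposed):
        return configured
    return None


def child_ts(carol, moon):
    """carol initiates (TSi = her local_ts, TSr = her remote_ts); moon narrows
    TSi against its remote_ts and TSr against its local_ts."""
    tsi = narrow(resolve(carol["local_ts"], CAROL_PRIVATE),
                 resolve(moon["remote_ts"], CAROL_AS_SEEN_BY_MOON))
    tsr = narrow(resolve(carol["remote_ts"]), resolve(moon["local_ts"]))
    return (str(tsi), str(tsr)) if tsi is not None and tsr is not None else None


# Thread's config: both ends 'dynamic' behind NAT, so TSi never intersects.
BROKEN = child_ts({"local_ts": "dynamic", "remote_ts": MOON_SUBNET},
                  {"local_ts": MOON_SUBNET, "remote_ts": "dynamic"})
# Noel's fix: carol's private IP as her local_ts and as moon's remote_ts.
FIXED = child_ts({"local_ts": CAROL_PRIVATE + "/32", "remote_ts": MOON_SUBNET},
                 {"local_ts": MOON_SUBNET, "remote_ts": CAROL_PRIVATE + "/32"})
```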