<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 07.07.22 15:07,
<a class="moz-txt-link-abbreviated" href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting">noel.kuntze+strongswan-users-ml@thermi.consulting</a> wrote:<br>
</div>
<blockquote type="cite"
cite="mid:B352FE17-29D5-4832-8F98-B22263F1DAD2@thermi.consulting">
<pre class="moz-quote-pre" wrap="">Hi Manfred,
If the peer is strongswqn: Initiate with --child x, not --ike x
Otherwise: client problem, it sends no TSi or TSr.
Kind regards
</pre>
</blockquote>
<blockquote type="cite"
cite="mid:B352FE17-29D5-4832-8F98-B22263F1DAD2@thermi.consulting">
<pre class="moz-quote-pre" wrap="">Noel
</pre>
</blockquote>
<p>Thanks for the fast response:</p>
<p>On carol:<br>
</p>
<p><span style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff;">root@carol:~#
swanctl -i --child home </span><br>
[IKE] establishing CHILD_SA home{4}
<br>
[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
<br>
[NET] sending packet: from 192.168.122.122[4500] to
34.198.254.90[4500] (304 bytes)
<br>
[NET] received packet: from xx.xx.xx.xx[4500] to
192.168.122.122[4500] (80 bytes)
<br>
[ENC] parsed CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
<br>
[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
<br>
[IKE] failed to establish CHILD_SA, keeping IKE_SA
<br>
initiate failed: establishing CHILD_SA 'home' failed<br>
<br>
</span></p>
<p><span style="font-family:monospace">On moon:</span></p>
<p><span style="font-family:monospace"><span
style="color:#000000;background-color:#ffffff;">root@moon:~#
swanctl --log
</span><br>
13[NET] received packet: from 109.43.49.131[21329] to
172.31.11.131[4500] (304 bytes)
<br>
13[ENC] parsed CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
<br>
13[IKE] traffic selectors 172.31.11.0/24 === 192.168.122.122/32
unacceptable
<br>
13[IKE] failed to establish CHILD_SA, keeping IKE_SA
<br>
13[ENC] generating CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
<br>
13[NET] sending packet: from 172.31.11.131[4500] to
109.43.49.131[21329] (80 bytes)
<br>
14[IKE] sending keep alive to 109.43.49.131[21329]<br>
<br>
</span>Still no success.<br>
<span style="font-family:monospace"></span></p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:B352FE17-29D5-4832-8F98-B22263F1DAD2@thermi.consulting">
<pre class="moz-quote-pre" wrap="">
Am 7. Juli 2022 12:49:06 UTC schrieb Michael Schwartzkopff <a class="moz-txt-link-rfc2396E" href="mailto:ms@sys4.de"><ms@sys4.de></a>:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hi,
I set up a RW connection according to
<a class="moz-txt-link-freetext" href="https://docs.strongswan.org/docs/5.9/config/quickstart.html#_roadwarrior_case">https://docs.strongswan.org/docs/5.9/config/quickstart.html#_roadwarrior_case</a> and
<a class="moz-txt-link-freetext" href="https://www.strongswan.org/testing/testresults/ikev2/rw-cert/">https://www.strongswan.org/testing/testresults/ikev2/rw-cert/</a>
swanctl -L shows:
root@moon:~# swanctl -L
rw: IKEv1/2, no reauthentication, rekeying every 14400s
local: %any
remote: %any
local public key authentication:
id: moon.example.org
certs: C=TEST, O=TEST, CN=moon.example.org
remote public key authentication:
rw: TUNNEL, rekeying every 3600s
local: 172.31.11.0/24
remote: dynamic
root@misch:~# swanctl -L
home: IKEv1/2, no reauthentication, rekeying every 14400s
local: %any
remote: xx.xx.xx.xx
local public key authentication:
id: carol.example.org
certs: C=TEST, O=TEST, CN=carol.example.org
remote public key authentication:
id: moon.example.org
home: TUNNEL, rekeying every 3600s
local: dynamic
remote: 172.31.11.0/24
The tunnel comes up and an IKE SA is negotiated. But no ipsec SA is formed. Any idea?
root@moon:~# swanctl --log
16[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (80 bytes)
16[ENC] parsed INFORMATIONAL request 2 [ D ]
16[IKE] received DELETE for IKE_SA rw[15]
16[IKE] deleting IKE_SA rw[15] between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
16[IKE] IKE_SA deleted
16[ENC] generating INFORMATIONAL response 2 [ ]
16[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (80 bytes)
06[NET] received packet: from 109.43.49.131[4798] to 172.31.11.131[500] (904 bytes)
06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
06[IKE] 109.43.49.131 is initiating an IKE_SA
06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
06[IKE] local host is behind NAT, sending keep alives
06[IKE] remote host is behind NAT
06[IKE] sending cert request for "C=TEST, O=TEST, CN=TEST CA"
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
06[NET] sending packet: from 172.31.11.131[500] to 109.43.49.131[4798] (273 bytes)
07[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (624 bytes)
07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
07[IKE] received cert request for "C=TEST, O=TEST, CN=TEST CA"
07[IKE] received end entity cert "C=TEST, O=TEST, CN=carol.example.org"
07[CFG] looking for peer configs matching 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
07[CFG] selected peer config 'rw'
07[CFG] using certificate "C=TEST, O=TEST, CN=carol.example.org"
07[CFG] using trusted ca certificate "C=TEST, O=TEST, CN=TEST CA"
07[CFG] checking certificate status of "C=TEST, O=TEST, CN=carol.example.org"
07[CFG] certificate status is not available
07[CFG] reached self-signed root ca with a path length of 0
07[IKE] authentication of 'ccarol.example.org' with ED25519 successful
07[IKE] peer supports MOBIKE
07[IKE] authentication of 'moon.example.org' (myself) with ED25519 successful
07[IKE] IKE_SA rw[16] established between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
07[IKE] scheduling rekeying in 13852s
07[IKE] maximum IKE_SA lifetime 15292s
07[IKE] sending end entity cert "C=TEST, O=TEST, CN=moon.example.org"
07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
07[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (544 bytes)
The connection list is:
root@moon:~# swanctl -l
rw: #16, ESTABLISHED, IKEv2, 15aaec072bc0be30_i 3fb1301da911d929_r*
local 'moon.example.org' @ 172.31.11.131[4500]
remote 'carol.example.org' @ 109.43.49.131[21329]
AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
established 516s ago, rekeying in 13336s
But no child section / ipsec sa. Any ideas what is wrong here?
Mit freundlichen Grüßen,
--
[*] sys4 AG
<a class="moz-txt-link-freetext" href="https://sys4.de">https://sys4.de</a>, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Sent from mobile
</pre>
</blockquote>
<p><br>
</p>
<pre class="moz-signature" cols="72">Mit freundlichen Grüßen,
--
[*] sys4 AG
<a class="moz-txt-link-freetext" href="https://sys4.de">https://sys4.de</a>, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein</pre>
</body>
</html>