[strongSwan] TS Unacceptable error !!

Narendra K A naren.ka at gmail.com
Tue Aug 23 15:18:01 CEST 2011


Hello everyone,

    I need some help regarding load testing against a remote host. I
have my strongswan.conf file set up as described in the link below:
    http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests

Right now I am using EAP authentication, i.e. in the strongswan.conf
file I have set *"initiator_auth = eap"*. But the tunnel is not created.
When I run ipsec statusall it reports SA NONE. On the server side
it gives the *error for Tunnel down as TS Unacceptable*. So I tried
configuring *rightsubnet* on the client side in the *ipsec.conf* file at
*conn %default*, but it still gives the same error!

1. Does it have anything to do with the *reuse_ikesa* or *ike_rekey* or
*child_rekey* or *nat_traversal* parameters in the strongswan.conf
file?
2. Do I have to do anything with the *ip xfrm state* and *ip xfrm pol*
commands?
3. I also observed some variations in the SA field when I ran the *ipsec
statusall* command immediately, a second after starting ipsec,
but when I ran *ipsec statusall* after 3 or 4 seconds, the *SA field
was NONE*. Here is the sample log:

Connections:
   load-test:  0.0.0.0...192.168.17.1
   load-test:   local:  [CN=srv, OU=load-test, O=strongSwan] uses public key authentication
   load-test:   remote: [%any] uses EAP authentication
   load-test:   child:  dynamic === dynamic
Security Associations:
   load-test[1]: CONNECTING, 172.63.102.20[fbsr-0000000000000001 at eapds2460.iprc.nlt.in]...192.168.17.1[iprc.nlt.in]
   load-test[1]: IKE SPIs: 18d5752ca9dc3152_i* 5eaa017e1baa4a29_r
   load-test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   load-test[2]: CONNECTING, 172.63.102.20[fbsr-0000000000000002 at eapds2460.iprc.nlt.in]...192.168.17.1[iprc.nlt.in]
   load-test[2]: IKE SPIs: 6d04312601f85395_i* 14e8b0cbaf5a307c_r
   load-test[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   load-test[3]: CONNECTING, 172.63.102.20[fbsr-0000000000000003 at eapds2460.iprc.nlt.in]...192.168.17.1[iprc.nlt.in]
   load-test[3]: IKE SPIs: 885ea46503d1ef5b_i* 5dccc3731da91a99_r
   load-test[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   load-test[4]: CONNECTING, 172.63.102.20[fbsr-0000000000000004 at eapds2460.iprc.nlt.in]...192.168.17.1[iprc.nlt.in]
   load-test[4]: IKE SPIs: 5df279ec4e45815e_i* 93012abd904120ec_r
   load-test[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   load-test[5]: CONNECTING, 172.63.102.20[%any]...192.168.17.1[%any]
  * load-test[5]: IKE SPIs: 770a8629b52f07cd_i* 0000000000000000_r*

Observe the above line. Here I am creating 10 iterations, but after the 4th
iteration the IKE SPI values are zeros.
*After 5 seconds:*

strongswan-4.4.0]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.0):
  uptime: 3 seconds, since Aug 23 18:17:09 2011
  worker threads: 25 idle of 32, job queue load: 0, scheduled events: 60
  loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem fips-prf xcbc hmac gmp attr load-tester kernel-netlink socket-raw stroke updown eap-identity eap-ds2460 resolve
Listening IP addresses:
  135.254.212.216
  192.168.122.1
  172.63.102.20
Connections:
   load-test:  0.0.0.0...192.168.17.1
   load-test:   local:  [CN=srv, OU=load-test, O=strongSwan] uses public key authentication
   load-test:   remote: [%any] uses EAP authentication
   load-test:   child:  dynamic === dynamic
Security Associations:
  none

Please help me solve this problem.
Regards,
Naren