[strongSwan] PROBLEM "received TS_UNACCEPTABLE notify, no CHILD_SA built"
Igor Lopez Orbe
igorlor at gmail.com
Fri Jul 6 12:00:14 CEST 2012
Hello Martin,
Thank you so much for your help!
ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 96 seconds, since Jul 06 11:54:20 2012
malloc: sbrk 270336, mmap 0, used 250208, free 20128
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 2
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp
agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve
socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
192.168.1.93
10.1.0.1
192.168.1.22
192.168.122.1
192.168.100.1
10.8.0.2
Connections:
net-net: 192.168.1.93...192.168.1.118
net-net: local: [moon.strongswan.org] uses pre-shared key authentication
net-net: remote: [sun.strongswan.org] uses any authentication
net-net: child: 10.1.0.0/16 === 10.2.0.0/16
Security Associations:
net-net[1]: ESTABLISHED 75 seconds ago,
192.168.1.93[moon.strongswan.org]...192.168.1.118[sun.strongswan.org]
net-net[1]: IKE SPIs: eb0ceaa5e18cc3d3_i a1a71423b04cec60_r*,
pre-shared key reauthentication in 54 minutes
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c91ae2c0_i c755d56e_o
net-net{1}: AES_CBC_128/HMAC_SHA1_96, 1260 bytes_i (24s ago),
1260 bytes_o (24s ago), rekeying in 14 minutes
net-net{1}: 10.1.0.0/16 === 10.2.0.0/16
What I don't know is why, when I ping from one side to the other
one, nothing about encryption appears in the tcpdump:
11:58:11.032033 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 4, length 64
11:58:12.032493 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 5, length 64
11:58:13.031936 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 6, length 64
11:58:14.031969 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 7, length 64
11:58:15.032215 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 8, length 64
11:58:16.031937 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 9, length 64
11:58:17.031921 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 10, length 64
Should I add something more for that?
regards,
igorlor
2012/7/6 Martin Willi <martin at strongswan.org>:
> Hello Igor,
>
>> received TS_UNACCEPTABLE notify, no CHILD_SA built
>
>> leftsubnet=10.2.0.0/16
>> leftid=@moon.strongswan.org
>> rightsubnet=10.1.0.0/16
>> rightid=@sun.strongswan.org
>
>> leftsubnet=10.2.0.0/16
>> leftid=@sun.strongswan.org
>> rightsubnet=10.1.0.0/16
>> rightid=@moon.strongswan.org
>
> Your left/rightsubnet definitions do not match, both peers claim that
> the 10.2.0.0/16 subnet is theirs. Who should have the 10.2.0.0/16
> subnet, sun or moon?
>
> Regards
> Martin
>
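
The mismatch Martin describes can be checked mechanically by comparing, for each peer identity, the subnet that each side's configuration places behind it. The following is an added example, not part of the original thread or of strongSwan: the two config snippets are constructed from the fragments quoted above (the `conn net-net` header is assumed from the statusall output), the function names are hypothetical, and it assumes one subnet and one id per side.

```python
import ipaddress

# Constructed sample input: the option lines quoted in the thread, under an
# assumed "conn net-net" header. All other options are omitted.
MOON_CONF = """\
conn net-net
    leftsubnet=10.2.0.0/16
    leftid=@moon.strongswan.org
    rightsubnet=10.1.0.0/16
    rightid=@sun.strongswan.org
"""
SUN_CONF = """\
conn net-net
    leftsubnet=10.2.0.0/16
    leftid=@sun.strongswan.org
    rightsubnet=10.1.0.0/16
    rightid=@moon.strongswan.org
"""

def parse_conn(text, name):
    """Return the key=value options of one 'conn <name>' section."""
    opts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # unindented line starts a section
            parts = line.split()
            current = parts[1] if len(parts) == 2 and parts[0] == "conn" else None
        elif current == name and "=" in line:
            key, value = line.strip().split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def subnets_by_id(opts):
    """Map each peer identity to the subnet this config places behind it."""
    return {opts[side + "id"]: ipaddress.ip_network(opts[side + "subnet"])
            for side in ("left", "right")}

def selector_conflicts(conf_a, conf_b, name):
    """List (id, subnet in A, subnet in B) where the two configs disagree."""
    a = subnets_by_id(parse_conn(conf_a, name))
    b = subnets_by_id(parse_conn(conf_b, name))
    return sorted((ident, str(a[ident]), str(b.get(ident)))
                  for ident in a if a[ident] != b.get(ident))

if __name__ == "__main__":
    for ident, on_a, on_b in selector_conflicts(MOON_CONF, SUN_CONF, "net-net"):
        print(f"{ident}: {on_a} in one config, {on_b} in the other")
```

Keying the comparison on the ids rather than on left/right means it does not matter which side each administrator chose to call "left".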