[strongSwan] PROBLEM "received TS_UNACCEPTABLE notify, no CHILD_SA built"

Igor Lopez Orbe igorlor at gmail.com
Fri Jul 6 12:00:14 CEST 2012


Hello Martin,

Thank you so much for your help!

ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 96 seconds, since Jul 06 11:54:20 2012
  malloc: sbrk 270336, mmap 0, used 250208, free 20128
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp
agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve
socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
  192.168.1.93
  10.1.0.1
  192.168.1.22
  192.168.122.1
  192.168.100.1
  10.8.0.2
Connections:
     net-net:  192.168.1.93...192.168.1.118
     net-net:   local:  [moon.strongswan.org] uses pre-shared key authentication
     net-net:   remote: [sun.strongswan.org] uses any authentication
     net-net:   child:  10.1.0.0/16 === 10.2.0.0/16
Security Associations:
     net-net[1]: ESTABLISHED 75 seconds ago,
192.168.1.93[moon.strongswan.org]...192.168.1.118[sun.strongswan.org]
     net-net[1]: IKE SPIs: eb0ceaa5e18cc3d3_i a1a71423b04cec60_r*,
pre-shared key reauthentication in 54 minutes
     net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c91ae2c0_i c755d56e_o
     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 1260 bytes_i (24s ago),
1260 bytes_o (24s ago), rekeying in 14 minutes
     net-net{1}:   10.1.0.0/16 === 10.2.0.0/16

What I don't know is why, when I ping from one side to the other
one, nothing about encryption appears in the tcpdump:

11:58:11.032033 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 4, length 64
11:58:12.032493 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 5, length 64
11:58:13.031936 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 6, length 64
11:58:14.031969 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 7, length 64
11:58:15.032215 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 8, length 64
11:58:16.031937 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 9, length 64
11:58:17.031921 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
seq 10, length 64


Should I add something more for that?

regards,

igorlor

2012/7/6 Martin Willi <martin at strongswan.org>:
> Hello Igor,
>
>> received TS_UNACCEPTABLE notify, no CHILD_SA built
>
>>      leftsubnet=10.2.0.0/16
>>      leftid=@moon.strongswan.org
>>      rightsubnet=10.1.0.0/16
>>      rightid=@sun.strongswan.org
>
>>      leftsubnet=10.2.0.0/16
>>      leftid=@sun.strongswan.org
>>      rightsubnet=10.1.0.0/16
>>      rightid=@moon.strongswan.org
>
> Your left/rightsubnet definitions do not match, both peers claim that
> the 10.2.0.0/16 subnet is theirs. Who should have the 10.2.0.0/16
> subnet, sun or moon?
>
> Regards
> Martin
>
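
The mismatch Martin points out can be checked mechanically before loading a config. The following is an added example, not part of the original thread and not strongSwan code: it parses the two conn fragments quoted above and reports where they fail to mirror each other. It assumes left is the local side on each gateway and attributes each fragment to a gateway by its leftid; the function names are hypothetical.

```python
import ipaddress

# The two conn fragments quoted in the thread (assumption: left = local side).
MOON_CONF = """
conn net-net
     leftsubnet=10.2.0.0/16
     leftid=@moon.strongswan.org
     rightsubnet=10.1.0.0/16
     rightid=@sun.strongswan.org
"""
SUN_CONF = """
conn net-net
     leftsubnet=10.2.0.0/16
     leftid=@sun.strongswan.org
     rightsubnet=10.1.0.0/16
     rightid=@moon.strongswan.org
"""

def parse_conn(text):
    """Return the key=value options of a single conn section as a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def subnets(opts, key):
    """Parse a comma-separated subnet option into a set of networks."""
    raw = opts.get(key, "")
    return {ipaddress.ip_network(s.strip()) for s in raw.split(",") if s.strip()}

def check_mirrored(a, b):
    """List every way peer A's and peer B's definitions fail to mirror."""
    problems = []
    for mine, theirs in (("left", "right"), ("right", "left")):
        for opt in ("subnet", "id"):
            ka, kb = mine + opt, theirs + opt
            va = subnets(a, ka) if opt == "subnet" else a.get(ka)
            vb = subnets(b, kb) if opt == "subnet" else b.get(kb)
            if va != vb:
                problems.append(f"A {ka}={a.get(ka)} but B {kb}={b.get(kb)}")
    # A subnet that is local on both gateways is the case from this thread.
    for net in sorted(subnets(a, "leftsubnet") & subnets(b, "leftsubnet"), key=str):
        problems.append(f"both peers claim {net} as local")
    return problems

if __name__ == "__main__":
    for p in check_mirrored(parse_conn(MOON_CONF), parse_conn(SUN_CONF)):
        print(p)
```
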



