[strongSwan] PROBLEM "received TS_UNACCEPTABLE notify, no CHILD_SA built"

Igor Lopez Orbe igorlor at gmail.com
Fri Jul 6 12:11:02 CEST 2012


Sorry, bad tcpdump filter; it works fine:

# tcpdump -i eth0 | grep ESP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:10:00.159139 IP 192.168.1.93 > 192.168.1.118: ESP(spi=0xc2f23b3e,seq=0x1f), length 132
12:10:00.159184 IP 192.168.1.118 > 192.168.1.93: ESP(spi=0xc4ceb00e,seq=0x1f), length 132
12:10:01.159058 IP 192.168.1.93 > 192.168.1.118: ESP(spi=0xc2f23b3e,seq=0x20), length 132
12:10:01.159095 IP 192.168.1.118 > 192.168.1.93: ESP(spi=0xc4ceb00e,seq=0x20), length 132


Thanks again!

regards,

igorlor

2012/7/6 Igor Lopez Orbe <igorlor at gmail.com>:
> Hello Martin,
>
> Thank you so much for your help!
>
> ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.5.2):
>   uptime: 96 seconds, since Jul 06 11:54:20 2012
>   malloc: sbrk 270336, mmap 0, used 250208, free 20128
>   worker threads: 7 idle of 16, job queue load: 0, scheduled events: 2
>   loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
> x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp
> agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve
> socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
> eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
> Listening IP addresses:
>   192.168.1.93
>   10.1.0.1
>   192.168.1.22
>   192.168.122.1
>   192.168.100.1
>   10.8.0.2
> Connections:
>      net-net:  192.168.1.93...192.168.1.118
>      net-net:   local:  [moon.strongswan.org] uses pre-shared key authentication
>      net-net:   remote: [sun.strongswan.org] uses any authentication
>      net-net:   child:  10.1.0.0/16 === 10.2.0.0/16
> Security Associations:
>      net-net[1]: ESTABLISHED 75 seconds ago,
> 192.168.1.93[moon.strongswan.org]...192.168.1.118[sun.strongswan.org]
>      net-net[1]: IKE SPIs: eb0ceaa5e18cc3d3_i a1a71423b04cec60_r*,
> pre-shared key reauthentication in 54 minutes
>      net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>      net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c91ae2c0_i c755d56e_o
>      net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 1260 bytes_i (24s ago),
> 1260 bytes_o (24s ago), rekeying in 14 minutes
>      net-net{1}:   10.1.0.0/16 === 10.2.0.0/16
>
> What I don't know is why, when I ping from one side to the other,
> nothing about encryption appears in the tcpdump
>
> 11:58:11.032033 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 4, length 64
> 11:58:12.032493 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 5, length 64
> 11:58:13.031936 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 6, length 64
> 11:58:14.031969 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 7, length 64
> 11:58:15.032215 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 8, length 64
> 11:58:16.031937 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 9, length 64
> 11:58:17.031921 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 10, length 64
>
>
> Should I add something more for that?
>
> regards,
>
> igorlor
>
> 2012/7/6 Martin Willi <martin at strongswan.org>:
>> Hello Igor,
>>
>>> received TS_UNACCEPTABLE notify, no CHILD_SA built
>>
>>>      leftsubnet=10.2.0.0/16
>>>      leftid=@moon.strongswan.org
>>>      rightsubnet=10.1.0.0/16
>>>      rightid=@sun.strongswan.org
>>
>>>      leftsubnet=10.2.0.0/16
>>>      leftid=@sun.strongswan.org
>>>      rightsubnet=10.1.0.0/16
>>>      rightid=@moon.strongswan.org
>>
>> Your left/rightsubnet definitions do not match, both peers claim that
>> the 10.2.0.0/16 subnet is theirs. Who should have the 10.2.0.0/16
>> subnet, sun or moon?
>>
>> Regards
>> Martin
>>
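A static check for the mismatch Martin points out, added here as an example that is not part of the thread or of strongSwan itself: two conn sections are compared so that peer A's leftsubnet/leftid match peer B's rightsubnet/rightid and vice versa. The ipsec.conf fragments are constructed from the snippets quoted above (SUN_CONF_FIXED is a hypothetical corrected sun side), and the check assumes the usual convention that "left" is the local side on each host.

```python
import ipaddress

# Constructed ipsec.conf fragments modelled on the conn snippets quoted in the
# thread; they are not the poster's complete configuration files.
MOON_CONF = """\
conn net-net
     leftsubnet=10.2.0.0/16
     leftid=@moon.strongswan.org
     rightsubnet=10.1.0.0/16
     rightid=@sun.strongswan.org
"""

SUN_CONF_BROKEN = """\
conn net-net
     leftsubnet=10.2.0.0/16
     leftid=@sun.strongswan.org
     rightsubnet=10.1.0.0/16
     rightid=@moon.strongswan.org
"""

# Hypothetical corrected sun side: its leftsubnet is moon's rightsubnet and vice versa.
SUN_CONF_FIXED = """\
conn net-net
     leftsubnet=10.1.0.0/16
     leftid=@sun.strongswan.org
     rightsubnet=10.2.0.0/16
     rightid=@moon.strongswan.org
"""


def parse_conn(text, name):
    """Extract the key=value settings of one 'conn <name>' section.
    ipsec.conf style: section headers start in column 0, settings are indented."""
    settings = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # a section header line
            parts = line.split()
            in_section = len(parts) == 2 and parts[0] == "conn" and parts[1] == name
            continue
        if in_section and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def subnet_set(settings, key):
    """Parse a comma-separated subnet list into a set of networks (None if unset)."""
    if key not in settings:
        return None
    return frozenset(ipaddress.ip_network(s.strip(), strict=False)
                     for s in settings[key].split(","))


def check_traffic_selectors(conf_a, conf_b, name="net-net"):
    """Return a list of mismatches between peer A's and peer B's conn definitions.

    For a CHILD_SA to be negotiated, A's left side must describe the same subnet
    and identity as B's right side, and vice versa. An empty list means the two
    definitions are mirror images of each other."""
    a = parse_conn(conf_a, name)
    b = parse_conn(conf_b, name)
    problems = []
    for a_key, b_key in (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        a_nets, b_nets = subnet_set(a, a_key), subnet_set(b, b_key)
        if a_nets is None or b_nets is None:
            problems.append(f"{a_key}/{b_key} not set on both peers")
        elif a_nets != b_nets:
            problems.append(f"A {a_key}={sorted(map(str, a_nets))} "
                            f"!= B {b_key}={sorted(map(str, b_nets))}")
    for a_key, b_key in (("leftid", "rightid"), ("rightid", "leftid")):
        if a.get(a_key) != b.get(b_key):
            problems.append(f"A {a_key}={a.get(a_key)} != B {b_key}={b.get(b_key)}")
    # A peer claiming the same range on both sides is a separate, local error.
    a_left, a_right = subnet_set(a, "leftsubnet"), subnet_set(a, "rightsubnet")
    if a_left and a_right and any(l.overlaps(r) for l in a_left for r in a_right):
        problems.append("A: leftsubnet and rightsubnet overlap")
    return problems


if __name__ == "__main__":
    for label, sun in (("broken", SUN_CONF_BROKEN), ("fixed", SUN_CONF_FIXED)):
        print(label, check_traffic_selectors(MOON_CONF, sun) or "OK")
```

With the quoted configs the check reports both subnet pairs as mismatched (both peers claim 10.2.0.0/16 as their own side), which is exactly what the responder turns into a TS_UNACCEPTABLE notify; with the corrected sun side it returns an empty list.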
