[strongSwan] Issue found in strongswan-5.0.1rc1

Robert Lee rleeatgm at gmail.com
Wed Sep 26 07:03:03 CEST 2012


OK, to double check, I also tried the same settings in the 5.0.0 release.
Here are the combinations and results:
5.0.0 carol     <===>  5.0.0 moon:     SUCCESS
5.0.0 carol     <===>  5.0.1rc1 moon:  SUCCESS
5.0.1rc1 carol  <===>  5.0.0 moon:     FAILED
5.0.1rc1 carol  <===>  5.0.1rc1 moon:  FAILED
Looks like the error is being introduced in the 5.0.1rc1 code on the client
part. Or, is 5.0.1rc1 correcting 5.0.0?

moon's ipsec.conf:
    leftsubnet=10.10.10.0/24
    rightsourceip=10.10.10.1
carol's ipsec.conf:
    rightsubnet=0.0.0.0/24

================ SUCCESS ===============
charon: 13[IKE] assigning virtual IP 10.10.10.1 to peer 'carol at strongswan.org'
charon: 13[IKE] CHILD_SA client_1{1} established with SPIs c1429c27_i cf30a61d_o and TS 10.10.10.0/24 === 10.10.10.1/32
charon: 13[ENC] generating IKE_AUTH response 3 [ AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]

================ FAILED ===============
charon: 13[IKE] assigning virtual IP 10.10.10.1 to peer 'carol at strongswan.org'
charon: 13[IKE] traffic selectors 0.0.0.0/24 === 0.0.0.0/0  inacceptable
charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
charon: 13[ENC] generating IKE_AUTH response 3 [ AUTH CP(ADDR) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]

Thank you!
Robert

On Tue, Sep 25, 2012 at 8:36 PM, Richard Andrews <richard.andrews at symstream.com> wrote:

> 0.0.0.0/24 and 10.0.0.0/24 have no address space in common.
>
> On Tue, 2012-09-25 at 17:32 -0700, Robert Lee wrote:
> > Dear StrongSwan Developer,
> >
> > It appears that the server is not doing the TS narrowing. On the
> > server side, I am using leftsubnet=10.10.10.0/24. On the client side,
> > I am using rightsubnet=0.0.0.0/24:
> >
> > charon: 05[IKE] assigning virtual IP 10.10.10.1 to peer 'carol at strongswan.org'
> > charon: 05[IKE] traffic selectors 0.0.0.0/24 === 0.0.0.0/0  inacceptable
> > charon: 05[IKE] failed to establish CHILD_SA, keeping IKE_SA
> > charon: 05[ENC] generating IKE_AUTH response 3 [ AUTH CP(ADDR) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
> >
> > Thank you!
> > Robert
>
>
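
Added example, not part of the thread and not strongSwan code: a simplified model of responder-side traffic selector narrowing (addresses only, no protocol or ports), applied to the selectors from the logs above. The function names are hypothetical, the 0.0.0.0/0 TSr proposal is a constructed input, and narrowing TSi to the assigned virtual IP is an assumption taken from the SUCCESS log line.

```python
import ipaddress

def narrow(proposed, configured):
    """Return the overlap of two CIDR selectors, or None if they are disjoint."""
    p = ipaddress.ip_network(proposed)
    c = ipaddress.ip_network(configured)
    if not p.overlaps(c):
        return None
    # CIDR blocks either nest or are disjoint, so the overlap
    # is always the block with the longer prefix.
    return p if p.prefixlen >= c.prefixlen else c

def negotiate(tsi_proposed, tsr_proposed,
              virtual_ip="10.10.10.1",         # moon: rightsourceip
              local_subnet="10.10.10.0/24"):   # moon: leftsubnet
    """Model of the responder's decision.

    Returns (TSr, TSi) as strings in the order charon logs them
    (local === remote), or None when either selector narrows to
    nothing, which is the case answered with TS_UNACCEPTABLE.
    """
    tsr = narrow(tsr_proposed, local_subnet)   # what the peer may reach behind moon
    tsi = narrow(tsi_proposed, virtual_ip)     # what the peer may send from
    if tsr is None or tsi is None:
        return None
    return (str(tsr), str(tsi))

if __name__ == "__main__":
    cases = [
        # (label, TSi proposed, TSr proposed)
        ("from FAILED log", "0.0.0.0/0", "0.0.0.0/24"),
        ("constructed: full range", "0.0.0.0/0", "0.0.0.0/0"),
        ("constructed: half of leftsubnet", "0.0.0.0/0", "10.10.10.128/25"),
    ]
    for label, tsi, tsr in cases:
        result = negotiate(tsi, tsr)
        if result is None:
            print(f"{label}: TS {tsr} === {tsi} -> TS_UNACCEPTABLE")
        else:
            print(f"{label}: TS {result[0]} === {result[1]}")
```

The first case has no overlap between 0.0.0.0/24 and 10.10.10.0/24, so there is nothing to narrow to; the second yields the same selector pair as the SUCCESS log.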