[strongSwan] leftsource ip Config failing in a particular scenario
Mohit Sharma
mohit8805 at gmail.com
Sun Apr 7 08:51:33 CEST 2013
Hi,
In the following particular scenario:
PC 1 (Initiator)
ike=aes128-sha256-modp2048
esp=aes128-sha256-modp2048
leftsourceip=%cfg
rightsubnet=0.0.0.0/0
left=50.50.50.2
right=10.10.10.2
PC2 (Responder)
ike=aes128-sha256-modp2048
esp=aes128-sha1-modp2048
rightsourceip=10.3.4.10/24
leftsubnet=102.2.3.10/32,102.2.3.11/32,102.2.3.12/32
left=10.10.10.2
right=50.50.50.2
When I triggered an SA, only the IKE SA was established, which is correct as
a Phase 2 proposal mismatch occurred.
But when I corrected the esp proposal on PC2, ran ipsec update on
PC2, and again triggered the SA from PC1, as IKE was not destroyed,
CREATE_CHILD was seen, but a TS mismatch occurred, which is unexpected.
LOGS AT INITIATOR
selecting Traffic selector for us
0.0.0.0/0
selecting Traffic selector for other
0.0.0.0/0....
parsed Create_child () TS_MISMATCH...
Now at PC 1 I changed leftsourceip=%cfg,%cfg and ran update, so that the
IKE SA is still intact, and triggered the SA again. This time it formed with
10.3.4.11/32,10.3.4.12/32====102.2.3.10/32,102.2.3.11/32,102.2.3.12/32
Please, if anyone can explain this behaviour: I think the config payload
should have been responded to and a virtual IP should have been allocated
the very first time.
--
Regards
Mohit