[strongSwan] Inacceptable Traffic selectors...
Dan Cook
onedsc at gmail.com
Sat Aug 31 02:37:47 CEST 2013
I am trying to track down a connection issue and I tracked it down to an
"inacceptable" traffic selector error on a transport connection with the
route=auto.
What is very strange is I can bring the connection up manually using the
"ipsec up" command and the connection is established.
I am really stumped on this one...
I am using 5.1.0 in transport mode with the following config.
# basic configuration
config setup
    strictcrlpolicy=no
    uniqueids=no
Here are my connection defaults:
# Default connection attributes for ipsec.conf
#
conn %default
    authby=secret
    mobike=no
    closeaction=none
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=150s
    inactivity=30m
    ikelifetime=3h
    keyexchange=ikev2
    keyingtries=3
    lifetime=1h
    reauth=yes
    rekey=yes
    margintime=9m
    esp=aes256!
    ike=aes256-sha384-prfsha384-ecp384!
    forceencaps=yes
    type=transport
    auto=route
Here are the connections in question:
conn 4.6.3000.10-98-108-194.0
    left=%any
    leftid=a27
    leftprotoport=6/3000
    rightid=a26
    right=10.98.108.194
    rightprotoport=6/%any
I should note there are other connections in transport mode to this server
on port 80 and 3306 and they are connected without issue.
2013-08-30T17:22:03-0700 01[MGR] checkout IKE_SA
2013-08-30T17:22:03-0700 01[MGR] IKE_SA 4.17.0.10-98-108-199.11211[6] successfully checked out
2013-08-30T17:22:03-0700 01[KNL] querying policy 10.98.108.199/32[tcp/11211] === 10.98.108.195/32[tcp] in (mark 0/0x00000000)
2013-08-30T17:22:03-0700 01[MGR] checkin IKE_SA 4.17.0.10-98-108-199.11211[6]
2013-08-30T17:22:03-0700 01[MGR] check-in of IKE_SA successful.
2013-08-30T17:22:03-0700 09[NET] received packet: from 10.98.108.194[4500] to 10.98.108.195[4500]
2013-08-30T17:22:03-0700 09[NET] waiting for data on sockets
2013-08-30T17:22:03-0700 16[MGR] checkout IKE_SA by message
2013-08-30T17:22:03-0700 16[MGR] IKE_SA 4.6.80.10-98-108-194.0[5] successfully checked out
2013-08-30T17:22:03-0700 16[NET] received packet: from 10.98.108.194[4500] to 10.98.108.195[4500] (248 bytes)
2013-08-30T17:22:03-0700 16[ENC] parsed CREATE_CHILD_SA request 99 [ N(USE_TRANSP) SA No TSi TSr ]
2013-08-30T17:22:03-0700 16[CFG] looking for a child config for 10.98.108.195/32[tcp/3000] === 10.98.108.194/32[tcp]
2013-08-30T17:22:03-0700 16[CFG] looking for a child config for 10.98.108.195/32[tcp/3000] === 10.98.108.194/32[tcp]
2013-08-30T17:22:03-0700 16[IKE] traffic selectors 10.98.108.195/32[tcp/3000] === 10.98.108.194/32[tcp] inacceptable
2013-08-30T17:22:03-0700 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
2013-08-30T17:22:03-0700 16[ENC] generating CREATE_CHILD_SA response 99 [ N(TS_UNACCEPT) ]
2013-08-30T17:22:03-0700 16[NET] sending packet: from 10.98.108.195[4500] to 10.98.108.194[4500] (88 bytes)
2013-08-30T17:22:03-0700 06[NET] sending packet: from 10.98.108.195[4500] to 10.98.108.194[4500]
2013-08-30T17:22:03-0700 16[MGR] checkin IKE_SA 4.6.80.10-98-108-194.0[5]
2013-08-30T17:22:03-0700 16[MGR] check-in of IKE_SA successful.
Any suggestions as to why the connection will not come up by itself?
Regards,
Dan Cook
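Added illustration (not part of Dan's post and not strongSwan code): a small Python model of what a responder does with the TSi/TSr pair in a CREATE_CHILD_SA request. It narrows the proposed selectors against a conn's left/right and leftprotoport/rightprotoport, and an empty intersection on either side is what produces the TS_UNACCEPTABLE notify seen in the log. The selectors are taken from the log line above; the conn definitions are reconstructed from the post, and the port-80 conn (CONN_80_ASSUMED) is an assumption, since the post says such a conn exists but does not show it. Note that the log shows the request being handled on the IKE_SA named 4.6.80.10-98-108-194.0, so the model checks the same proposal against both conns separately.

```python
import ipaddress
import re
from dataclasses import dataclass

# Protocol names as they appear in strongSwan's log output.
PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}
PROTO_NUMS = {v: k for k, v in PROTO_NAMES.items()}


@dataclass(frozen=True)
class TrafficSelector:
    """IPv4 selector: network, protocol (0 = any) and inclusive port range."""
    net: ipaddress.IPv4Network
    proto: int
    port_lo: int
    port_hi: int

    def __str__(self):
        # Render in the same shape strongSwan logs, e.g. 10.0.0.1/32[tcp/3000]
        text = str(self.net)
        if self.proto:
            text += "[" + PROTO_NUMS.get(self.proto, str(self.proto))
            if (self.port_lo, self.port_hi) != (0, 65535):
                text += "/" + str(self.port_lo)
                if self.port_hi != self.port_lo:
                    text += "-" + str(self.port_hi)
            text += "]"
        return text


def parse_log_ts(text):
    """Parse a logged selector such as '10.98.108.195/32[tcp/3000]' or '10.98.108.194/32[tcp]'."""
    net_part, _, rest = text.partition("[")
    net = ipaddress.ip_network(net_part, strict=False)
    proto, lo, hi = 0, 0, 65535
    if rest:
        pname, _, port = rest.rstrip("]").partition("/")
        proto = PROTO_NAMES.get(pname) or int(pname)
        if port:
            a, _, b = port.partition("-")
            lo, hi = int(a), int(b or a)
    return TrafficSelector(net, proto, lo, hi)


def parse_conf_ts(addr, protoport=""):
    """Build a selector from ipsec.conf left/right and leftprotoport/rightprotoport ('6/3000', '6/%any', '')."""
    net = ipaddress.ip_network("0.0.0.0/0") if addr == "%any" else ipaddress.ip_network(addr, strict=False)
    proto, lo, hi = 0, 0, 65535
    if protoport:
        p, _, port = protoport.partition("/")
        proto = PROTO_NAMES.get(p.lower()) or int(p)   # ipsec.conf accepts names or numbers
        if port and port != "%any":
            lo = hi = int(port)
    return TrafficSelector(net, proto, lo, hi)


def narrow(proposed, configured):
    """Intersect a proposed selector with a configured one; None means no overlap."""
    if proposed.proto and configured.proto and proposed.proto != configured.proto:
        return None
    lo, hi = max(proposed.port_lo, configured.port_lo), min(proposed.port_hi, configured.port_hi)
    if lo > hi:
        return None
    if proposed.net.subnet_of(configured.net):
        net = proposed.net
    elif configured.net.subnet_of(proposed.net):
        net = configured.net
    else:
        return None
    return TrafficSelector(net, proposed.proto or configured.proto, lo, hi)


def check_proposal(tsi, tsr, conn):
    """Return the narrowed (local, remote) pair for a conn, or None (-> TS_UNACCEPTABLE)."""
    local = narrow(parse_log_ts(tsi), parse_conf_ts(conn["left"], conn.get("leftprotoport", "")))
    remote = narrow(parse_log_ts(tsr), parse_conf_ts(conn["right"], conn.get("rightprotoport", "")))
    if local is None or remote is None:
        return None
    return local, remote


LOG_TS = re.compile(r"traffic selectors (\S+) === (\S+) inacceptable")


def ts_from_log_line(line):
    """Pull the selector pair out of an 'inacceptable' log line, or None if the line is something else."""
    m = LOG_TS.search(line)
    return (m.group(1), m.group(2)) if m else None


# Constructed sample: the log line from the post with the mail-client link residue removed.
SAMPLE_LINE = ("2013-08-30T17:22:03-0700 16[IKE] traffic selectors "
               "10.98.108.195/32[tcp/3000] === 10.98.108.194/32[tcp] inacceptable")

# Conn from the post.
CONN_3000 = {"left": "%any", "leftprotoport": "6/3000",
             "right": "10.98.108.194", "rightprotoport": "6/%any"}
# Assumed shape of the port-80 conn the post mentions but does not show.
CONN_80_ASSUMED = {"left": "%any", "leftprotoport": "6/80",
                   "right": "10.98.108.194", "rightprotoport": "6/%any"}

if __name__ == "__main__":
    tsi, tsr = ts_from_log_line(SAMPLE_LINE)
    for name, conn in (("conn 3000", CONN_3000), ("conn 80 (assumed)", CONN_80_ASSUMED)):
        result = check_proposal(tsi, tsr, conn)
        print(name, "->", "TS_UNACCEPTABLE" if result is None else " === ".join(map(str, result)))
```

Running it shows the proposal narrowing cleanly against the port-3000 conn and failing against the assumed port-80 conn, which is the check worth doing by hand whenever a responder logs a selector pair as inacceptable: compare the pair against the conn the IKE_SA was actually checked out for, not only against the conn you expect it to hit.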