[strongSwan] TS_UNACCEPTABLE in IKEv2
Ali Masoudi
masoudi1983 at gmail.com
Tue Feb 26 10:49:55 CET 2013
Hi,

I have this simple question about IKEv2. I searched the mailing list,
but I found nothing.

Can I have two tunnels between two endpoints in IKEv2, like IKEv1 with
the same IKE_SA but different subnets (CHILD_SAs)?

I used the config below but it didn't work. It gave me a TS_UNACCEPTABLE
error during the "create CHILD_SA" phase. I know I can use multiple
subnets in one configuration for a tunnel in IKEv2, but is it still
possible to configure tunnels in the old way, as in IKEv1? Am I missing
something about configuring IKEv2 tunnels?

If I put multiple subnets separated by commas in the config, is there any
way to put subnets in pairs instead of a full mesh? I want to have fewer
policies installed in the kernel.

Thank you so much in advance.

Ali
Config:
##########################################################
################### IPsec Config File ########################
##########################################################
config setup
    uniqueids="no"
    strictcrlpolicy="no"

conn %default
    keyingtries="%forever"
    leftsendcert="always"
##########################################################
##########################################################
conn test1
    authby="psk"
    auto="start"
    type="tunnel"
    compress="no"
    rekeymargin="4s"
    left="192.168.20.175"
    leftid="192.168.20.175"
    leftsubnet="192.168.100.0/24"
    right="192.168.20.176"
    rightid="192.168.20.176"
    rightsubnet="192.168.200.0/24"
    ike="aes256-md5-modp4096!"
    esp="3des-sha1-modp1024!"
    keylife="1m"
    ikelifetime="5m"
    keyexchange="ikev2"
##########################################################
##########################################################
conn test2
    authby="psk"
    auto="start"
    type="tunnel"
    compress="no"
    rekeymargin="8s"
    left="192.168.20.175"
    leftid="192.168.20.175"
    leftsubnet="192.168.1.0/24"
    right="192.168.20.176"
    rightid="192.168.20.176"
    rightsubnet="192.168.2.0/24"
    ike="aes256-md5-modp4096!"
    esp="aes256-sha1-modp1024!"
    keylife="1m"
    ikelifetime="5m"
    keyexchange="ikev2"
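
Added example, not part of the original post: it compares the subnet pairs covered by the two separate conns above with those covered by a single conn listing all subnets separated by commas. In IKEv2 a CHILD_SA with several TSi and TSr ranges covers every TSi/TSr combination, so the merged form also covers the cross pairs returned by `extra_pairs`. The function names and the trimmed, constructed sample config are assumptions of this example.

```python
import ipaddress
from itertools import product

# Constructed sample: only the subnet lines of the two conns in the post.
SAMPLE_CONF = """\
conn test1
    leftsubnet="192.168.100.0/24"
    rightsubnet="192.168.200.0/24"
conn test2
    leftsubnet="192.168.1.0/24"
    rightsubnet="192.168.2.0/24"
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section headers start in column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns

def subnets(value):
    """Split a comma-separated subnet list into ip_network objects."""
    return [ipaddress.ip_network(s.strip()) for s in value.split(",") if s.strip()]

def selector_pairs(conns):
    """Subnet pairs covered when each conn is negotiated as its own CHILD_SA."""
    pairs = set()
    for c in conns.values():
        if "leftsubnet" in c and "rightsubnet" in c:
            pairs |= set(product(subnets(c["leftsubnet"]), subnets(c["rightsubnet"])))
    return pairs

def merged_pairs(conns):
    """Subnet pairs covered if all subnets were merged into one conn."""
    lefts = {n for c in conns.values() for n in subnets(c.get("leftsubnet", ""))}
    rights = {n for c in conns.values() for n in subnets(c.get("rightsubnet", ""))}
    return set(product(lefts, rights))

def extra_pairs(conns):
    """Pairs the merged form would cover that no individual conn asks for."""
    return sorted(merged_pairs(conns) - selector_pairs(conns), key=str)
```

For the two conns in the post the separate form covers 2 subnet pairs and the merged form 4; the 2 extra pairs are traffic paths nobody configured on purpose, which matters for least-privilege policy as well as for policy count.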