[strongSwan] Fw: TS_UNACCEPTABLE, no CHILD_SA built
nocontrol at gmx.net
nocontrol at gmx.net
Thu Jun 6 10:56:35 CEST 2013
[resent as plaintext mail]
Hello
I am facing a problem with setting up a tunnel between a roadwarrior behind a NAT to an internet based ubuntu server:
[roadwarrior (behind nat), strongswan 5.0.4] [>---> tunnel >--->] [ubuntu, strongswan 5.0.0]
ikev2, psk
Please take a look at my log files, I get these errors:
serverside:
Jun 6 09:16:15 kvm21729 charon: 16[IKE] traffic selectors 0.0.0.0/0 === 192.168.67.176/32 inacceptable
Jun 6 09:16:15 kvm21729 charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
clientside:
14[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
14[IKE] failed to establish CHILD_SA, keeping IKE_SA
Do you know what to fix?
Are my ipsec.conf files OK?
Where do I find more information about TS_UNACCEPTABLE?
Roadwarrior Config:
-------------------------------------------
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
conn myconn
left=%defaultroute
leftid=myuser
leftfirewall=no
right=vpn.xxx.net
rightsubnet=0.0.0.0/0
type=tunnel
auto=add
-------------------------------------------
Ubuntu Server Config:
conn mint
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
left=%defaultroute
leftfirewall=yes
right=%any
auto=add
-------------------------------------------
Client Output
--------------------------
00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.5.0-17-generic, i686)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded IKE secret for %any
00[CFG] loaded EAP secret for xxx
00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
00[JOB] spawning 16 worker threads
charon (2753) started after 220 ms
09[CFG] received stroke: add connection 'myconn'
09[CFG] left nor right host is our side, assuming left=local
09[CFG] added configuration 'myconn'
11[CFG] received stroke: initiate 'myconn'
12[IKE] initiating IKE_SA myconn[1] to 1xx.2xx.51.27
12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[NET] sending packet: from 192.168.67.176[500] to 1xx.2xx.51.27[500] (708 bytes)
13[NET] received packet: from 1xx.2xx.51.27[500] to 192.168.67.176[500] (440 bytes)
13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
13[IKE] local host is behind NAT, sending keep alives
13[IKE] authentication of 'myuser' (myself) with pre-shared key
13[IKE] establishing CHILD_SA myconn
13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
13[NET] sending packet: from 192.168.67.176[4500] to 1xx.2xx.51.27[4500] (412 bytes)
14[NET] received packet: from 1xx.2xx.51.27[4500] to 192.168.67.176[4500] (156 bytes)
14[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
14[IKE] authentication of 'vpn.xxx.net' with pre-shared key successful
14[IKE] IKE_SA myconn[1] established between 192.168.67.176[id_xxx]...1xx.2xx.51.27[vpn.xxx.net]
14[IKE] scheduling reauthentication in 3241s
14[IKE] maximum IKE_SA lifetime 3421s
14[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
14[IKE] failed to establish CHILD_SA, keeping IKE_SA
14[IKE] received AUTH_LIFETIME of 3312s, scheduling reauthentication in 3132s
14[IKE] peer supports MOBIKE
09[IKE] sending keep alive to 1xx.2xx.51.27[4500]
--------------------------
--------------------------
client --nofork output
--------------------------
initiating IKE_SA myconn[1] to 1xx.2xx.51.27
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.67.176[500] to 1xx.2xx.51.27[500] (708 bytes)
received packet: from 1xx.2xx.51.27[500] to 192.168.67.176[500] (440 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
authentication of 'myuser' (myself) with pre-shared key
establishing CHILD_SA myconn
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.67.176[4500] to 1xx.2xx.51.27[4500] (412 bytes)
received packet: from 1xx.2xx.51.27[4500] to 192.168.67.176[4500] (156 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
authentication of 'vpn.xxx.net' with pre-shared key successful
IKE_SA myconn[1] established between 192.168.67.176[myuser]...1xx.2xx.51.27[vpn.xxx.net]
scheduling reauthentication in 3241s
maximum IKE_SA lifetime 3421s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'myconn' failed
-------------------------------------------------------
-------------------------------------------------------
server - syslog
-------------------------------------------------------
Jun 6 09:16:15 kvm21729 charon: 16[CFG] looking for peer configs matching 1xx.2xx.51.27[vpn.xxx.net]...195.65.221.149[myuser]
Jun 6 09:16:15 kvm21729 kernel: [1850459.360251] [UFW AUDIT] IN=eth0 OUT= MAC=52:54:00:27:59:87:74:8e:f8:ce:9f:1e:08:00 SRC=195.65.221.149 DST=1xx.2xx.51.27 LEN=444 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=43292 DPT=4500 LEN=424
Jun 6 09:16:15 kvm21729 kernel: [1850459.362679] [UFW AUDIT] IN= OUT=eth0 SRC=1xx.2xx.51.27 DST=91.227.204.227 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=52288 DF PROTO=UDP SPT=56795 DPT=53 LEN=47
Jun 6 09:16:15 kvm21729 kernel: [1850459.362689] [UFW ALLOW] IN= OUT=eth0 SRC=1xx.2xx.51.27 DST=91.227.204.227 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=52288 DF PROTO=UDP SPT=56795 DPT=53 LEN=47
Jun 6 09:16:15 kvm21729 charon: 16[CFG] selected peer config 'mint'
Jun 6 09:16:15 kvm21729 charon: 16[IKE] authentication of 'myuser' with pre-shared key successful
Jun 6 09:16:15 kvm21729 charon: 16[IKE] peer supports MOBIKE
Jun 6 09:16:15 kvm21729 charon: 16[IKE] authentication of 'vpn.xxx.net' (myself) with pre-shared key
Jun 6 09:16:15 kvm21729 charon: 16[IKE] IKE_SA mint[5] established between 1xx.2xx.51.27[vpn.xxx.net]...195.65.221.149[myuser]
Jun 6 09:16:15 kvm21729 charon: 16[IKE] scheduling reauthentication in 3312s
Jun 6 09:16:15 kvm21729 charon: 16[IKE] maximum IKE_SA lifetime 3492s
Jun 6 09:16:15 kvm21729 charon: 16[IKE] traffic selectors 0.0.0.0/0 === 192.168.67.176/32 inacceptable
Jun 6 09:16:15 kvm21729 charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 6 09:16:15 kvm21729 charon: 16[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
Jun 6 09:16:15 kvm21729 charon: 16[NET] sending packet: from 1xx.2xx.51.27[4500] to 195.65.221.149[43292]
Jun 6 09:16:28 kvm21729 kernel: [1850472.218518] [UFW AUDIT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:52:54:00:46:40:69:08:00 SRC=1xx.2xx.50.187 DST=255.255.255.255 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5678 DPT=5678 LEN=97
Jun 6 09:16:28 kvm21729 kernel: [1850472.650618] [UFW AUDIT] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:52:54:00:27:36:a1:08:00 SRC=1xx.2xx.50.137 DST=255.255.255.255 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5678 DPT=5678 LEN=97
More information about the Users
mailing list