[strongSwan] no matching CHILD_SA config found

Rolf Schöpfer rolf at samplezone.ch
Thu May 22 12:18:32 CEST 2014


OK, I compared this with the working Monowall - strongSwan VPN connection:

May 22 11:40:11 development charon: 13[CFG] looking for a child config for 10.10.200.182/32 === 10.10.10.0/24
May 22 11:40:11 development charon: 13[CFG] proposing traffic selectors for us:
May 22 11:40:11 development charon: 13[CFG]  10.10.200.182/32
May 22 11:40:11 development charon: 13[CFG] proposing traffic selectors for other:
May 22 11:40:11 development charon: 13[CFG]  10.10.10.0/24
May 22 11:40:11 development charon: 13[CFG]   candidate "host-szlan" with prio 5+5 <--------------------
May 22 11:40:11 development charon: 13[CFG] found matching child config "host-szlan" with prio 10 <-----------------------

And this is from the non-working Fritzbox - strongSwan VPN:

May 22 11:49:42 development charon: 15[CFG] looking for a child config for 10.10.200.182/32 === 192.186.1.0/24
May 22 11:49:42 development charon: 15[CFG] proposing traffic selectors for us:
May 22 11:49:42 development charon: 15[CFG]  10.10.200.182/32
May 22 11:49:42 development charon: 15[CFG] proposing traffic selectors for other:
May 22 11:49:42 development charon: 15[CFG]  192.168.1.0/24
May 22 11:49:42 development charon: 15[IKE] no matching CHILD_SA config found <---------------- ??
May 22 11:49:44 development charon: 14[IKE] received retransmit of request with ID 2790626486, but no response to retransmit


What is CFG searching for? Here is my output of ipsec statusall:

...
Connections:
   host-szlan:  [xx.xx.xx.xx]...xx.xx.xx.xx  IKEv1
   host-szlan:   local:  [xx.xx.xx.xx] uses pre-shared key authentication
   host-szlan:   remote: [xx.xx.xx.xx] uses pre-shared key authentication
   host-szlan:   child:  10.10.200.182/32 === 10.10.10.0/24 TUNNEL
   host-rslan:  xx.xx.xx.xx...xx.xx.xx.xx  IKEv1
   host-rslan:   local:  [xx.xx.xx.xx] uses pre-shared key authentication
   host-rslan:   remote: [xx.xx.xx.xx] uses pre-shared key authentication
   host-rslan:   child:  10.10.200.182/32 === 192.168.1.0/24 TUNNEL <-----------------
Security Associations (1 up, 0 connecting):
   host-rslan[2]: ESTABLISHED 7 minutes ago, xx.xx.xx.xx[xx.xx.xx.xx]...xx.xx.xx.xx[xx.xx.xx.xx]
   host-rslan[2]: IKEv1 SPIs: a47ba89dc8176417_i 07868acea7ead42a_r*, pre-shared key reauthentication in 49 minutes
   host-rslan[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024


I see a child definition which should match but doesn't. Any ideas?

Thanks

Rolf

On 21.05.2014 19:01, Rolf Schöpfer wrote:
> Hi
>
> It's my second day trying to establish a site2site VPN between fritzbox - strongswan. I did succeed with monowall - strongswan, so it shouldn't be a problem, but unfortunately it is:
>
> May 21 18:54:56 development charon: 16[IKE] received XAuth vendor ID
> May 21 18:54:56 development charon: 16[IKE] received DPD vendor ID
> May 21 18:54:56 development charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
> May 21 18:54:56 development charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
> May 21 18:54:56 development charon: 16[IKE] xx.xx.xx.xx is initiating a Main Mode IKE_SA
> May 21 18:54:56 development charon: 03[IKE] remote host is behind NAT
> May 21 18:54:56 development charon: 02[CFG] looking for pre-shared key peer configs matching xx.xx.xx.xx...xx.xx.xx.xx[xx.xx.xx.xx]
> May 21 18:54:56 development charon: 02[CFG] selected peer config "host-rslan"
> May 21 18:54:56 development charon: 02[IKE] IKE_SA host-rslan[1] established between xx.xx.xx.xx[xx.xx.xx.xx]...xx.xx.xx.xx[xx.xx.xx.xx]
> May 21 18:54:56 development charon: 02[IKE] scheduling reauthentication in 3272s
> May 21 18:54:56 development charon: 02[IKE] maximum IKE_SA lifetime 3452s
> May 21 18:54:56 development charon: 13[IKE] no matching CHILD_SA config found
> May 21 18:54:58 development charon: 14[IKE] received retransmit of request with ID 320192822, but no response to retransmit
> May 21 18:55:02 development charon: 15[IKE] received retransmit of request with ID 320192822, but no response to retransmit
>
> What does this message mean: "no matching CHILD_SA config found"?
>
> Thanks for any help.
>
> Rolf



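An added example, not part of the original post: a small Python check that compares the selectors in charon's "looking for a child config" lines with the `child:` lines of `ipsec statusall`. It assumes the lookup line carries the selectors requested in the exchange and models a match as a plain subset test, which is a simplification of charon's own selection; the sample input is copied from the lines quoted in the post. Run over those lines, it reports that the failing request names 192.186.1.0/24 while host-rslan is configured for 192.168.1.0/24.

```python
import ipaddress
import re

# Sample input: lookup lines and child: lines copied from the post above.
SAMPLE_LOG = """\
May 22 11:40:11 development charon: 13[CFG] looking for a child config for 10.10.200.182/32 === 10.10.10.0/24
May 22 11:49:42 development charon: 15[CFG] looking for a child config for 10.10.200.182/32 === 192.186.1.0/24
"""
SAMPLE_STATUS = """\
   host-szlan:   child:  10.10.200.182/32 === 10.10.10.0/24 TUNNEL
   host-rslan:   child:  10.10.200.182/32 === 192.168.1.0/24 TUNNEL
"""

LOOKUP_RE = re.compile(r"looking for a child config for (\S+) === (\S+)")
CHILD_RE = re.compile(r"^\s*(\S+):\s+child:\s+(\S+) === (\S+)", re.M)


def net(selector):
    """Parse a selector, dropping an optional "[proto/port]" suffix."""
    return ipaddress.ip_network(selector.split("[")[0], strict=False)


def parse_children(status_text):
    """Map connection name -> (local, remote) configured selectors."""
    return {n: (net(l), net(r)) for n, l, r in CHILD_RE.findall(status_text)}


def check_requests(log_text, children):
    """Return (local, remote, matches, near_misses) for each lookup line.

    Assumption: a child matches when both requested selectors lie inside
    the configured ones. A near miss has a matching local selector only.
    """
    results = []
    for l, r in LOOKUP_RE.findall(log_text):
        local, remote = net(l), net(r)
        matches, near = [], []
        for name, (cl, cr) in children.items():
            if local.version != cl.version or remote.version != cr.version:
                continue  # subnet_of() raises on mixed IPv4/IPv6
            if local.subnet_of(cl):
                (matches if remote.subnet_of(cr) else near).append(name)
        results.append((str(local), str(remote), matches, near))
    return results


if __name__ == "__main__":
    children = parse_children(SAMPLE_STATUS)
    for local, remote, matches, near in check_requests(SAMPLE_LOG, children):
        verdict = "matches " + ", ".join(matches) if matches else "NO MATCH"
        print(f"{local} === {remote}: {verdict}")
        for name in ([] if matches else near):
            print(f"  {name} expects remote {children[name][1]}")
```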