[strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

Dharrshen ( N'osairis ) dharrshen at nosairis.com
Mon Jun 12 10:10:17 CEST 2017


Hi Everyone,

I'm in the midst of building an IPsec tunnel towards a Mikrotik router.
Phase 1 IKE establishes successfully but Phase 2 CHILD_SA fails. Kindly
advise me on the failing point.

My strongSwan config is as below:

package strongswan

config general 'general'
        option strictcrlpolicy 'no'
        option cachecrls 'no'
        option crlcheckinterval '0'
        option uniqueids 'yes'
        option enabled '1'
        option keepalive '30'
        option debug 'all'

config connection
        option ikeversion '2'
        option enabled 'yes'
        option name 'VPNHUB01'
        option waniface 'wan1 wan2'
        option locallan '11.11.11.1'
        option locallanmask '255.255.255.0'
        option remoteaddress '103.54.93.45'
        option remotelan '12.12.12.1'
        option remotelanmask '255.255.255.0'
        option type 'tunnel'
        option dpdaction 'restart'
        option dpddelay '30s'
        option dpdtimeout '120s'
        option ike 'aes128-sha1-modp1024'
        option esp 'aes128-sha1'
        option ikelifetime '24h'
        option rekeymargin '9m'
        option keylife '8h'
        option keyingtries '%forever'
        option auto 'start'
        option authby 'psk'

config secret
        option enabled 'yes'
        option remoteaddress '103.54.93.45'
        option secret 'cisco'
        option secrettype 'psk'



Log lines:

Jun 12 14:48:37 daemon.info 00E0C813015C ipsec: 11[IKE] <VPNHUB01|1>
initiating IKE_SA VPNHUB01[1] to 103.54.93.45
Jun 12 14:48:37 daemon.info 00E0C813015C ipsec: 11[ENC] <VPNHUB01|1>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 12 14:48:37 daemon.info 00E0C813015C ipsec: 11[NET] <VPNHUB01|1>
sending packet: from 10.8.162.93[500] to 103.54.93.45[500] (564 bytes)
Jun 12 14:48:38 daemon.info 00E0C813015C ipsec: 12[NET] <VPNHUB01|1>
received packet: from 103.54.93.45[500] to 10.8.162.93[500] (296 bytes)
Jun 12 14:48:38 daemon.info 00E0C813015C ipsec: 12[ENC] <VPNHUB01|1> parsed
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 12 14:48:38 daemon.info 00E0C813015C ipsec: 12[IKE] <VPNHUB01|1> local
host is behind NAT, sending keep alives
Jun 12 14:48:38 daemon.info 00E0C813015C ipsec: 12[IKE] <VPNHUB01|1>
authentication of '10.8.162.93' (myself) with pre-shared key
Jun 12 14:48:38 daemon.info 00E0C813015C ipsec: 12[IKE] <VPNHUB01|1>
establishing CHILD_SA VPNHUB01
Jun 12 14:48:38 daemon.info 00E0C813015C ipsec: 12[ENC] <VPNHUB01|1>
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
Jun 12 14:48:39 daemon.info 00E0C813015C ipsec: 12[NET] <VPNHUB01|1>
sending packet: from 10.8.162.93[4500] to 103.54.93.45[4500] (348 bytes)
Jun 12 14:48:43 daemon.info 00E0C813015C ipsec: 08[IKE] <VPNHUB01|1>
retransmit 1 of request with message ID 1
Jun 12 14:48:43 daemon.info 00E0C813015C ipsec: 08[NET] <VPNHUB01|1>
sending packet: from 10.8.162.93[4500] to 103.54.93.45[4500] (348 bytes)
Jun 12 14:48:50 daemon.info 00E0C813015C ipsec: 11[IKE] <VPNHUB01|1>
retransmit 2 of request with message ID 1
Jun 12 14:48:50 daemon.info 00E0C813015C ipsec: 11[NET] <VPNHUB01|1>
sending packet: from 10.8.162.93[4500] to 103.54.93.45[4500] (348 bytes)
Jun 12 14:48:51 daemon.info 00E0C813015C ipsec: 12[NET] <VPNHUB01|1>
received packet: from 103.54.93.45[4500] to 10.8.162.93[4500] (348 bytes)
Jun 12 14:48:51 daemon.info 00E0C813015C ipsec: 12[ENC] <VPNHUB01|1> parsed
IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
Jun 12 14:48:51 daemon.info 00E0C813015C ipsec: 12[IKE] <VPNHUB01|1>
authentication of '103.54.93.45' with pre-shared key successful
Jun 12 14:48:51 daemon.info 00E0C813015C ipsec: 12[IKE] <VPNHUB01|1> IKE_SA
VPNHUB01[1] established between 10.8.162.93[10.8.162.93]...
103.54.93.45[103.54.93.45]
Jun 12 14:48:51 daemon.info 00E0C813015C ipsec: 12[IKE] <VPNHUB01|1>
scheduling rekeying in 85411s
Jun 12 14:48:51 daemon.info 00E0C813015C ipsec: 12[IKE] <VPNHUB01|1>
maximum IKE_SA lifetime 85951s
Jun 12 14:48:51 daemon.info 00E0C813015C ipsec: 12[IKE] <VPNHUB01|1>
received TS_UNACCEPTABLE notify, no CHILD_SA built
Jun 12 14:48:51 daemon.info 00E0C813015C ipsec: 12[IKE] <VPNHUB01|1> failed
to establish CHILD_SA, keeping IKE_SA
Jun 12 14:49:21 daemon.info 00E0C813015C ipsec: 11[IKE] <VPNHUB01|1>
establishing CHILD_SA VPNHUB01
Jun 12 14:49:21 daemon.info 00E0C813015C ipsec: 11[ENC] <VPNHUB01|1>
generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
Jun 12 14:49:21 daemon.info 00E0C813015C ipsec: 11[NET] <VPNHUB01|1>
sending packet: from 10.8.162.93[4500] to 103.54.93.45[4500] (300 bytes)
Jun 12 14:49:22 daemon.info 00E0C813015C ipsec: 10[NET] <VPNHUB01|1>
received packet: from 103.54.93.45[4500] to 10.8.162.93[4500] (220 bytes)
Jun 12 14:49:22 daemon.info 00E0C813015C ipsec: 10[ENC] <VPNHUB01|1> parsed
CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
Jun 12 14:49:22 daemon.info 00E0C813015C ipsec: 10[IKE] <VPNHUB01|1>
received TS_UNACCEPTABLE notify, no CHILD_SA built
Jun 12 14:49:22 daemon.info 00E0C813015C ipsec: 10[IKE] <VPNHUB01|1> failed
to establish CHILD_SA, keeping IKE_SA
Jun 12 14:49:45 daemon.info 00E0C813015C ipsec: 10[IKE] <VPNHUB01|1>
sending keep alive to 103.54.93.45[4500]
Jun 12 14:49:52 daemon.info 00E0C813015C ipsec: 11[IKE] <VPNHUB01|1>
sending DPD request
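
A log-triage example for the failure shown in this post, added here and not part of the original message or of strongSwan's own tooling: it unwraps the mail-wrapped syslog records, reports which exchanges the peer refused with a traffic-selector notify, and normalises the `locallan`/`remotelan` option values into the networks they describe. How this firmware turns those options into TSi/TSr is not shown on the page and is assumed here; the function names are hypothetical.

```python
import ipaddress
import re

# Excerpt of the post's log, still wrapped the way the mail archive shows it.
LOG = """\
Jun 12 14:48:51 daemon.info 00E0C813015C ipsec: 12[ENC] <VPNHUB01|1> parsed
IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
Jun 12 14:48:51 daemon.info 00E0C813015C ipsec: 12[IKE] <VPNHUB01|1>
authentication of '103.54.93.45' with pre-shared key successful
Jun 12 14:48:51 daemon.info 00E0C813015C ipsec: 12[IKE] <VPNHUB01|1> IKE_SA
VPNHUB01[1] established between 10.8.162.93[10.8.162.93]...
103.54.93.45[103.54.93.45]
Jun 12 14:49:22 daemon.info 00E0C813015C ipsec: 10[ENC] <VPNHUB01|1> parsed
CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
"""
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
PARSED = re.compile(r"<(?P<conn>[^|>]+)\|\d+> parsed (?P<xchg>\w+) response "
                    r"(?P<mid>\d+) \[ (?P<payloads>[^\]]*)\]")

def unwrap(text):
    """Join continuation lines (no syslog timestamp) onto their record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Report what the peer accepted and which exchanges it refused over TS."""
    out = {"peer_authenticated": False, "ike_sa_established": False, "rejected": []}
    for rec in unwrap(text):
        out["peer_authenticated"] |= "pre-shared key successful" in rec
        out["ike_sa_established"] |= bool(re.search(r"IKE_SA \S+ established", rec))
        m = PARSED.search(rec)
        if m and "TS_UNACCEPT" in re.findall(r"N\((\w+)\)", m["payloads"]):
            out["rejected"].append((m["conn"], m["xchg"], int(m["mid"])))
    return out

def selector(addr, mask):
    """Network an address/netmask option pair describes (assumed TS source)."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

if __name__ == "__main__":
    print(triage(LOG))
    # Option values from the post's config (locallan/remotelan and their masks).
    print(selector("11.11.11.1", "255.255.255.0"), selector("12.12.12.1", "255.255.255.0"))
```

With the peer authenticated and the IKE_SA established, a TS_UNACCEPTABLE notify in both IKE_AUTH and CREATE_CHILD_SA means only the proposed traffic selectors were refused, so the networks returned by `selector` are the values to compare against the peer's IPsec policy.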