[strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Jun 13 19:26:25 CEST 2017
Hello,
On 12.06.2017 10:10, Dharrshen ( N'osairis ) wrote:
>
> config connection
> option ikeversion '2'
> option enabled 'yes'
> option name 'VPNHUB01'
> option waniface 'wan1 wan2'
> option locallan '11.11.11.1'
> option locallanmask '255.255.255.0'
> option remoteaddress '103.54.93.45'
> option remotelan '12.12.12.1'
> option remotelanmask '255.255.255.0'
> option type 'tunnel'
> option dpdaction 'restart'
> option dpddelay '30s'
> option dpdtimeout '120s'
> option ike 'aes128-sha1-modp1024'
> option esp 'aes128-sha1'
> option ikelifetime '24h'
> option rekeymargin '9m'
> option keylife '8h'
> option keyingtries '%forever'
> option auto 'start'
> option authby 'psk'
>
> config secret
> option enabled 'yes'
> option remoteaddress '103.54.93.45'
> option secret 'cisco'
> option secrettype 'psk'
>
>
>
You might have a lot of trouble getting this to work with OpenWRT and the default firewall. Write your own rules, don't use LuCI.
Also: use auto=route, not auto=start, and make sure to use better ciphers and KEX algorithms.
I hope that isn't your actual PSK. It's very weak and I guess anybody can brute-force it under 5 tries.
> Log lines:
>
> Jun 12 14:49:22 daemon.info 00E0C813015C ipsec: 10[NET] <VPNHUB01|1> received packet: from 103.54.93.45[4500] to 10.8.162.93[4500] (220 bytes)
> Jun 12 14:49:22 daemon.info 00E0C813015C ipsec: 10[ENC] <VPNHUB01|1> parsed CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
> Jun 12 14:49:22 daemon.info 00E0C813015C ipsec: 10[IKE] <VPNHUB01|1> received TS_UNACCEPTABLE notify, no CHILD_SA built
> Jun 12 14:49:22 daemon.info 00E0C813015C ipsec: 10[IKE] <VPNHUB01|1> failed to establish CHILD_SA, keeping IKE_SA
> Jun 12 14:49:45 daemon.info 00E0C813015C ipsec: 10[IKE] <VPNHUB01|1> sending keep alive to 103.54.93.45[4500]
> Jun 12 14:49:52 daemon.info 00E0C813015C ipsec: 11[IKE] <VPNHUB01|1> sending DPD request
>
The remote peer sends you an error indicating the leftsubnet and rightsubnet parameters are invalid. Verify the settings
and/or ask the remote peer for logs.
Kind regards,
Noel
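As an added example (not code from the thread or from strongSwan itself), a small Python check for the mismatch Noel points at: it turns the quoted address/netmask options into the CIDR traffic selectors strongSwan will propose, tests whether a peer's configuration overlaps them at all (PEER_CFG is a constructed, deliberately mismatched peer), and counts TS_UNACCEPTABLE notifies per connection in the quoted log lines.

```python
import ipaddress
import re

# Constructed sample: the traffic-selector options from the OpenWrt-style
# "config connection" block in the thread (host address + netmask form).
LOCAL_CFG = {
    "locallan": "11.11.11.1", "locallanmask": "255.255.255.0",
    "remotelan": "12.12.12.1", "remotelanmask": "255.255.255.0",
}
# Constructed sample: a remote peer whose "remote" side points at a different
# network than our local LAN, so no traffic selector overlap exists.
PEER_CFG = {
    "locallan": "12.12.12.0", "locallanmask": "255.255.255.0",
    "remotelan": "11.11.12.0", "remotelanmask": "255.255.255.0",
}
# Log lines quoted in the thread (mailer link residue removed).
LOG = """\
Jun 12 14:49:22 daemon.info 00E0C813015C ipsec: 10[ENC] <VPNHUB01|1> parsed CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
Jun 12 14:49:22 daemon.info 00E0C813015C ipsec: 10[IKE] <VPNHUB01|1> received TS_UNACCEPTABLE notify, no CHILD_SA built
Jun 12 14:49:22 daemon.info 00E0C813015C ipsec: 10[IKE] <VPNHUB01|1> failed to establish CHILD_SA, keeping IKE_SA
Jun 12 14:49:45 daemon.info 00E0C813015C ipsec: 10[IKE] <VPNHUB01|1> sending keep alive to 103.54.93.45[4500]
"""

def traffic_selectors(cfg):
    """Return the (left, right) CIDR pair strongSwan will propose as traffic
    selectors. strict=False masks off host bits, so '11.11.11.1' with
    '255.255.255.0' becomes '11.11.11.0/24'."""
    local = ipaddress.ip_network(f"{cfg['locallan']}/{cfg['locallanmask']}", strict=False)
    remote = ipaddress.ip_network(f"{cfg['remotelan']}/{cfg['remotelanmask']}", strict=False)
    return str(local), str(remote)

def selectors_overlap(ours, peer):
    """IKEv2 lets the responder narrow selectors, so a CHILD_SA is possible
    only if our left overlaps the peer's right and our right overlaps the
    peer's left. No overlap on either side is what yields TS_UNACCEPTABLE."""
    our_l, our_r = (ipaddress.ip_network(n) for n in traffic_selectors(ours))
    peer_l, peer_r = (ipaddress.ip_network(n) for n in traffic_selectors(peer))
    return our_l.overlaps(peer_r) and our_r.overlaps(peer_l)

TS_FAIL = re.compile(r"<(?P<conn>[^|>]+)\|\d+> received TS_UNACCEPTABLE notify")

def child_sa_failures(log_text):
    """Count TS_UNACCEPTABLE notifies per connection name in a strongSwan log."""
    counts = {}
    for line in log_text.splitlines():
        m = TS_FAIL.search(line)
        if m:
            counts[m.group("conn")] = counts.get(m.group("conn"), 0) + 1
    return counts
```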