[strongSwan] Help with understanding traffic selectors match
Enrico Cavalli
enrico.cavalli at gmail.com
Thu Nov 30 22:06:48 CET 2017
Probably I simply do not understand IKEv2 traffic selectors at all ...
I have servers on my side (behind pfsense) and on the other side (behind Checkpoint that is not under my control).
If I initiate traffic between my 172.16.199.0/24 to for instance 10.15.1.0/24 - CHILD_SA gets installed.
The converse is not true
Nov 30 21:50:32 iulm03 charon: 11[ENC] <con1000|1> parsed CREATE_CHILD_SA request 41 [ SA No TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Nov 30 21:50:32 iulm03 charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 30 21:50:32 iulm03 charon: 11[IKE] <con1000|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 30 21:50:32 iulm03 charon: 11[CFG] <con1000|1> looking for a child config for 172.16.199.10/32|/0[tcp/http] 172.16.199.0/24|/0 === 10.15.1.18/32|/0[tcp/51541] 10.15.1.0/24|/0
Nov 30 21:50:32 iulm03 charon: 11[IKE] traffic selectors 172.16.199.10/32|/0[tcp/http] 172.16.199.0/24|/0 === 10.15.1.18/32|/0[tcp/51541] 10.15.1.0/24|/0 inacceptable
Nov 30 21:50:32 iulm03 charon: 11[IKE] <con1000|1> traffic selectors 172.16.199.10/32|/0[tcp/http] 172.16.199.0/24|/0 === 10.15.1.18/32|/0[tcp/51541] 10.15.1.0/24|/0 inacceptable
Nov 30 21:50:32 iulm03 charon: 11[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 30 21:50:32 iulm03 charon: 11[IKE] <con1000|1> failed to establish CHILD_SA, keeping IKE_SA
Nov 30 21:50:32 iulm03 charon: 11[ENC] <con1000|1> generating CREATE_CHILD_SA response 41 [ N(TS_UNACCEPT) ]
Nov 30 21:50:32 iulm03 charon: 11[NET] <con1000|1> sending packet: from 130.186.11.70[500] to 193.206.116.206[500] (76 bytes)
The relevant configuration:
conn con1003
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = none
    auto = route
    left = a.b.c.d
    right = x.y.z.w
    leftid = a.b.c.d
    ikelifetime = 86400s
    lifetime = 3600s
    ike = aes256-sha1-modp1024!
    esp = 3des-sha1,3des-sha1,3des-sha1,3des-sha1,3des-sha1,3des-sha1!
    leftauth = psk
    rightauth = psk
    rightid = x.y.z.w
    rightsubnet = 10.15.1.0/24
    leftsubnet = 172.16.199.0/24
Thank you for your attention.
Enrico.
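What the charon log above records is the responder side of the IKEv2 traffic selector negotiation (RFC 7296 section 2.9): each selector the peer proposes is intersected with the selectors in the responder's own configuration, the result may be narrower than what was proposed, and the CHILD_SA is refused with TS_UNACCEPTABLE when either narrowed set is empty. The following is an added example, written for this page and not strongSwan's code nor part of the post: it implements that intersection rule and runs it over the selectors copied from the "looking for a child config" line, parsed from charon's print format, against the leftsubnet/rightsubnet of the pasted conn. On those inputs the plain RFC intersection is non-empty on both sides, so the narrowing rule by itself does not produce a rejection; which conn and child config charon actually consults for the IKE_SA (the log names con1000, the pasted section is con1003) is outside what this example models. The PROTO_NAMES/PORT_NAMES tables and the decision to skip the `|/0` tail that charon prints after each prefix are assumptions made for the example.

```python
"""IKEv2 traffic selector (TS) narrowing, RFC 7296 section 2.9, as a
stand-alone illustration. Not strongSwan code. Sample selectors are the ones
quoted from the charon log in the post; configured subnets are the post's
leftsubnet/rightsubnet."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Symbolic names charon prints for well-known values (assumed table);
# anything else is parsed as a number.
PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}
PORT_NAMES = {"http": 80, "https": 443}
_PROTO_BY_NUM = {v: k for k, v in PROTO_NAMES.items()}
_PORT_BY_NUM = {v: k for k, v in PORT_NAMES.items()}

# address/prefix, an optional "|/n" tail (printed by charon; not interpreted
# here, assumption), then an optional [proto/port], [proto/lo-hi] or [proto].
_TS_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f.:]+)/(?P<plen>\d+)(?:\|/\d+)?"
    r"(?:\[(?P<proto>[^/\]]+)(?:/(?P<port>[^\]]+))?\])?$")


@dataclass(frozen=True)
class TS:
    version: int   # 4 or 6
    proto: int     # 0 = any IP protocol
    start: int     # inclusive address range, as integers
    end: int
    sport: int     # inclusive port range; 0..65535 means "all ports"
    eport: int

    def __str__(self) -> str:
        cls = ipaddress.IPv4Address if self.version == 4 else ipaddress.IPv6Address
        nets = list(ipaddress.summarize_address_range(cls(self.start), cls(self.end)))
        addrs = str(nets[0]) if len(nets) == 1 else f"{cls(self.start)}-{cls(self.end)}"
        all_ports = self.sport == 0 and self.eport == 65535
        if self.proto == 0 and all_ports:
            return addrs
        proto = _PROTO_BY_NUM.get(self.proto, str(self.proto))
        if all_ports:
            return f"{addrs}[{proto}]"
        if self.sport == self.eport:
            return f"{addrs}[{proto}/{_PORT_BY_NUM.get(self.sport, str(self.sport))}]"
        return f"{addrs}[{proto}/{self.sport}-{self.eport}]"


def parse_ts(text: str) -> TS:
    """Parse one selector in charon's print format, e.g. '10.15.1.18/32|/0[tcp/51541]'."""
    m = _TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable traffic selector: {text!r}")
    net = ipaddress.ip_network(f"{m['addr']}/{m['plen']}", strict=False)
    proto, sport, eport = 0, 0, 65535
    if m["proto"]:
        proto = PROTO_NAMES.get(m["proto"].lower()) or int(m["proto"])
    if m["port"]:
        lo, _, hi = m["port"].partition("-")
        sport = PORT_NAMES.get(lo.lower()) or int(lo)
        eport = (PORT_NAMES.get(hi.lower()) or int(hi)) if hi else sport
    return TS(net.version, proto, int(net.network_address),
              int(net.broadcast_address), sport, eport)


def narrow(a: TS, b: TS) -> Optional[TS]:
    """Intersection of two selectors: compatible protocol (equal, or one side
    'any'), overlapping address range and overlapping port range. None when
    the intersection is empty."""
    if a.version != b.version:
        return None
    if a.proto and b.proto and a.proto != b.proto:
        return None
    start, end = max(a.start, b.start), min(a.end, b.end)
    sport, eport = max(a.sport, b.sport), min(a.eport, b.eport)
    if start > end or sport > eport:
        return None
    return TS(a.version, a.proto or b.proto, start, end, sport, eport)


def narrow_set(proposed: List[TS], configured: List[TS]) -> List[TS]:
    """Every non-empty intersection of a proposed selector with a configured one."""
    result: List[TS] = []
    for p in proposed:
        for c in configured:
            n = narrow(p, c)
            if n is not None and n not in result:
                result.append(n)
    return result


def responder_narrow(proposed_local: List[TS], proposed_remote: List[TS],
                     conf_local: List[TS], conf_remote: List[TS]
                     ) -> Optional[Tuple[List[TS], List[TS]]]:
    """Responder view: proposed_local is the peer's TSr (traffic ending on our
    side), proposed_remote its TSi. None corresponds to answering TS_UNACCEPTABLE."""
    local = narrow_set(proposed_local, conf_local)
    remote = narrow_set(proposed_remote, conf_remote)
    if not local or not remote:
        return None
    return local, remote


# Constructed from the "looking for a child config" log line (responder view)
# and from the leftsubnet/rightsubnet of the pasted conn.
LOG_LOCAL = ["172.16.199.10/32|/0[tcp/http]", "172.16.199.0/24|/0"]
LOG_REMOTE = ["10.15.1.18/32|/0[tcp/51541]", "10.15.1.0/24|/0"]
CONF_LOCAL = ["172.16.199.0/24"]
CONF_REMOTE = ["10.15.1.0/24"]


def demo(conf_remote: List[str] = CONF_REMOTE):
    res = responder_narrow([parse_ts(t) for t in LOG_LOCAL], [parse_ts(t) for t in LOG_REMOTE],
                           [parse_ts(t) for t in CONF_LOCAL], [parse_ts(t) for t in conf_remote])
    return None if res is None else ([str(t) for t in res[0]], [str(t) for t in res[1]])


if __name__ == "__main__":
    print(demo())                  # both proposed sets survive narrowing unchanged
    print(demo(["10.15.2.0/24"]))  # None: no overlap on the remote side
```

Two choices worth noting: a selector without a protocol is stored as protocol 0 and yields to the other side's protocol when intersected, and a selector without ports is stored as the full range 0-65535, so a host selector with a single port narrows a plain subnet to exactly that host and port rather than being rejected; an IPv4/IPv6 mismatch is treated as empty.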