[strongSwan] Help Site-to-Site configuration error installing route with policy

Olivier CALVANO o.calvano at gmail.com
Thu Sep 7 09:15:35 CEST 2017


Hi,

I have a problem on a new Site-to-Site configuration of strongSwan:


ipsec.conf:

config setup
        charondebug="knl 2, cfg 2"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev1
        mobike=no

conn Galioppee
        left=192.168.1.254
        leftsubnet=192.168.62.0/24
        leftfirewall=no
        leftid=192.168.1.254
        leftauth=psk

        right=172.16.1.254
        rightsubnet=192.168.163.0/24
        rightid=172.16.1.254
        rightauth=psk

        type=tunnel
        auto=start
        ikelifetime=28800
        keylife=900
        aggressive=no
        ike=aes256-sha1-modp1536!
        esp=aes256-sha1-modp1536!



I have changed "auto=start" to "add" or "route" but have the same problems.
Server:

ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.254.11  netmask 255.255.255.0  broadcast 192.168.1.255

eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.22.233  netmask 255.255.255.248  broadcast 172.20.22.239

ipsec0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1400
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1.1    0.0.0.0         UG    100    0        0 eth1
172.20.22.232   0.0.0.0         255.255.255.248 U     100    0        0 eth2
192.168.62.0    172.20.22.238   255.255.255.0   UG    0      0        0 eth2
192.168.62.0    172.20.22.238   255.255.254.0   UG    0      0        0 eth2




In the logs I have:
Sep  6 17:34:43 irys01 charon: 12[ENC] parsed QUICK_MODE request 2463978021 [ HASH SA No KE ID ID ]
Sep  6 17:34:43 irys01 charon: 12[CFG] looking for a child config for 192.168.62.0/24 === 192.168.163.0/24
Sep  6 17:34:43 irys01 charon: 12[CFG] proposing traffic selectors for us:
Sep  6 17:34:43 irys01 charon: 12[CFG]  192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 12[CFG] proposing traffic selectors for other:
Sep  6 17:34:43 irys01 charon: 12[CFG]  192.168.163.0/24
Sep  6 17:34:43 irys01 charon: 12[CFG]   candidate "Galioppee" with prio 5+5
Sep  6 17:34:43 irys01 charon: 12[CFG] found matching child config "Galioppee" with prio 10
Sep  6 17:34:43 irys01 charon: 12[CFG] selecting traffic selectors for other:
Sep  6 17:34:43 irys01 charon: 12[CFG]  config: 192.168.163.0/24, received: 192.168.163.0/24 => match: 192.168.163.0/24
Sep  6 17:34:43 irys01 charon: 12[CFG] selecting traffic selectors for us:
Sep  6 17:34:43 irys01 charon: 12[CFG]  config: 192.168.62.0/24, received: 192.168.62.0/24 => match: 192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 12[CFG] selecting proposal:
Sep  6 17:34:43 irys01 charon: 12[CFG]   proposal matches
Sep  6 17:34:43 irys01 charon: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Sep  6 17:34:43 irys01 charon: 12[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Sep  6 17:34:43 irys01 charon: 12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Sep  6 17:34:43 irys01 charon: 12[IKE] received 4608000000 lifebytes, configured 0
Sep  6 17:34:43 irys01 charon: 12[ENC] generating QUICK_MODE response 2463978021 [ HASH SA No KE ID ID ]
Sep  6 17:34:43 irys01 charon: 12[NET] sending packet: from 192.168.1.254[4500] to 172.16.1.254[4500] (396 bytes)
Sep  6 17:34:43 irys01 charon: 13[NET] received packet: from 172.16.1.254[4500] to 192.168.1.254[4500] (60 bytes)
Sep  6 17:34:43 irys01 charon: 13[ENC] parsed QUICK_MODE request 2463978021 [ HASH ]
Sep  6 17:34:43 irys01 charon: 13[KNL] getting a local address in traffic selector 192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 13[KNL] no local address found in traffic selector 192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 13[KNL] error installing route with policy 192.168.62.0/24 === 192.168.163.0/24 out
Sep  6 17:34:43 irys01 charon: 13[KNL] getting a local address in traffic selector 192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 13[KNL] no local address found in traffic selector 192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 13[KNL] error installing route with policy 192.168.62.0/24 === 192.168.163.0/24 out
Sep  6 17:34:43 irys01 charon: 13[IKE] unable to install IPsec policies (SPD) in kernel
Sep  6 17:34:43 irys01 charon: 13[IKE] sending DELETE for ESP CHILD_SA with SPI 16bcc04d
Sep  6 17:34:43 irys01 charon: 13[ENC] generating INFORMATIONAL_V1 request 4069478722 [ HASH D ]
Sep  6 17:34:43 irys01 charon: 13[NET] sending packet: from 192.168.1.254[4500] to 172.16.1.254[4500] (76 bytes)
Sep  6 17:36:12 irys01 charon: 15[NET] received packet: from 172.16.1.254[4500] to 192.168.1.254[4500] (76 bytes)
Sep  6 17:36:12 irys01 charon: 15[ENC] parsed INFORMATIONAL_V1 request 3827316135 [ HASH D ]
Sep  6 17:36:12 irys01 charon: 15[IKE] received DELETE for ESP CHILD_SA with SPI 16bcc04d
Sep  6 17:36:12 irys01 charon: 15[IKE] CHILD_SA not found, ignored


Anyone know my errors?
Thanks,
Olivier
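An added diagnostic (not part of Olivier's post and not strongSwan's own code) that reproduces the lookup charon logs as "getting a local address in traffic selector": before installing a route for the policy it needs a local address inside leftsubnet, and in the post that lookup fails and the route install fails right after. The interface addresses and routes below are constructed from the post's ifconfig and route -n output, which show 192.168.62.0/24 reachable only via 172.20.22.238 on eth2 rather than attached locally.

```python
import ipaddress
import re
# Constructed from the post's ifconfig output (left=192.168.1.254 on eth1).
LOCAL_ADDRESSES = {"eth1": "192.168.1.254/24", "eth2": "172.20.22.233/29"}

# Constructed from the post's 'route -n' output: (destination, gateway, iface).
KERNEL_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "eth1"),
    ("172.20.22.232/29", "0.0.0.0", "eth2"),
    ("192.168.62.0/24", "172.20.22.238", "eth2"),
    ("192.168.62.0/23", "172.20.22.238", "eth2"),
]

KNL_TS = re.compile(r"\[KNL\] .*local address.* in traffic selector (\S+)")
def selector_from_log(line):
    """Traffic selector named in a charon KNL 'local address' log line, or None."""
    m = KNL_TS.search(line)
    return m.group(1) if m else None

def local_address_in_ts(ts, addresses):
    """First (iface, address) inside the selector, or None: the lookup charon
    must satisfy to choose a source address for the route it installs."""
    net = ipaddress.ip_network(ts, strict=False)
    for iface, cidr in addresses.items():
        addr = ipaddress.ip_interface(cidr).ip
        if addr in net:
            return iface, str(addr)
    return None

def routes_to_ts(ts, routes):
    """Non-default kernel routes whose destination overlaps the selector."""
    net = ipaddress.ip_network(ts, strict=False)
    hits = []
    for dst, gw, iface in routes:
        dst_net = ipaddress.ip_network(dst, strict=False)
        if dst_net.prefixlen and dst_net.overlaps(net):
            hits.append((dst, gw, iface))
    return hits

def diagnose(left_ts, addresses, routes):
    """Findings explaining the KNL messages for the given leftsubnet."""
    hit = local_address_in_ts(left_ts, addresses)
    findings = [f"no local address found in traffic selector {left_ts}" if hit is None
                else f"local address {hit[1]} on {hit[0]} lies in {left_ts}"]
    for dst, gw, iface in routes_to_ts(left_ts, routes):
        findings.append(f"{left_ts} is reached via {gw} on {iface} (route {dst}): "
                        "the subnet is not directly attached to this gateway")
    return findings

if __name__ == "__main__":  # constructed copy of the post's KNL line
    ts = selector_from_log("Sep  6 17:34:43 irys01 charon: 13[KNL] no local "
                           "address found in traffic selector 192.168.62.0/24")
    print("\n".join(diagnose(ts, LOCAL_ADDRESSES, KERNEL_ROUTES)))
```

Feed it the KNL lines from charondebug="knl 2" output and the live interface and route data to see whether the local traffic selector has any address on this host; a selector that is only reachable through another gateway is what this check flags.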