[strongSwan] Help Site-to-Site configuration error installing route with policy

Olivier CALVANO o.calvano at gmail.com
Tue Sep 12 04:38:41 CEST 2017


Help !!!!!!






On Sun, Sep 10, 2017 at 07:49, Olivier CALVANO <o.calvano at gmail.com> wrote:

> Hi
>
> No help ??
>
> Thanks
>
> On Thu, Sep 7, 2017 at 09:15, Olivier CALVANO <o.calvano at gmail.com> wrote:
>
>> Hi
>>
>> I have a problem with a new Site-to-Site configuration of strongSwan:
>>
>>
>> ipsec.conf:
>>
>> config setup
>>         charondebug="knl 2, cfg 2"
>>
>> conn %default
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=1
>>         authby=secret
>>         keyexchange=ikev1
>>         mobike=no
>>
>> conn Galioppee
>>         left=192.168.1.254
>>         leftsubnet=192.168.62.0/24
>>         leftfirewall=no
>>         leftid=192.168.1.254
>>         leftauth=psk
>>
>>         right=172.16.1.254
>>         rightsubnet=192.168.163.0/24
>>         rightid=172.16.1.254
>>         rightauth=psk
>>
>>         type=tunnel
>>         auto=start
>>         ikelifetime=28800
>>         keylife=900
>>         aggressive=no
>>         ike=aes256-sha1-modp1536!
>>         esp=aes256-sha1-modp1536!
>>
>>
>>
>> I have changed "auto=start" to "add" or "route" but I get the same problem.
>> server:
>>
>> ifconfig
>> eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>         inet 192.168.1.254.11  netmask 255.255.255.0  broadcast
>> 192.168.1.255
>>
>> eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>         inet 172.20.22.233  netmask 255.255.255.248  broadcast
>> 172.20.22.239
>>
>> ipsec0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1400
>>         unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>>  txqueuelen 500  (UNSPEC)
>>         RX packets 0  bytes 0 (0.0 B)
>>         RX errors 0  dropped 0  overruns 0  frame 0
>>         TX packets 0  bytes 0 (0.0 B)
>>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>
>> route -n:
>>
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use
>> Iface
>> 0.0.0.0         192.168.1.1.1    0.0.0.0         UG    100    0        0
>> eth1
>> 172.20.22.232   0.0.0.0         255.255.255.248 U     100    0        0
>> eth2
>> 192.168.62.0    172.20.22.238   255.255.255.0   UG    0      0        0
>> eth2
>> 192.168.62.0    172.20.22.238   255.255.254.0   UG    0      0        0
>> eth2
>>
>>
>>
>>
>> In the logs I have:
>> Sep  6 17:34:43 irys01 charon: 12[ENC] parsed QUICK_MODE request
>> 2463978021 [ HASH SA No KE ID ID ]
>> Sep  6 17:34:43 irys01 charon: 12[CFG] looking for a child config for
>> 192.168.62.0/24 === 192.168.163.0/24
>> Sep  6 17:34:43 irys01 charon: 12[CFG] proposing traffic selectors for us:
>> Sep  6 17:34:43 irys01 charon: 12[CFG]  192.168.62.0/24
>> Sep  6 17:34:43 irys01 charon: 12[CFG] proposing traffic selectors for
>> other:
>> Sep  6 17:34:43 irys01 charon: 12[CFG]  192.168.163.0/24
>> Sep  6 17:34:43 irys01 charon: 12[CFG]   candidate "Galioppee" with prio
>> 5+5
>> Sep  6 17:34:43 irys01 charon: 12[CFG] found matching child config
>> "Galioppee" with prio 10
>> Sep  6 17:34:43 irys01 charon: 12[CFG] selecting traffic selectors for
>> other:
>> Sep  6 17:34:43 irys01 charon: 12[CFG]  config: 192.168.163.0/24,
>> received: 192.168.163.0/24 => match: 192.168.163.0/24
>> Sep  6 17:34:43 irys01 charon: 12[CFG] selecting traffic selectors for us:
>> Sep  6 17:34:43 irys01 charon: 12[CFG]  config: 192.168.62.0/24,
>> received: 192.168.62.0/24 => match: 192.168.62.0/24
>> Sep  6 17:34:43 irys01 charon: 12[CFG] selecting proposal:
>> Sep  6 17:34:43 irys01 charon: 12[CFG]   proposal matches
>> Sep  6 17:34:43 irys01 charon: 12[CFG] received proposals:
>> ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
>> Sep  6 17:34:43 irys01 charon: 12[CFG] configured proposals:
>> ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
>> Sep  6 17:34:43 irys01 charon: 12[CFG] selected proposal:
>> ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
>> Sep  6 17:34:43 irys01 charon: 12[IKE] received 4608000000 lifebytes,
>> configured 0
>> Sep  6 17:34:43 irys01 charon: 12[ENC] generating QUICK_MODE response
>> 2463978021 [ HASH SA No KE ID ID ]
>> Sep  6 17:34:43 irys01 charon: 12[NET] sending packet: from
>> 192.168.1.254[4500] to 172.16.1.254[4500] (396 bytes)
>> Sep  6 17:34:43 irys01 charon: 13[NET] received packet: from
>> 172.16.1.254[4500] to 192.168.1.254[4500] (60 bytes)
>> Sep  6 17:34:43 irys01 charon: 13[ENC] parsed QUICK_MODE request
>> 2463978021 [ HASH ]
>> Sep  6 17:34:43 irys01 charon: 13[KNL] getting a local address in traffic
>> selector 192.168.62.0/24
>> Sep  6 17:34:43 irys01 charon: 13[KNL] no local address found in traffic
>> selector 192.168.62.0/24
>> Sep  6 17:34:43 irys01 charon: 13[KNL] error installing route with policy
>> 192.168.62.0/24 === 192.168.163.0/24 out
>> Sep  6 17:34:43 irys01 charon: 13[KNL] getting a local address in traffic
>> selector 192.168.62.0/24
>> Sep  6 17:34:43 irys01 charon: 13[KNL] no local address found in traffic
>> selector 192.168.62.0/24
>> Sep  6 17:34:43 irys01 charon: 13[KNL] error installing route with policy
>> 192.168.62.0/24 === 192.168.163.0/24 out
>> Sep  6 17:34:43 irys01 charon: 13[IKE] unable to install IPsec policies
>> (SPD) in kernel
>> Sep  6 17:34:43 irys01 charon: 13[IKE] sending DELETE for ESP CHILD_SA
>> with SPI 16bcc04d
>> Sep  6 17:34:43 irys01 charon: 13[ENC] generating INFORMATIONAL_V1
>> request 4069478722 [ HASH D ]
>> Sep  6 17:34:43 irys01 charon: 13[NET] sending packet: from
>> 192.168.1.254[4500] to 172.16.1.254[4500] (76 bytes)
>> Sep  6 17:36:12 irys01 charon: 15[NET] received packet: from
>> 172.16.1.254[4500] to 192.168.1.254[4500] (76 bytes)
>> Sep  6 17:36:12 irys01 charon: 15[ENC] parsed INFORMATIONAL_V1 request
>> 3827316135 [ HASH D ]
>> Sep  6 17:36:12 irys01 charon: 15[IKE] received DELETE for ESP CHILD_SA
>> with SPI 16bcc04d
>> Sep  6 17:36:12 irys01 charon: 15[IKE] CHILD_SA not found, ignored
>>
>>
>> Does anyone know what my errors are?
>> Thanks
>> olivier
>>
>
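
The KNL lines in the quoted log say charon looked for a local address inside the local traffic selector and found none. The following added example (not part of the original message and not strongSwan code) extracts those selectors from charon log lines and compares them with the host's interface addresses. The address table is an assumption: eth1 is taken from `left=` in the posted config and eth2 from the posted `ifconfig` output.

```python
import ipaddress
import re

# KNL lines copied from the log above, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
Sep  6 17:34:43 irys01 charon: 13[KNL] no local address found in traffic selector 192.168.62.0/24
Sep  6 17:34:43 irys01 charon: 13[KNL] error installing route with policy 192.168.62.0/24 === 192.168.163.0/24 out
Sep  6 17:34:43 irys01 charon: 13[KNL] no local address found in traffic selector 192.168.62.0/24
"""

# Assumed interface addresses (eth1 from left= in the config, eth2 from ifconfig).
LOCAL_ADDRS = {"eth1": "192.168.1.254", "eth2": "172.20.22.233"}

NO_ADDR = re.compile(r"\[KNL\] no local address found in traffic selector (\S+)")


def failing_selectors(log_text):
    """Distinct traffic selectors for which charon reported no local address."""
    seen = []
    for match in NO_ADDR.finditer(log_text):
        selector = ipaddress.ip_network(match.group(1), strict=False)
        if selector not in seen:
            seen.append(selector)
    return seen


def addrs_in_selector(selector, local_addrs):
    """Interfaces whose address lies inside the given selector."""
    return {
        iface: addr
        for iface, addr in local_addrs.items()
        if ipaddress.ip_address(addr) in selector
    }


def report(log_text, local_addrs):
    """Map each failing selector to the local addresses it contains."""
    return {
        str(selector): addrs_in_selector(selector, local_addrs)
        for selector in failing_selectors(log_text)
    }


if __name__ == "__main__":
    for selector, hits in report(SAMPLE_LOG, LOCAL_ADDRS).items():
        status = ", ".join(f"{i}={a}" for i, a in hits.items()) or "none"
        print(f"{selector}: local addresses inside selector: {status}")
```

With the addresses assumed here, the report lists no interface inside 192.168.62.0/24, which agrees with the KNL message in the log.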