[strongSwan] parsed CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ], received TS_UNACCEPTABLE notify, no CHILD_SA built

Sujoy sujoy.b at mindlogicx.com
Wed Feb 21 15:58:55 CET 2018


Thanks Jafar, for giving this information. Please let me know if 
anything else is required. The client OS is OpenWrt, so no logs are 
available.


*Server Config*

config setup
        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
        strictcrlpolicy=no
        uniqueids=no
conn %default
conn tunnel
        left=%any
        right=%any
        ike=aes256-sha1-modp2048
        esp=aes256-sha1
        keyingtries=1
        keylife=20
        dpddelay=30s
        dpdtimeout=150s
        dpdaction=restart
        authby=psk
        auto=start
        keyexchange=ikev2
        type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXXXXXX"



[host at VPNTEST ~]# firewall-cmd --list-all
FirewallD is not running
[host at VPNTEST ~]# sestatus
SELinux status:                 disabled
[host at VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination



*Client config and status*

config setup
        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
        strictcrlpolicy=no
        uniqueids=no
conn %default
conn tunnel
        left=%any
        #right=192.168.10.40
        right=182.156.253.59
        ike=aes256-sha1-modp2048
        esp=aes256-sha1
        keyingtries=1
        keylife=20
        dpddelay=30s
        dpdtimeout=150s
        dpdaction=restart
        authby=psk
        auto=start
        keyexchange=ikev2
        type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXXXXXX"


root at Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
   uptime: 22 minutes, since Feb 21 14:31:43 2018
   malloc: sbrk 196608, mmap 0, used 157560, free 39048
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
   192.168.20.100
   192.168.10.1
   fd70:5f2:3744::1
Connections:
       tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
       tunnel:   local:  uses pre-shared key authentication
       tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
       tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
       tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
       tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
       tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048



On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh wrote:
> Sujoy,
>
>    It is really hard to help you if you don't give us full information 
> and only send us one picture at a time. Please use text files; they are 
> easier to navigate than screenshots. Your last question below is a 
> repeat of a question that I answered before.  If you want a proper 
> diagnosis of the problem, please send the configuration files, logs and 
> routing table at both ends. See 8 at:
>
> https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
> Make sure to increase the debug level in your ipsec.conf files at both 
> ends, something like:
>
> config setup
>        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>
>
> Regards,
> Jafar
>
>
> On 2/20/2018 8:00 AM, Sujoy wrote:
>> Hi Jafar,
>>
>> I am able to establish the tunnel when I try to connect from a LAN IP. But 
>> with the same configuration (firewall settings) and the same OS version it 
>> fails to establish the tunnel with a *NATed public IP*.
>>
>> What does "failed to establish CHILD_SA, keeping IKE_SA" mean? 
>> Please let me know if you have any idea regarding this issue.
>
