[strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

Sujoy sujoy.b at mindlogicx.com
Fri Jan 19 15:35:50 CET 2018


Hi Noel and lists,

I am getting the following error while trying to connect from OpenWRT,
the same server with other Linux clients are connected. There are no 
logs available in the device. The device connected but failed to 
establish *tunnel.*

It will be a big help for me if anyone can help in solving this issue.
Thanks a lot once again for the support.



Server screen



Thanks

On Tuesday 16 January 2018 11:23 PM, Noel Kuntze wrote:
> Hi,
>
> Check the logs of the remote side.
> It means the remote peer did not like the proposed traffic selector. It was probably outside of the network range that its own configuration allows, meaning narrowing failed.
>
> Kind regards
>
> Noel
>
>
> On 16.01.2018 07:25, Sujoy wrote:
>> Hi Noel,
>>
>> The same strongSwan 5.3.3 configuration is working from my VM (client) to the desktop server, but it is not working from my OpenWRT to the Linux server that is NATed and uses a global IP. Can you help me to solve this?
>>
>> What does "received TS_UNACCEPTABLE notify, no CHILD_SA built" mean?
>>
>> Server config file.
>>
>>
>>
>>
>> Thanks & Regards
>>
>> Sujoy
>>
>> On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:
>>> Hi,
>>>
>>> Only on the responder.
>>> If you use dpd and enforce UDP encapsulation, you do not need to open any ports on the initiator side.
>>> Refer to the UsableExamples wiki page[1] for example configurations that are usable in the real world.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
>>>
>>> On 28.12.2017 08:51, Sujoy wrote:
>>>> Hi All,
>>>>
>>>>
>>>> We want to implement strongSwan with IPsec in OpenWRT. The IPsec server will be running on CentOS and the OpenWRT router will connect to it using VPN. I have configured the server part and am struggling to configure the client part. Do we need to open port 4500 for this first?
>>>>
>>>> Can anyone suggest a solution for this?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnhmmiblllfkckdh.png
Type: image/png
Size: 220094 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180119/3223bf69/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ogcliekckkiaelnk.png
Type: image/png
Size: 191802 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180119/3223bf69/attachment-0004.png>
-------------- next part --------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
conn tunnel #
        left=%any
        right=%any
#        rightid=%any
#        rightsubnet=192.168.10.0/24
	ike=aes256-sha1-modp2048!
	#ike=aes256-sha2-256-modp1024!
        esp=aes256!
        #esp=aes256-sha2_256!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        authby=secret
        auto=start
        keyexchange=ikev2
        type=tunnel
-------------- next part --------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
        
conn %default
conn tunnel #
        left=%any
        #leftsubnet=192.168.122.0/24
        #right=172.25.1.23
        #rightsubnet=172.25.0.0/16
        right=192.168.10.38
        rightsubnet=192.168.10.0/16
        ike=aes256-sha1-modp2048!
        esp=aes256!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        authby=secret
        auto=start
        keyexchange=ikev2
        #type=transport
        type=tunnel

         
         




-------------- next part --------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start
       charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
conn tunnel #
        left=%any
        right=192.168.10.38
        rightsubnet=192.168.10.0/24
        #rightid=moon
        ike=aes256-sha1-modp2048!
        esp=aes256!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        authby=secret
        auto=start
        keyexchange=ikev2
        type=tunnel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Connected Linux client tunnel successed.png
Type: image/png
Size: 24260 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180119/3223bf69/attachment-0005.png>
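
Added example (not part of the original thread and not strongSwan's code): a simplified Python model of the traffic-selector narrowing Noel describes, reduced to CIDR subnets without protocol or port. The function names and all addresses other than the 192.168.10.0/24 and 192.168.10.0/16 values from the attached configs are constructed for illustration.

```python
import ipaddress


def narrow(proposed, allowed):
    """Overlap of proposed and allowed selectors (CIDR subnets only).

    Two CIDR blocks are either nested or disjoint, so the overlap of a
    pair is the smaller block or nothing.
    """
    result = []
    for p in proposed:
        p_net = ipaddress.ip_network(p, strict=False)  # masks host bits
        for a in allowed:
            a_net = ipaddress.ip_network(a, strict=False)
            if p_net.version != a_net.version:
                continue
            if p_net.subnet_of(a_net):
                result.append(p_net)
            elif a_net.subnet_of(p_net):
                result.append(a_net)
    return result


def negotiate(tsi_proposed, tsr_proposed, tsi_allowed, tsr_allowed):
    """Responder-side decision: narrow both selectors or reject."""
    tsi = narrow(tsi_proposed, tsi_allowed)
    tsr = narrow(tsr_proposed, tsr_allowed)
    if not tsi or not tsr:
        # Nothing left after narrowing: the responder sends the notify
        # and the initiator logs "no CHILD_SA built".
        return ("TS_UNACCEPTABLE", [], [])
    return ("CHILD_SA", [str(n) for n in tsi], [str(n) for n in tsr])


# Constructed addresses (documentation/private ranges), not from the thread.
CLIENT = ["198.51.100.7/32"]         # initiator's own address, used as TSi
RESPONDER_HOST = ["172.16.0.10/32"]  # responder allowing only its own address

if __name__ == "__main__":
    # Initiator asks for 192.168.10.0/24; responder only allows itself.
    print(negotiate(CLIENT, ["192.168.10.0/24"], CLIENT, RESPONDER_HOST))
    # Responder allows the same /24: selectors are accepted as proposed.
    print(negotiate(CLIENT, ["192.168.10.0/24"], CLIENT, ["192.168.10.0/24"]))
    # Initiator asks for a /16, responder allows a /24: narrowed to the /24.
    print(negotiate(CLIENT, ["192.168.10.0/16"], CLIENT, ["192.168.10.0/24"]))
```

Comparing the initiator's rightsubnet with the responder's leftsubnet in this way shows whether any overlap exists before looking further in the responder's log.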