[strongSwan] Tunneling failed with AES_CBC_256 algorithm

Sujoy sujoy.b at mindlogicx.com
Tue Jan 30 11:09:42 CET 2018


Hi Noel/Team,

I need help resolving the following issue with tunneling. The connection is 
established, but tunneling fails.


root at Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
   uptime: 5 hours, since Jan 30 12:40:15 2018
   malloc: sbrk 184320, mmap 0, used 161168, free 23152
   worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 4
   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-libipsec 
kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 
xauth-generic
Listening IP addresses:
   192.168.20.100
   192.168.10.1
   fde6:8bab:cfa4::1
Connections:
       tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
       tunnel:   local:  uses pre-shared key authentication
       tunnel:   remote: [192.168.10.38] uses pre-shared key authentication
       tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, 
dpdaction=restart
Security Associations (1 up, 0 connecting):
       tunnel[3]: ESTABLISHED 48 seconds ago, 
192.168.10.1[192.168.10.1]...192.168.10.38[192.168.10.38]
       tunnel[3]: IKEv2 SPIs: 60459905871e3dee_i* 36a77bd6f87a1841_r, 
pre-shared key reauthentication in 38 minutes
       tunnel[3]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
root at Device_BD2009:~#

root at Device_BD2009:~# ipsec up tunnel
no files found matching '/etc/strongswan.d/*.conf'
establishing CHILD_SA tunnel
generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
sending packet: from 192.168.10.1[4500] to 192.168.10.38[4500] (188 bytes)
received packet: from 192.168.10.38[4500] to 192.168.10.1[4500] (188 bytes)
parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
failed to create ESP context: unsupported integrity algorithm UNDEFINED
failed to create SAD entry
failed to create ESP context: unsupported integrity algorithm UNDEFINED
failed to create SAD entry
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
sending DELETE for ESP CHILD_SA with SPI c9c86396
generating INFORMATIONAL request 4 [ D ]
sending packet: from 192.168.10.1[4500] to 192.168.10.38[4500] (76 bytes)
received packet: from 192.168.10.38[4500] to 192.168.10.1[4500] (76 bytes)
parsed INFORMATIONAL response 4 [ D ]
establishing connection 'tunnel' failed
root at Device_BD2009:~#


Thanks & Regards
Sujoy

On Tuesday 16 January 2018 11:23 PM, Noel Kuntze wrote:
> Hi,
>
> Check the logs of the remote side.
> It means the remote peer did not like the proposed traffic selector. It was probably outside of the network range that its own configuration allows, meaning narrowing failed.
>
> Kind regards
>
> Noel
>
>
> On 16.01.2018 07:25, Sujoy wrote:
>> Hi Noel,
>>
>> The same strongSwan 5.3.3 configuration works from my VM (client) to a desktop server, but it does not work from my OpenWRT router to a NATed Linux server with a global IP. Can you help me solve this?
>>
>> What does "received TS_UNACCEPTABLE notify, no CHILD_SA built" mean?
>>
>> Server config file.
>>
>>
>>
>>
>> Thanks & Regards
>>
>> Sujoy
>>
>> On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:
>>> Hi,
>>>
>>> Only on the responder.
>>> If you use dpd and enforce UDP encapsulation, you do not need to open any ports on the initiator side.
>>> Refer to the UsableExamples wiki page[1] for example configurations that are usable in the real world.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
>>>
>>> On 28.12.2017 08:51, Sujoy wrote:
>>>> Hi All,
>>>>
>>>>
>>>> We want to implement strongSwan with IPsec in OpenWRT. The IPsec server will be running on CentOS and the OpenWRT router will connect to it using VPN. I have configured the server part but am struggling to configure the client part. Do we need to open port 4500 for this first?
>>>>
>>>> Can anyone suggest a solution for this?
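The two failures seen across this thread look alike at the end ("establishing connection 'tunnel' failed") but point at different places: a TS_UNACCEPTABLE notify means the responder rejected the proposed traffic selectors, so the remote configuration is what to check, whereas the run above shows the peer answering CREATE_CHILD_SA with an SA payload and the failure only afterwards, when charon tries to install the ESP SA in the local backend ("failed to create ESP context: unsupported integrity algorithm UNDEFINED", "unable to install ... in kernel"). The following Python triage script is an added example, not code from the thread or from the strongSwan project: it parses charon output like the `ipsec up tunnel` transcript above and reports which side to look at. The two sample logs embedded in it are constructed from the lines quoted in this thread, and the function and field names are the example's own.

```python
import re

# Constructed sample 1: the failing `ipsec up tunnel` run quoted above (trimmed
# to the lines the triage needs).
LOCAL_INSTALL_FAILURE = """\
establishing CHILD_SA tunnel
generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
sending packet: from 192.168.10.1[4500] to 192.168.10.38[4500] (188 bytes)
received packet: from 192.168.10.38[4500] to 192.168.10.1[4500] (188 bytes)
parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
failed to create ESP context: unsupported integrity algorithm UNDEFINED
failed to create SAD entry
failed to create ESP context: unsupported integrity algorithm UNDEFINED
failed to create SAD entry
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
sending DELETE for ESP CHILD_SA with SPI c9c86396
establishing connection 'tunnel' failed
"""

# Constructed sample 2: the earlier symptom from this thread, where the peer
# rejected the traffic selectors instead of returning an SA payload.
PEER_REJECTED_TS = """\
establishing CHILD_SA tunnel
generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
received packet: from 192.168.10.38[4500] to 192.168.10.1[4500] (76 bytes)
received TS_UNACCEPTABLE notify, no CHILD_SA built
establishing connection 'tunnel' failed
"""

# Patterns for the charon log lines the triage keys on (example's own regexes).
RESPONSE_RE = re.compile(r"parsed CREATE_CHILD_SA response \d+ \[ (?P<payloads>[^\]]+) \]")
ESP_CONTEXT_RE = re.compile(r"failed to create ESP context: (?P<reason>.+)$")
DELETE_SPI_RE = re.compile(r"sending DELETE for ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+)")


def triage_child_sa(log_text):
    """Classify a failed CHILD_SA negotiation from charon log lines.

    Returns a dict with:
      outcome      - "peer_rejected_ts", "local_sa_install_failed" or "unknown"
      reason       - the first backend error text, or the notify line
      spi          - SPI of the ESP SA charon deleted after the failed install
      peer_sent_sa - True if the CREATE_CHILD_SA response carried an SA payload
    """
    result = {"outcome": "unknown", "reason": None, "spi": None, "peer_sent_sa": False}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RESPONSE_RE.search(line)
        if m:
            # An SA payload in the response means the peer accepted a proposal.
            result["peer_sent_sa"] = "SA" in m.group("payloads").split()
            continue
        if "TS_UNACCEPTABLE" in line:
            result["outcome"] = "peer_rejected_ts"
            result["reason"] = line
            continue
        m = ESP_CONTEXT_RE.search(line)
        if m and result["reason"] is None:
            # Keep only the first backend error; charon repeats it per direction.
            result["reason"] = m.group("reason")
            continue
        if line.startswith("unable to install") and "in kernel" in line:
            result["outcome"] = "local_sa_install_failed"
            continue
        m = DELETE_SPI_RE.search(line)
        if m:
            result["spi"] = m.group("spi")
    return result


def explain(result):
    """Turn a triage result into a one-line pointer for the operator."""
    if result["outcome"] == "peer_rejected_ts":
        return ("responder rejected the traffic selectors: check the remote side's "
                "logs and the subnets its configuration allows (narrowing failed)")
    if result["outcome"] == "local_sa_install_failed":
        return ("peer accepted the CHILD_SA (SA payload returned) but the local IPsec "
                "backend could not install it: %s; compare the esp= proposal with the "
                "algorithms the loaded kernel backend plugin supports" % result["reason"])
    return "no known CHILD_SA failure pattern found"


if __name__ == "__main__":
    for name, log in (("sample 1", LOCAL_INSTALL_FAILURE), ("sample 2", PEER_REJECTED_TS)):
        r = triage_child_sa(log)
        print("%s: %s -> %s" % (name, r["outcome"], explain(r)))
```

Feed it the output of `ipsec up <conn>` (or the matching `charon` lines from syslog) on the initiator; the `spi` field gives the value to look for in the responder's log when correlating the DELETE that follows a failed install.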


