[strongSwan] What causes: changing proposed traffic selectors for us?

Andreas Thiele Andreas.Thiele at base-engineering.com
Wed Jan 16 14:40:21 CET 2019


Hi All,

I cannot make my site-to-site VPN work again. I believe everything is configured fine. Communication is between Debian 8 and Sophos UTM 9.
It seems the CHILD_SA cannot be resolved although it is correctly defined. Somewhere in between (see the ### marks) I find the message

changing proposed traffic selectors for us:
0.0.0.0/0

What is wrong here? This connection was already working but I can't make it work again.


Any help or hint appreciated.

Andreas


# ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="ike 2, cfg 2, chd 2"

conn %default
        keyingtries=1
        keyexchange=ikev1
#       compress=yes
        compress=no
        esp="aes128-md5"
        ike="aes256-sha1-modp1024"
        ikelifetime=86400
        keylife=3600
        authby=psk
        rekeymargin=540

conn base
        left=82.165.146.193
        leftsubnet=10.242.5.0/24
        leftfirewall=yes
        right=176.94.48.18
        rightid=176.94.48.18
        rightsubnet=10.242.4.0/24
        type=tunnel
        auto=add

include /var/lib/strongswan/ipsec.conf.inc

#/var/log/daemon.log
Jan 16 14:27:24 nx03 charon: 09[NET] received packet: from 176.94.48.18[500] to 82.165.146.193[500] (92 bytes)
Jan 16 14:27:24 nx03 charon: 09[ENC] parsed INFORMATIONAL_V1 request 1322595484 [ HASH N(DPD) ]
Jan 16 14:27:24 nx03 charon: 09[IKE] queueing ISAKMP_DPD task
Jan 16 14:27:24 nx03 charon: 09[IKE] activating new tasks
Jan 16 14:27:24 nx03 charon: 09[IKE]   activating ISAKMP_DPD task
Jan 16 14:27:24 nx03 charon: 09[ENC] generating INFORMATIONAL_V1 request 1687982473 [ HASH N(DPD_ACK) ]
Jan 16 14:27:24 nx03 charon: 09[NET] sending packet: from 82.165.146.193[500] to 176.94.48.18[500] (92 bytes)
Jan 16 14:27:24 nx03 charon: 09[IKE] activating new tasks
Jan 16 14:27:24 nx03 charon: 09[IKE] nothing to initiate
Jan 16 14:27:24 nx03 charon: 06[NET] received packet: from 176.94.48.18[500] to 82.165.146.193[500] (156 bytes)
Jan 16 14:27:24 nx03 charon: 06[ENC] parsed QUICK_MODE request 3759634152 [ HASH SA No ID ID ]
Jan 16 14:27:24 nx03 charon: 06[CFG] looking for a child config for 10.242.5.0/24 === 10.242.4.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] proposing traffic selectors for us:
Jan 16 14:27:24 nx03 charon: 06[CFG]  10.242.5.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] proposing traffic selectors for other:
Jan 16 14:27:24 nx03 charon: 06[CFG]  10.242.4.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG]   candidate "base" with prio 5+5
Jan 16 14:27:24 nx03 charon: 06[CFG] found matching child config "base" with prio 10
Jan 16 14:27:24 nx03 charon: 06[CFG] selecting traffic selectors for other:
Jan 16 14:27:24 nx03 charon: 06[CFG]  config: 10.242.4.0/24, received: 10.242.4.0/24 => match: 10.242.4.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] selecting traffic selectors for us:
Jan 16 14:27:24 nx03 charon: 06[CFG]  config: 10.242.5.0/24, received: 10.242.5.0/24 => match: 10.242.5.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] selecting proposal:
Jan 16 14:27:24 nx03 charon: 06[CFG]   proposal matches
Jan 16 14:27:24 nx03 charon: 06[CFG] received proposals: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ
Jan 16 14:27:24 nx03 charon: 06[CFG] configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jan 16 14:27:24 nx03 charon: 06[CFG] selected proposal: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ

### who does this and why, or how to prevent it?

Jan 16 14:27:24 nx03 charon: 06[CFG] changing proposed traffic selectors for us:
Jan 16 14:27:24 nx03 charon: 06[CFG]  0.0.0.0/0

###

Jan 16 14:27:24 nx03 charon: 06[ENC] generating QUICK_MODE response 3759634152 [ HASH SA No ID ID ]
Jan 16 14:27:24 nx03 charon: 06[NET] sending packet: from 82.165.146.193[500] to 176.94.48.18[500] (188 bytes)
Jan 16 14:27:24 nx03 charon: 05[NET] received packet: from 176.94.48.18[500] to 82.165.146.193[500] (76 bytes)
Jan 16 14:27:24 nx03 charon: 05[ENC] parsed INFORMATIONAL_V1 request 1334323553 [ HASH N(INVAL_ID) ]
Jan 16 14:27:24 nx03 charon: 05[IKE] received INVALID_ID_INFORMATION error notify
Jan 16 14:27:24 nx03 charon: 05[IKE] received INVALID_ID_INFORMATION error notify
Jan 16 14:27:35 nx03 charon: 11[NET] received packet: from 176.94.48.18[500] to 82.165.146.193[500] (156 bytes)
Jan 16 14:27:35 nx03 charon: 11[ENC] invalid HASH_V1 payload length, decryption failed?
Jan 16 14:27:35 nx03 charon: 11[ENC] could not decrypt payloads
Jan 16 14:27:35 nx03 charon: 11[IKE] message parsing failed
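A log check added here as an illustration (it is not from the original thread and does not answer the question): it parses charon CFG lines, records the traffic selector that matched the configured subnet for each side, flags a later "changing proposed traffic selectors" entry that widens or replaces it, and notes whether the peer then answered with INVALID_ID_INFORMATION. The sample log is a constructed excerpt of the lines quoted above.

```python
import re
import ipaddress

# Constructed sample: an excerpt of the charon lines from the post above.
SAMPLE_LOG = """\
Jan 16 14:27:24 nx03 charon: 06[CFG] looking for a child config for 10.242.5.0/24 === 10.242.4.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] selecting traffic selectors for other:
Jan 16 14:27:24 nx03 charon: 06[CFG]  config: 10.242.4.0/24, received: 10.242.4.0/24 => match: 10.242.4.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] selecting traffic selectors for us:
Jan 16 14:27:24 nx03 charon: 06[CFG]  config: 10.242.5.0/24, received: 10.242.5.0/24 => match: 10.242.5.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] selecting proposal:
Jan 16 14:27:24 nx03 charon: 06[CFG]   proposal matches
Jan 16 14:27:24 nx03 charon: 06[CFG] changing proposed traffic selectors for us:
Jan 16 14:27:24 nx03 charon: 06[CFG]  0.0.0.0/0
Jan 16 14:27:24 nx03 charon: 05[IKE] received INVALID_ID_INFORMATION error notify
Jan 16 14:27:24 nx03 charon: 05[IKE] received INVALID_ID_INFORMATION error notify
"""

LINE = re.compile(r"charon: \d+\[[A-Z]+\] (?P<msg>.*)$")   # strips the syslog/thread prefix
CIDR = re.compile(r"\d+\.\d+\.\d+\.\d+/\d+")

def analyse(log):
    """Return the traffic-selector changes charon logged and whether the peer rejected them."""
    state = None            # (verb, side) of the list the following indented lines belong to
    matched = {}            # side ("us"/"other") -> selector that matched the configured subnet
    changes, rejected = [], False
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        msg = m.group("msg")
        nets = [ipaddress.ip_network(n, strict=False) for n in CIDR.findall(msg)]
        if msg.startswith(("selecting traffic selectors for ", "changing proposed traffic selectors for ")):
            state = (msg.split()[0], msg.rstrip(":").split()[-1])   # e.g. ("changing", "us")
        elif msg.startswith(" ") and state is not None and nets:
            verb, side = state
            if verb == "selecting" and "=> match:" in msg:
                matched[side] = nets[-1]                 # the selector chosen against the config
            elif verb == "changing":
                orig = matched.get(side)
                if orig is not None and orig != nets[0]:
                    rel = "widened" if orig.subnet_of(nets[0]) else "replaced"
                    changes.append(f"proposed TS for {side} {rel}: {orig} -> {nets[0]}")
        else:
            state = None
            if "INVALID_ID_INFORMATION" in msg and changes:
                rejected = True                          # peer refused the IDs we sent after the change
    return {"changes": changes, "peer_rejected": rejected}
```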