[strongSwan] no matching CHILD_SA config

Kostya Vasilyev kman at fastmail.com
Mon Jan 21 14:38:47 CET 2019


Hello,

I'm trying to switch from Racoon to strongSwan for an IPsec GRE server on Linux.

The client is a Mikrotik router with a static (fixed) IP address.

The connection errors out like this on the strongSwan side. I've enabled debug logging for cfg.

charon[18267]: 13[IKE] IKE_SA mytunnel[2] established between 139.0.0.1[139.0.0.1]...89.0.0.1[89.0.0.1]

( so far so good, right? )
...

charon[18147]: 05[NET] received packet: from 89.0.0.1[4500] to 139.0.0.1[4500] (668 bytes)
charon[18147]: 05[ENC] parsed QUICK_MODE request 3175828953 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
charon[18147]: 05[CFG] looking for a child config for 139.0.0.1/32[gre] === 89.0.0.1/32[gre]
charon[18147]: 05[CFG] proposing traffic selectors for us:
charon[18147]: 05[CFG]  139.0.0.1/32
charon[18147]: 05[CFG] proposing traffic selectors for other:
charon[18147]: 05[CFG]  89.0.0.1/32
charon[18147]: 05[CFG]   candidate "mytunnel" with prio 1+1
charon[18147]: 05[CFG] found matching child config "mytunnel" with prio 2
charon[18147]: 05[CFG] selecting traffic selectors for other:
charon[18147]: 05[CFG]  config: 89.0.0.1/32, received: 89.0.0.1/32[gre] => match: 89.0.0.1/32[gre]
charon[18147]: 05[CFG] selecting traffic selectors for us:
charon[18147]: 05[CFG]  config: 139.0.0.1/32, received: 139.0.0.1/32[gre] => match: 139.0.0.1/32[gre]
charon[18147]: 05[IKE] no matching CHILD_SA config found for 89.0.0.1/32[gre] === 139.0.0.1/32[gre]
charon[18147]: 05[ENC] generating INFORMATIONAL_V1 request 3282603997 [ HASH N(INVAL_ID) ]

( the "no matching CHILD_SA" error )

The server (Linux) is 139.0.0.1, the client (Mikrotik) is 89.0.0.1.

I found the following email message about the same error, but there it was a typo (192.168. vs. 192.186.) in the config files.

https://lists.strongswan.org/pipermail/users/2014-May/006155.html

Not the case for me, I've checked and rechecked my configs for typos already.

My ipsec.conf:

conn mytunnel
    right=89.0.0.1
    left=139.0.0.1
    authby=secret
    # use auto=start when done testing the tunnel
    auto=start

And ipsec.secrets:

89.0.0.1 139.0.0.1 : PSK "..."

The server's interfaces:

3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 139.0.0.1/24 brd 139..... scope global eth0


14: tun1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1426 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 139.0.0.1 peer 89.0.0.1
    inet 10.0.0.1 peer 10.0.0.2/32 scope global tun1
       valid_lft forever preferred_lft forever

The tun1 is created at boot time using a script. Racoon needed this; I'm not sure if strongSwan does.

ip link add tun1 type gre local 139.0.0.1 remote 89.0.0.1 ttl 255
ip link set tun1 mtu 1426
ip link set tun1 up
ip addr add 10.0.0.1/24 peer 10.0.0.2 dev tun1

I also have rules for NAT over the GRE connection, but right now with strongSwan I can't get that far.

iptables -A FORWARD -i eth0 -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.0.0.0/24 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

For comparison here is my working Racoon config:

remote 89.0.0.1 {
        exchange_mode main;
        initial_contact on;

        dpd_delay 20;
        dpd_retry 2;
        dpd_maxfail 2;
        rekey on;
        verify_identifier off;
        my_identifier address 139.0.0.1;
        peers_identifier address 89.0.0.1;
        lifetime time 24 hours;
        proposal {
           encryption_algorithm aes;
           hash_algorithm sha1;
           authentication_method pre_shared_key;
           dh_group modp1024;
        }
}

Any idea why strongSwan ends up with the "no matching CHILD_SA config" error?

Also, about NAT: with Racoon I had it configured "externally" to Racoon, in scripts that run at system boot. Does strongSwan operate differently? Does it expect the NAT configuration to be set up the same way, externally, or can it do that for me? If so, where can I find an example, please?

-- 
Kostya Vasilyev
kman at fastmail.com
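The charon log quoted above says what went wrong: the Mikrotik proposes the Quick Mode selectors 139.0.0.1/32[gre] === 89.0.0.1/32[gre] (protocol 47), while the posted conn has no protocol on its selectors, so the configured child config is 139.0.0.1/32 === 89.0.0.1/32. IKEv1 cannot narrow a proposal the way IKEv2 does, so charon refuses the CHILD_SA and answers INVAL_ID. The following ipsec.conf is an added example, not the poster's file or anything from the strongSwan project; it assumes this selector mismatch is the only problem, that both ends use the same mode (strongSwan's default is tunnel mode; the Mikrotik policy must agree), and that the peer is IKEv1 as the QUICK_MODE request shows (phase 1 already completed, so the existing proposals are left at their defaults here).

```ini
# ipsec.conf -- added example, not the original poster's configuration.
# Assumption: the failure is the missing GRE protocol selector. The peer's
# Quick Mode proposal carries [gre] on both selectors; IKEv1 needs an exact
# match, so the conn must say so too.
conn mytunnel
    keyexchange=ikev1      # the peer uses Main Mode / Quick Mode; optional, the
                           # default (ike) accepts both versions
    left=139.0.0.1         # this host (Linux)
    right=89.0.0.1         # the Mikrotik, fixed address
    leftprotoport=gre      # protocol 47 on both ends, no port part for GRE
    rightprotoport=gre
    authby=secret          # PSK from ipsec.secrets: "89.0.0.1 139.0.0.1 : PSK ..."
    # type=transport       # uncomment if the Mikrotik policy is not a tunnel
                           # policy; both sides must use the same mode
    auto=start
```

After `ipsec restart` and `ipsec up mytunnel`, the installed kernel policies (`ip xfrm policy`) should show `src 139.0.0.1/32 dst 89.0.0.1/32 proto gre` in both directions; if they still show bare /32 selectors, the protoport lines were not picked up. On the second question: charon installs only the IPsec policies and SAs. It does not write MASQUERADE rules, so the boot-time iptables script stays as it is; the `_updown` script invoked via `leftupdown` is the place to hook firewall changes to the tunnel coming up or down if that is wanted, and `leftfirewall=yes` only adds ACCEPT rules, not NAT.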

