[strongSwan] no matching CHILD_SA config
Kostya Vasilyev
kman at fastmail.com
Mon Jan 21 15:53:51 CET 2019
Answering my own question, I think...
Since the tunnel is for GRE, I was missing these in StrongSwan connection config:
type=transport
leftprotoport=47/0
rightprotoport=47/0
With these added, my IPSEC / GRE tunnel is now up and running again.
Complete config section:
conn mytunnel
    right=89.0.0.1
    left=139.0.0.1
    authby=secret
    compress=no
    type=transport
    leftprotoport=47/0
    rightprotoport=47/0
    auto=start
--
Kostya Vasilyev
kman at fastmail.com
On Mon, Jan 21, 2019, at 4:38 PM, Kostya Vasilyev wrote:
> Hello,
>
> I'm trying to switch from Racoon to StrongSwan for an IPSEC GRE server on Linux.
>
> The client is a Mikrotik router with a static (fixed) IP address.
>
> The connection errors out like this on the StrongSwan side. I've enabled
> debug logging for cfg.
>
> charon[18267]: 13[IKE] IKE_SA mytunnel[2] established between
> 139.0.0.1[139.0.0.1]...89.0.0.1[89.0.0.1]
> charon[18267]: 13[IKE] IKE_SA mytunnel[2] established between
> 139.0.0.1[139.0.0.1]...89.0.0.1[89.0.0.1]
>
> ( so far so good, right? )
> ...
>
> charon[18147]: 05[NET] received packet: from 89.0.0.1[4500] to
> 139.0.0.1[4500] (668 bytes)
> charon[18147]: 05[ENC] parsed QUICK_MODE request 3175828953 [ HASH SA No
> KE ID ID NAT-OA NAT-OA ]
> charon[18147]: 05[CFG] looking for a child config for 139.0.0.1/32[gre]
> === 89.0.0.1/32[gre]
> charon[18147]: 05[CFG] proposing traffic selectors for us:
> charon[18147]: 05[CFG] 139.0.0.1/32
> charon[18147]: 05[CFG] proposing traffic selectors for other:
> charon[18147]: 05[CFG] 89.0.0.1/32
> charon[18147]: 05[CFG] candidate "mytunnel" with prio 1+1
> charon[18147]: 05[CFG] found matching child config "mytunnel" with prio
> 2
> charon[18147]: 05[CFG] selecting traffic selectors for other:
> charon[18147]: 05[CFG] config: 89.0.0.1/32, received: 89.0.0.1/32[gre]
> => match: 89.0.0.1/32[gre]
> charon[18147]: 05[CFG] selecting traffic selectors for us:
> charon[18147]: 05[CFG] config: 139.0.0.1/32, received:
> 139.0.0.1/32[gre] => match: 139.0.0.1/32[gre]
> charon[18147]: 05[IKE] no matching CHILD_SA config found for
> 89.0.0.1/32[gre] === 139.0.0.1/32[gre]
> charon[18147]: 05[ENC] generating INFORMATIONAL_V1 request 3282603997
> [ HASH N(INVAL_ID) ]
>
> ( the "no matching CHILD_SA" error )
>
> The server (Linux) is 139.0.0.1, the client (Mikrotik) is 89.0.0.1.
>
> I found the following email message about same error, but there it was a
> typo (192.168. vs. 192.186.) in config files.
>
> https://lists.strongswan.org/pipermail/users/2014-May/006155.html
>
> Not the case for me, I've checked and rechecked my configs for typos already.
>
> My ipsec.config:
>
> conn mytunnel
>     right=89.0.0.1
>     left=139.0.0.1
>     authby=secret
>     # use auto=start when done testing the tunnel
>     auto=start
>
> And ipsec.secrets:
>
> 89.0.0.1 139.0.0.1 : PSK "..."
>
> The server's interfaces:
>
> 3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
> UP group default qlen 1000
> inet 139.0.0.1/24 brd 139..... scope global eth0
>
>
> 14: tun1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1426 qdisc noqueue
> state UNKNOWN group default qlen 1000
> link/gre 139.0.0.1 peer 89.0.0.1
> inet 10.0.0.1 peer 10.0.0.2/32 scope global tun1
> valid_lft forever preferred_lft forever
>
> The tun1 is created at boot time using a script, Racoon needed this, not
> sure if StrongSwan does.
>
> ip link add tun1 type gre local 139.0.0.1 remote 89.0.0.1 ttl 255
> ip link set tun1 mtu 1426
> ip link set tun1 up
> ip addr add 10.0.0.1/24 peer 10.0.0.2 dev tun1
>
> I also have rules for NAT over the GRE connection but right now with
> StrongSwan can't get that far.
>
> iptables -A FORWARD -i eth0 -d 10.0.0.0/24 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -s 10.0.0.0/24 -o eth0 -j ACCEPT
> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
>
> For comparison here is my working Racoon config:
>
> remote 89.0.0.1 {
>     exchange_mode main;
>     initial_contact on;
>
>     dpd_delay 20;
>     dpd_retry 2;
>     dpd_maxfail 2;
>     rekey on;
>     verify_identifier off;
>     my_identifier address 139.0.0.1;
>     peers_identifier address 89.0.0.1;
>     lifetime time 24 hours;
>     proposal {
>         encryption_algorithm aes;
>         hash_algorithm sha1;
>         authentication_method pre_shared_key;
>         dh_group modp1024;
>     }
> }
>
> Any idea why StrongSwan ends up with "no matching CHILD_SA config" error?
>
> Also about NAT - with Racoon I had it configured "externally" to Racoon,
> in scripts that run at system boot. Does StrongSwan operate differently
> (Does it expect NAT configuration to be set up the same way, externally,
> or can it do that for me? If so, where can I find an example please?)
>
> --
> Kostya Vasilyev
> kman at fastmail.com
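As an added example (not code from this thread or from the strongSwan project), a small checker that reads the quoted charon "looking for a child config" line, pulls the protocol out of each traffic selector, and reports which leftprotoport/rightprotoport/type settings the conn is missing. It assumes the first selector is the local (left) side and the second the remote (right) side, and the sample config and log line are constructed from the thread.

```python
import re

# Constructed samples based on the thread: the conn as first posted, then with the fix applied.
CONF_BEFORE = "conn mytunnel\n    right=89.0.0.1\n    left=139.0.0.1\n    authby=secret\n    auto=start\n"
CONF_AFTER = CONF_BEFORE + "    type=transport\n    leftprotoport=47/0\n    rightprotoport=47/0\n"
# Constructed charon line in the shape quoted above; assumption: local selector === remote selector.
LOG_LINE = "charon[18147]: 05[CFG] looking for a child config for 139.0.0.1/32[gre] === 89.0.0.1/32[gre]"
PROTO_NUM = {"gre": 47, "icmp": 1, "tcp": 6, "udp": 17}  # protocol names as they appear in selectors


def parse_conns(text):
    """Return {conn_name: {key: value}} for the 'conn' sections of an ipsec.conf."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns


def proto_number(value):
    """Map a protoport value ('47/0', 'gre/0', '47') or a selector protocol ('gre') to a number."""
    proto = (value or "").split("/", 1)[0].lower()
    return int(proto) if proto.isdigit() else PROTO_NUM.get(proto)   # None when unset/unknown


def requested_protos(log_line):
    """Protocol numbers the peer proposed in each selector of a 'looking for a child config' line."""
    m = re.search(r"looking for a child config for (\S+) === (\S+)", log_line)
    if not m:
        raise ValueError("not a 'looking for a child config' line")
    found = [re.search(r"\[(\w+)", sel) for sel in m.groups()]     # '[gre]' or '[tcp/443]'
    return tuple(proto_number(p.group(1)) if p else 0 for p in found)  # 0 = any protocol


def diagnose(conf_text, log_line, conn_name):
    """Explain why conn_name cannot match the peer's selectors; an empty list means it should match."""
    conn = parse_conns(conf_text).get(conn_name, {})
    want = requested_protos(log_line)
    problems = []
    for side, proto in zip(("left", "right"), want):
        if proto and proto_number(conn.get(f"{side}protoport")) != proto:
            problems.append(f"{side}protoport={proto}/0 is missing (peer proposes protocol {proto})")
    if any(want) and conn.get("type", "tunnel") != "transport":
        problems.append("type is tunnel (default); the working GRE config in this thread uses type=transport")
    return problems
```

Running `diagnose(CONF_BEFORE, LOG_LINE, "mytunnel")` lists the three missing settings from the fix above, while the same call on `CONF_AFTER` returns an empty list.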