[strongSwan] no matching CHILD_SA config

IL Ka kazakevichilya at gmail.com
Tue Jan 22 00:27:21 CET 2019


Hello,

IPSec has several associations.
First one is master (IKE_SA) and it is established in your case.
Then, it should create child (CHILD_SA)
https://security.stackexchange.com/questions/86130/difference-between-ipsec-sa-and-child-sa?answertab=votes#tab-top

This step failed because sides did not come to agreement on proposals
(algorithms or network config).

You may use "ipsec start --nofork --debug-all" to debug it.

>NAT

StrongSwan does not do NAT. It does not do "routing" either.
Linux kernel does it. But the kernel uses policies to route traffic (see
xfrm, ip-xfrm(8)).
StrongSwan uses this kernel API to configure these policies.



On Mon, Jan 21, 2019 at 4:38 PM Kostya Vasilyev <kman at fastmail.com> wrote:

> Hello,
>
> I'm trying to switch from Racoon to StrongSwan for an IPSEC GRE server on
> Linux.
>
> The client is a Mikrotik router with a static (fixed) IP address.
>
> The connection errors out like this on the StrongSwan side. I've enabled
> debug logging for cfg.
>
> charon[18267]: 13[IKE] IKE_SA mytunnel[2] established between
> 139.0.0.1[139.0.0.1]...89.0.0.1[89.0.0.1]
> charon[18267]: 13[IKE] IKE_SA mytunnel[2] established between
> 139.0.0.1[139.0.0.1]...89.0.0.1[89.0.0.1]
>
> ( so far so good, right? )
> ...
>
> charon[18147]: 05[NET] received packet: from 89.0.0.1[4500] to
> 139.0.0.1[4500] (668 bytes)
> charon[18147]: 05[ENC] parsed QUICK_MODE request 3175828953 [ HASH SA No
> KE ID ID NAT-OA NAT-OA ]
> charon[18147]: 05[CFG] looking for a child config for 139.0.0.1/32[gre]
> === 89.0.0.1/32[gre]
> charon[18147]: 05[CFG] proposing traffic selectors for us:
> charon[18147]: 05[CFG]  139.0.0.1/32
> charon[18147]: 05[CFG] proposing traffic selectors for other:
> charon[18147]: 05[CFG]  89.0.0.1/32
> charon[18147]: 05[CFG]   candidate "mytunnel" with prio 1+1
> charon[18147]: 05[CFG] found matching child config "mytunnel" with prio 2
> charon[18147]: 05[CFG] selecting traffic selectors for other:
> charon[18147]: 05[CFG]  config: 89.0.0.1/32, received: 89.0.0.1/32[gre]
> => match: 89.0.0.1/32[gre]
> charon[18147]: 05[CFG] selecting traffic selectors for us:
> charon[18147]: 05[CFG]  config: 139.0.0.1/32, received: 139.0.0.1/32[gre]
> => match: 139.0.0.1/32[gre]
> charon[18147]: 05[IKE] no matching CHILD_SA config found for 89.0.0.1/32[gre]
> === 139.0.0.1/32[gre]
> charon[18147]: 05[ENC] generating INFORMATIONAL_V1 request 3282603997
> [ HASH N(INVAL_ID) ]
>
> ( the "no matching CHILD_SA" error )
>
> The server (Linux) is 139.0.0.1, the client (Mikrotik) is 89.0.0.1.
>
> I found the following email message about the same error, but there it was
> a typo (192.168. vs. 192.186.) in config files.
>
> https://lists.strongswan.org/pipermail/users/2014-May/006155.html
>
> Not the case for me, I've checked and rechecked my configs for typos
> already.
>
> My ipsec.config:
>
> conn mytunnel
>     right=89.0.0.1
>     left=139.0.0.1
>     authby=secret
>     # use auto=start when done testing the tunnel
>     auto=start
>
> And ipsec.secrets:
>
> 89.0.0.1 139.0.0.1 : PSK "..."
>
> The server's interfaces:
>
> 3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
> UP group default qlen 1000
>     inet 139.0.0.1/24 brd 139..... scope global eth0
>
>
> 14: tun1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1426 qdisc noqueue
> state UNKNOWN group default qlen 1000
>     link/gre 139.0.0.1 peer 89.0.0.1
>     inet 10.0.0.1 peer 10.0.0.2/32 scope global tun1
>        valid_lft forever preferred_lft forever
>
> The tun1 is created at boot time using a script, Racoon needed this, not
> sure if StrongSwan does.
>
> ip link add tun1 type gre local 139.0.0.1 remote 89.0.0.1 ttl 255
> ip link set tun1 mtu 1426
> ip link set tun1 up
> ip addr add 10.0.0.1/24 peer 10.0.0.2 dev tun1
>
> I also have rules for NAT over the GRE connection but right now with
> StrongSwan can't get that far.
>
> iptables -A FORWARD -i eth0 -d 10.0.0.0/24 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -s 10.0.0.0/24 -o eth0 -j ACCEPT
> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
>
> For comparison here is my working Racoon config:
>
> remote 89.0.0.1 {
>         exchange_mode main;
>         initial_contact on;
>
>         dpd_delay 20;
>         dpd_retry 2;
>         dpd_maxfail 2;
>         rekey on;
>         verify_identifier off;
>         my_identifier address 139.0.0.1;
>         peers_identifier address 89.0.0.1;
>         lifetime time 24 hours;
>         proposal {
>            encryption_algorithm aes;
>            hash_algorithm sha1;
>            authentication_method pre_shared_key;
>            dh_group modp1024;
>       }
> }
>
> Any idea why StrongSwan ends up with "no matching CHILD_SA config" error?
>
> Also about NAT - with Racoon I had it configured "externally" to Racoon,
> in scripts that run at system boot. Does StrongSwan operate differently
> (Does it expect NAT configuration to be set up the same way, externally, or
> can it do that for me? If so, where can I find an example please?)
>
> --
> Kostya Vasilyev
> kman at fastmail.com
>
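The charon excerpt quoted above can be triaged mechanically. The following is an added example (not from this thread or from the strongSwan project) that walks a constructed copy of those log lines, reports how far the IKEv1 negotiation got (IKE_SA up, QUICK_MODE parsed, child config matched, notify sent) and flags where the selector received from the peer carries a protocol restriction that the configured selector lacks; `SAMPLE_LOG` and the result field names are my own.

```python
import re

# Constructed excerpt modelled on the charon lines quoted in the thread
# (hostname, timestamps and PIDs dropped); it is not the poster's full log.
SAMPLE_LOG = """\
13[IKE] IKE_SA mytunnel[2] established between 139.0.0.1[139.0.0.1]...89.0.0.1[89.0.0.1]
05[ENC] parsed QUICK_MODE request 3175828953 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
05[CFG] looking for a child config for 139.0.0.1/32[gre] === 89.0.0.1/32[gre]
05[CFG] found matching child config "mytunnel" with prio 2
05[CFG]  config: 89.0.0.1/32, received: 89.0.0.1/32[gre] => match: 89.0.0.1/32[gre]
05[CFG]  config: 139.0.0.1/32, received: 139.0.0.1/32[gre] => match: 139.0.0.1/32[gre]
05[IKE] no matching CHILD_SA config found for 89.0.0.1/32[gre] === 139.0.0.1/32[gre]
05[ENC] generating INFORMATIONAL_V1 request 3282603997 [ HASH N(INVAL_ID) ]
"""

TS_RE = re.compile(r"config: (\S+), received: (\S+) => match: (\S+)")
FOUND_RE = re.compile(r'found matching child config "([^"]+)"')
FAIL_RE = re.compile(r"no matching CHILD_SA config found for (\S+) === (\S+)")
NOTIFY_RE = re.compile(r"\[ HASH N\((\w+)\) \]")


def triage(log: str) -> dict:
    """Report which IKEv1 stage a charon excerpt reached: IKE_SA (main mode)
    up -> QUICK_MODE parsed -> child config matched -> selectors compared
    -> CHILD_SA accepted or an error notify generated."""
    r = {"ike_sa_established": False, "quick_mode_seen": False,
         "child_config": None, "selectors": [], "proto_only_on_peer": [],
         "child_sa_failed_for": None, "notify_sent": None}
    for line in log.splitlines():
        if "IKE_SA" in line and "established" in line:
            r["ike_sa_established"] = True
        elif "parsed QUICK_MODE request" in line:
            r["quick_mode_seen"] = True
        elif (m := FOUND_RE.search(line)):
            r["child_config"] = m.group(1)
        elif (m := TS_RE.search(line)):
            cfg, recv, match = m.groups()
            r["selectors"].append((cfg, recv, match))
            # The peer sent a protocol-restricted selector ("[gre]") while the
            # local conn has none; worth comparing against the conn's
            # leftprotoport/rightprotoport settings on both ends.
            if "[" in recv and "[" not in cfg:
                r["proto_only_on_peer"].append(recv)
        elif (m := FAIL_RE.search(line)):
            r["child_sa_failed_for"] = m.groups()
        elif (m := NOTIFY_RE.search(line)):
            r["notify_sent"] = m.group(1)
    return r
```

Running `triage(SAMPLE_LOG)` on the excerpt shows the IKE_SA established and a child config found, yet the CHILD_SA rejected with an INVAL_ID notify, which localises the problem to the phase-2 (quick mode) parameters rather than authentication.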