[strongSwan] Can't connect to VPN after upgrading from 5.7.2 to 5.8.2

Philipp Trulson philipp at trulson.de
Mon Apr 6 18:17:51 CEST 2020 

Hi Tobias,

thanks for the quick reply! I increased the log level for cfg to 4, but 
I still don't see a problem (aka "error") in the logs:

Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[CFG] selecting proposal:
Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[CFG] proposal matches
Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[CFG] received 
proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[CFG] configured 
proposals: 
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[CFG] selected 
proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[CFG] selecting 
traffic selectors for us:
Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[CFG]  config: 
192.168.178.150/32, received: 172.17.100.29/32 => no match
Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[CFG] selecting 
traffic selectors for other:
Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[CFG]  config: 
0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[CFG]  config: ::/0, 
received: 0.0.0.0/0 => no match
Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[IKE] no acceptable 
traffic selectors found
Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[IKE] failed to 
establish CHILD_SA, keeping IKE_SA
Apr 06 18:07:49 linux.fritz.box charon-nm[2186]: 14[IKE] sending DELETE 
for ESP CHILD_SA with SPI c2344a0b

It's also a bit strange since the connection works fine with the 
Strongswan Android app that is also based on 5.8.2.

I tried to connect with default log level 2, too, but that resulted in 
4200 lines. In case you want to see it, should I upload it anywhere, 
attach it to the mail or just paste it in the text?

Best,
Philipp

Am 06.04.20 um 17:31 schrieb Tobias Brunner:
> Hi Philipp,
>
>> Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] no acceptable
>> traffic selectors found
>> Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] failed to
>> establish CHILD_SA, keeping IKE_SA
>>
>> However the "selected proposal:" line didn't change and I was unable to
>> find helpful results when googling these lines.
> Traffic selectors (i.e. subnets/protocols etc.) have nothing to do with
> the proposals (e.g. algorithms, mode etc.).  You get more messages if
> you increase the log level for cfg (see [1], set log levels in the
> charon-nm.syslog.daemon section).
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

More information about the Users mailing list