[strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built error in a Hub and Spoke Setup
S M Tanjeen
tanjeensarkar at gmail.com
Tue Aug 17 18:37:12 CEST 2021
Hi,
I'm using strongSwan 5.6.3 on OpenWrt for the x86 architecture. Here I'm
trying to achieve a hub-and-spoke setup [a network diagram has been
attached] for connecting/routing multiple subnets behind more than two
gateways.
I've tried numerous changes in ipsec.conf as suggested, but I'm stuck
with 'received TS_UNACCEPTABLE notify, no CHILD_SA built' on the spoke
side, although both of the security associations are up.
Need a remedy badly.
My configurations are as follows:
Hub
------
config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=30m
    keylife=10m
    rekeymargin=3m
    keyingtries=1
    mobike=yes

conn spokeconn2
    left=3.3.3.3
    leftsubnet=0.0.0.0/0
    right=20.20.20.20
    rightsubnet=192.168.20.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    authby=secret
    type=tunnel
    keyexchange=ikev2
    auto=route

conn spokeconn1
    left=3.3.3.3
    leftsubnet=0.0.0.0/0
    right=10.10.10.10
    rightsubnet=192.168.10.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    authby=secret
    type=tunnel
    keyexchange=ikev2
    auto=route
Spoke1
--------------
config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=30m
    keylife=10m
    rekeymargin=3m
    keyingtries=1
    mobike=yes

conn allmainconn
    left=10.10.10.10
    leftsubnet=192.168.10.0/24
    right=3.3.3.3
    rightsubnet=192.168.100.0/24,192.168.20.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    authby=secret
    type=tunnel
    keyexchange=ikev2
    auto=route
Spoke2
---------------
config setup
    strictcrlpolicy=no
    charondebug="all"

conn %default
    ikelifetime=30m
    keylife=10m
    rekeymargin=3m
    keyingtries=1
    mobike=yes

conn allmainconn
    left=20.20.20.20
    leftsubnet=192.168.20.0/24
    right=3.3.3.3
    rightsubnet=192.168.100.0/24,192.168.10.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    authby=secret
    type=tunnel
    keyexchange=ikev2
    auto=route
For authentication I'm using a PSK key.
Error logs received:
------------------------
Hub-
initiating IKE_SA spokeconn2[4] to 20.20.20.20
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 3.3.3.3[500] to 20.20.20.20[500] (464 bytes)
received packet: from 20.20.20.20[500] to 3.3.3.3[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
authentication of '3.3.3.3' (myself) with pre-shared key
establishing CHILD_SA spokeconn2{6}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 3.3.3.3[4500] to 20.20.20.20[4500] (284 bytes)
received packet: from 20.20.20.20[4500] to 3.3.3.3[4500] (268 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of '20.20.20.20' with pre-shared key successful
IKE_SA spokeconn2[4] established between 3.3.3.3[3.3.3.3]...20.20.20.20[20.20.20.20]
scheduling reauthentication in 1505s
maximum IKE_SA lifetime 1685s
error installing route with policy 192.168.10.0/24 === 192.168.20.0/24 out
unable to install IPsec policies (SPD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 1514s, scheduling reauthentication in 1334s
peer supports MOBIKE
sending DELETE for ESP CHILD_SA with SPI 85f68599
generating INFORMATIONAL request 2 [ D ]
sending packet: from 3.3.3.3[4500] to 20.20.20.20[4500] (76 bytes)
received packet: from 20.20.20.20[4500] to 3.3.3.3[4500] (76 bytes)
parsed INFORMATIONAL response 2 [ D ]
establishing connection 'spokeconn2' failed
Spoke1-
initiating IKE_SA allmainconn[1] to 3.3.3.3
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.10.10.10[500] to 3.3.3.3[500] (464 bytes)
received packet: from 3.3.3.3[500] to 10.10.10.10[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
authentication of '10.10.10.10' (myself) with pre-shared key
establishing CHILD_SA allmainconn{2}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.10.10.10[4500] to 3.3.3.3[4500] (300 bytes)
received packet: from 3.3.3.3[4500] to 10.10.10.10[4500] (172 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
authentication of '3.3.3.3' with pre-shared key successful
IKE_SA allmainconn[1] established between 10.10.10.10[10.10.10.10]...3.3.3.3[3.3.3.3]
scheduling reauthentication in 1524s
maximum IKE_SA lifetime 1704s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 1508s, scheduling reauthentication in 1328s
peer supports MOBIKE
establishing connection 'allmainconn' failed
Spoke2-
initiating IKE_SA allmainconn[1] to 3.3.3.3
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 20.20.20.20[500] to 3.3.3.3[500] (464 bytes)
received packet: from 3.3.3.3[500] to 20.20.20.20[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
authentication of '20.20.20.20' (myself) with pre-shared key
establishing CHILD_SA allmainconn{2}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 20.20.20.20[4500] to 3.3.3.3[4500] (300 bytes)
received packet: from 3.3.3.3[4500] to 20.20.20.20[4500] (172 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
authentication of '3.3.3.3' with pre-shared key successful
IKE_SA allmainconn[1] established between 20.20.20.20[20.20.20.20]...3.3.3.3[3.3.3.3]
scheduling reauthentication in 1478s
maximum IKE_SA lifetime 1658s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 1468s, scheduling reauthentication in 1288s
peer supports MOBIKE
establishing connection 'allmainconn' failed
Attachment: Hub-n-Spoke Setup.png (image/png, 33482 bytes)
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210817/7b2cd0d0/attachment-0001.png>
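As an added illustration (not from the poster or the strongSwan project), the Python script below applies IKEv2 traffic-selector narrowing to the subnets in the three ipsec.conf fragments above: the responder keeps the overlap between the initiator's proposed TSi/TSr and its own configured selectors, and an empty overlap is what it answers with TS_UNACCEPTABLE. Ports and protocols are ignored, and the 'left'/'right' dicts are constructed from the posted configs.

```python
from ipaddress import ip_network

def narrow(proposed, configured):
    """Intersect two CIDR selector lists: keep the smaller network wherever
    one contains the other (IKEv2 narrowing, RFC 7296 section 2.9)."""
    kept = set()
    for p in map(ip_network, proposed):
        for c in map(ip_network, configured):
            if p.subnet_of(c):
                kept.add(p)
            elif c.subnet_of(p):
                kept.add(c)
    return sorted(kept)

def negotiate(initiator, responder):
    """Narrow the initiator's TSi ('left') against the responder's 'right'
    and its TSr ('right') against the responder's 'left'. Returns (tsi, tsr),
    or None when either is empty: the case reported as TS_UNACCEPTABLE."""
    tsi = narrow(initiator["left"], responder["right"])
    tsr = narrow(initiator["right"], responder["left"])
    return (tsi, tsr) if tsi and tsr else None

# Selector lists copied from the three ipsec.conf fragments in the post.
HUB = {
    "spokeconn1": {"left": ["0.0.0.0/0"], "right": ["192.168.10.0/24"]},
    "spokeconn2": {"left": ["0.0.0.0/0"], "right": ["192.168.20.0/24"]},
}
SPOKE1 = {"left": ["192.168.10.0/24"],
          "right": ["192.168.100.0/24", "192.168.20.0/24"]}
SPOKE2 = {"left": ["192.168.20.0/24"],
          "right": ["192.168.100.0/24", "192.168.10.0/24"]}

def check_all():
    """Run both directions for each hub/spoke pair and return the narrowed
    selectors as lists of CIDR strings keyed by 'initiator->responder'."""
    pairs = {"spoke1": (SPOKE1, HUB["spokeconn1"]),
             "spoke2": (SPOKE2, HUB["spokeconn2"])}
    results = {}
    for name, (spoke, hubconn) in pairs.items():
        for label, init, resp in ((f"{name}->hub", spoke, hubconn),
                                  (f"hub->{name}", hubconn, spoke)):
            ts = negotiate(init, resp)
            results[label] = None if ts is None else tuple(
                [str(n) for n in side] for side in ts)
    return results

if __name__ == "__main__":
    for pair, ts in check_all().items():
        print(pair, "TS_UNACCEPTABLE (no overlap)" if ts is None else ts)
```

For every pair the overlap is nonempty, and hub->spoke2 yields 192.168.10.0/24 === 192.168.20.0/24, the same policy the hub log shows failing at route/SPD installation, so on the hub-initiated attempt the failure sits at kernel policy installation rather than in selector agreement.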