[strongSwan] Routing between two remote sites

Michael Schwartzkopff ms at sys4.de
Tue Jan 25 08:39:40 CET 2022


On 25.01.22 03:13, VTwin Farriers wrote:
> If I try to add 10.128.0.0/16 to the configuration for East <=> Central, I get:
>
> received TS_UNACCEPTABLE notify, no CHILD_SA built
> failed to establish CHILD_SA, keeping IKE_SA
>
> when I attempt to bring up the connection.
>
> This seems to be related to the fact that there is no interface or route on Central which is on the 10.128.0.0 subnet; 10.128.0.0/16 traffic is passed to West via the West<=>Central ipsec link.
>
> swanctl.conf:
>
> connections {
>     EastCentral {
>         version=2
>         local_addrs=a.b.c.d
>         proposals=aes256-sha1-modp1024, default
>         local-0 {
>             auth = psk
>         }
>         remote-0 {
>             auth = psk
>         }
>         remote_addrs=w.x.y.z
>         children {
>             EastCentral {
>                 esp_proposals=aes256-sha1, default
>                 dpd_action=restart
>                 local_ts=10.0.0.0/16
>                 remote_ts=10.64.0.0/16,10.128.0.0/16
>             }
>         }
>     }
> }
> secrets {
>     ike-w.x.y.za.b.c.d {
>         secret = "SantizedForYourProtection"
>         id-1=w.x.y.z
>         id-0=a.b.c.d
>     }
> }


Do you have the 10.128.0.0/16 configured on the central gateway as a
local_ts for the connection to east?


Kind regards,

-- 

[*] sys4 AG
  
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
  
Registered office: München, District Court of München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
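
What the question above asks about, shown as an added example that is not part of the original thread: the mirrored child on the Central gateway, with West's subnet listed in local_ts. It assumes Central also runs strongSwan with swanctl.conf; the connection name CentralEast is hypothetical, and the addresses are the sanitized placeholders from the quoted message.

```conf
# Constructed example for the Central gateway (assumption: strongSwan + swanctl.conf).
connections {
    CentralEast {                          # hypothetical connection name
        version = 2
        local_addrs = w.x.y.z              # Central's address (East's remote_addrs)
        remote_addrs = a.b.c.d             # East's address (East's local_addrs)
        proposals = aes256-sha1-modp1024, default   # mirrored from the quoted East config
        local-0 {
            auth = psk
        }
        remote-0 {
            auth = psk
        }
        children {
            CentralEast {
                esp_proposals = aes256-sha1, default
                dpd_action = restart
                # Mirror of East's remote_ts: Central's own subnet plus West's
                # subnet, even though Central has no interface in 10.128.0.0/16.
                local_ts = 10.64.0.0/16,10.128.0.0/16
                # Mirror of East's local_ts.
                remote_ts = 10.0.0.0/16
            }
        }
    }
}
```

For return traffic, the West<=>Central child needs the matching counterpart: 10.0.0.0/16 in Central's local_ts toward West and in West's remote_ts.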


