[strongSwan] Routing between two remote sites
VTwin Farriers
vtwin at cox.net
Tue Jan 25 16:18:04 CET 2022
sorry, that should be removing 10.128.0.0/16 not /24.
Also a cut and paste error on the east file into my browser email window, my remote_ts=10.64.0.0/16,10.128.0.0/16 not /64
> On January 25, 2022 at 10:07 AM VTwin Farriers <vtwin at cox.net> wrote:
>
>
> Thank you all for your responses.
>
> I have the same local_ts/remote_ts values on my East and Central swanctl.conf files. I would think this should work but for some reason I get the TS_UNACCEPTABLE error. Removing "10.128.0.0/24" from the swanctl.conf files on east and central will then work.
>
>
> swanctl.conf (East)
>
> connections {
> eastcentral {
> version=2
> local_addrs=a.b.c.d
> proposals=aes256-sha1-modp1024, default
> local-0 {
> auth = psk
> }
> remote-0 {
> auth = psk
> }
> remote_addrs=w.x.y.z
> children {
> eastcentral {
> esp_proposals=aes256-sha1, default
> dpd_action=restart
> remote_ts=10.64.0.0/16,10.128.0.0/64
> local_ts=10.0.0.0/16
> }
> }
> }
> }
>
>
> swanctl.conf (Central):
>
> connections {
> centraleast {
> version=2
> local_addrs=w.x.y.z
> proposals=aes256-sha1-modp1024, default
> local-0 {
> auth = psk
> }
> remote-0 {
> auth = psk
> }
> remote_addrs=a.b.c.d
> children {
> centraleast {
> esp_proposals=aes256-sha1, default
> dpd_action=restart
> remote_ts=10.0.0.0/16
> local_ts=10.64.0.0/16,10.128.0.0/16
> }
> }
> }
> }
>
>
>
> [root at EastRouter swanctl]# strongswan up eastcentral
> initiating IKE_SA eastcentral[1] to w.x.y.z
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from a.b.c.d[500] to w.x.y.z[500] (1204 bytes)
> received packet: from w.x.y.z[500] to a.b.c.d[500] (344 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> remote host is behind NAT
> no IDi configured, fall back on IP address
> authentication of 'a.b.c.d' (myself) with pre-shared key
> establishing CHILD_SA eastcentral{1}
> generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from a.b.c.d[4500] to w.x.y.z[4500] (668 bytes)
> received packet: from w.x.y.z[4500] to a.b.c.d[4500] (220 bytes)
> parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
> authentication of 'w.x.y.z' with pre-shared key successful
> IKE_SA eastcentral[1] established between a.b.c.d[a.b.c.d]...w.x.y.z[w.x.y.z]
> scheduling rekeying in 13393s
> maximum IKE_SA lifetime 14833s
> received TS_UNACCEPTABLE notify, no CHILD_SA built
> failed to establish CHILD_SA, keeping IKE_SA
> peer supports MOBIKE
> establishing connection 'eastcentral' failed
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220125/450e4cf4/attachment-0001.html>
More information about the Users
mailing list