[strongSwan] Routing between two remote sites

Tue Jan 25 16:35:58 CET 2022

yes, that was a cut-and-paste error into my browser email window. I have the same local_ts=10.64.0.0/16,10.128.0.0/16 and remote_ts=10.64.0.0/16,10.128.0.0/16 in my respective files. unfortunately i'm working remotely over a slow internet connection with only browser-based email so cut and paste is flakey.

> On January 25, 2022 at 10:21 AM Michael Schwartzkopff <ms at sys4.de> wrote:
> 
> 
> On 25.01.22 16:07, VTwin Farriers wrote:
> > Thank you all for your responses.
> >
> > I have the same local_ts/remote_ts values on my East and Central swanctl.conf files. I would think this should work but for some reason I get the TS_UNACCEPTABLE error. Removing "10.128.0.0/24" from the swanctl.conf files on east and central will then work.
> >
> >
> > swanctl.conf (East)
> >
> > connections {
> > eastcentral {
> > version=2
> > local_addrs=a.b.c.d
> > proposals=aes256-sha1-modp1024, default
> > local-0 {
> > auth = psk
> > }
> > remote-0 {
> > auth = psk
> > }
> > remote_addrs=w.x.y.z
> > children {
> > eastcentral {
> > esp_proposals=aes256-sha1, default
> > dpd_action=restart
> > remote_ts=10.64.0.0/16,10.128.0.0/64
> > local_ts=10.0.0.0/16
> > }
> > }
> > }
> > }
> >
> >
> > swanctl.conf (Central):
> >
> > connections {
> > centraleast {
> > version=2
> > local_addrs=w.x.y.z
> > proposals=aes256-sha1-modp1024, default
> > local-0 {
> > auth = psk
> > }
> > remote-0 {
> > auth = psk
> > }
> > remote_addrs=a.b.c.d
> > children {
> > centraleast {
> > esp_proposals=aes256-sha1, default
> > dpd_action=restart
> > remote_ts=10.0.0.0/16
> > local_ts=10.64.0.0/16,10.128.0.0/16
> > }
> > }
> > }
> > }
> >
> >
> >
> > [root at EastRouter swanctl]# strongswan up eastcentral
> > initiating IKE_SA eastcentral[1] to w.x.y.z
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> > sending packet: from a.b.c.d[500] to w.x.y.z[500] (1204 bytes)
> > received packet: from w.x.y.z[500] to a.b.c.d[500] (344 bytes)
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
> > selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> > remote host is behind NAT
> > no IDi configured, fall back on IP address
> > authentication of 'a.b.c.d' (myself) with pre-shared key
> > establishing CHILD_SA eastcentral{1}
> > generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> > sending packet: from a.b.c.d[4500] to w.x.y.z[4500] (668 bytes)
> > received packet: from w.x.y.z[4500] to a.b.c.d[4500] (220 bytes)
> > parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
> > authentication of 'w.x.y.z' with pre-shared key successful
> > IKE_SA eastcentral[1] established between a.b.c.d[a.b.c.d]...w.x.y.z[w.x.y.z]
> > scheduling rekeying in 13393s
> > maximum IKE_SA lifetime 14833s
> > received TS_UNACCEPTABLE notify, no CHILD_SA built
> > failed to establish CHILD_SA, keeping IKE_SA
> > peer supports MOBIKE
> > establishing connection 'eastcentral' failed
> 
> 
> In the config on the east router your have:
> remote_ts=10.64.0.0/16,10.128.0.0/64
> 
> 
> On the central gateway you have:
> 
> local_ts=10.64.0.0/16,10.128.0.0/16
> 
> 
> 
> The subnets for 10.128.0.0 do not fit. Especially since /64 does not 
> make sense in a legacy IP network.
> 
> 
> Mit freundlichen Grüßen,
> 
> -- 
> 
> [*] sys4 AG
>   
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>   
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Aufsichtsratsvorsitzender: Florian Kirstein
>