[strongSwan] Routing between two remote sites

VTwin Farriers vtwin at cox.net
Thu Jan 27 02:57:01 CET 2022


Still not feeling the love, unfortunately.

I never tried to connect from Central to East, I was always trying to go from East to Central.

When I try to go from Central to East, I get a slightly different error message when attempting to start the connection.


swanctl.conf (East)

connections {
    EastCentral {
        version=2
        local_addrs=WW.XX.YY.ZZ
        proposals=aes256-sha1-modp1024, default
        local-0 {
            auth = psk
        }
        remote-0 {
            auth = psk
        }
        remote_addrs=AA.BB.CC.DD
        children {
            EastCentral {
                esp_proposals=aes256-sha1, default
                dpd_action=restart
                local_ts=10.0.0.0/16
                remote_ts=10.64.0.0/16,10.128.0.0/16
            }
        }
    }
}

swanctl.conf (Central)

connections {
    CentralEast {
        version=2
        local_addrs=AA.BB.CC.DD
        proposals=aes256-sha1-modp1024, default
        local-0 {
            auth = psk
        }
        remote-0 {
            auth = psk
        }
        remote_addrs=WW.XX.YY.ZZ
        children {
            CentralEast {
                esp_proposals=aes256-sha1, default
                dpd_action=restart
                local_ts=10.64.0.0/16,10.128.0.0/16
                remote_ts=10.0.0.0/16
            }
        }
    }
}


--- If attempting to connect to Central from East:


[root at EastRouter swanctl]# swanctl --load-conns
loaded connection 'EastCentral'
successfully loaded 1 connections, 0 unloaded

[root at EastRouter swanctl]# strongswan up EastRouter
establishing CHILD_SA EastCentral{32}
generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
sending packet: from WW.XX.YY.ZZ[4500] to AA.BB.CC.DD[4500] (620 bytes)
received packet: from AA.BB.CC.DD[4500] to WW.XX.YY.ZZ[4500] (76 bytes)
parsed CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'EastCentral' failed
[root at EastRouter swanctl]#


--- If attempting to connect to East from Central:

[root at CentralRouter conf.d]# swanctl --load-conns
loaded connection 'CentralEast'
successfully loaded 1 connections, 0 unloaded

[root at CentralRouter conf.d]# strongswan up CentralEast
establishing CHILD_SA CentralEast{88}
generating CREATE_CHILD_SA request 0 [ SA No TSi TSr ]
sending packet: from AA.BB.CC.DD[4500] to WW.XX.YY.ZZ[4500] (620 bytes)
received packet: from WW.XX.YY.ZZ[4500] to AA.BB.CC.DD[4500] (476 bytes)
parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
error installing route with policy 10.128.0.0/16 === 10.0.0.0/16 out
unable to install IPsec policies (SPD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
sending DELETE for ESP CHILD_SA with SPI 255b9e78
generating INFORMATIONAL request 1 [ D ]
sending packet: from AA.BB.CC.DD[4500] to WW.XX.YY.ZZ[4500] (76 bytes)
received packet: from WW.XX.YY.ZZ[4500] to AA.BB.CC.DD[4500] (76 bytes)
parsed INFORMATIONAL response 1 [ D ]
establishing connection 'CentralEast' failed
[root at CentralRouter conf.d]#
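Both failures in the sessions above start from the traffic selectors in the two child definitions: TS_UNACCEPTABLE is the responder's answer when the proposed TSi/TSr cannot be matched against its own local_ts/remote_ts, and the "error installing route with policy ... out" line is the initiator's own kernel refusing the policy-derived route for that selector pair. A cheap first check, before reading kernel logs, is to confirm offline that each side's local_ts is exactly the other side's remote_ts and that no local prefix overlaps a remote prefix. The script below is an added example, not from the post or from the strongSwan project: it embeds constructed, trimmed copies of the two swanctl.conf fragments (same placeholder gateway addresses), parses the small nested "section { key = value }" subset they use, and reports any mirror mismatch or overlap. The parser, the check_peers function and the config strings are all assumptions made for this example.

```python
import ipaddress
import re

# Constructed copies of the swanctl.conf fragments quoted in the post, trimmed
# to what the check needs. They are sample input, not files read from a router.
EAST_CONF = """
connections {
    EastCentral {
        version=2
        local_addrs=WW.XX.YY.ZZ
        remote_addrs=AA.BB.CC.DD
        local-0 {
            auth = psk
        }
        children {
            EastCentral {
                local_ts=10.0.0.0/16
                remote_ts=10.64.0.0/16,10.128.0.0/16
            }
        }
    }
}
"""
CENTRAL_CONF = """
connections {
    CentralEast {
        version=2
        local_addrs=AA.BB.CC.DD
        remote_addrs=WW.XX.YY.ZZ
        children {
            CentralEast {
                local_ts=10.64.0.0/16,10.128.0.0/16
                remote_ts=10.0.0.0/16
            }
        }
    }
}
"""

SECTION_RE = re.compile(r"^([\w.-]+)\s*\{$")


def parse_swanctl(text):
    """Parse the nested 'name { ... }' / 'key = value' subset of swanctl.conf
    used above into nested dicts; anything after '#' is treated as a comment."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = {}
            stack[-1][m.group(1)] = section
            stack.append(section)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in swanctl.conf")
    return root


def ts_set(value):
    """'10.64.0.0/16,10.128.0.0/16' -> set of ip_network objects."""
    return {ipaddress.ip_network(p.strip()) for p in value.split(",")}


def child_selectors(conf):
    """Yield (conn/child, local_ts set, remote_ts set) for every child SA."""
    for cname, conn in conf["connections"].items():
        for chname, child in conn.get("children", {}).items():
            yield f"{cname}/{chname}", ts_set(child["local_ts"]), ts_set(child["remote_ts"])


def check_peers(conf_a, conf_b):
    """Return a list of findings; [] means every child on one peer has a mirror
    image (local_ts == peer remote_ts and vice versa) and no local prefix
    overlaps a remote prefix on either side."""
    a_children = list(child_selectors(conf_a))
    b_children = list(child_selectors(conf_b))
    findings = []
    # Overlapping local/remote selectors on one gateway make the kernel route
    # for the policy ambiguous; flag them on both sides.
    for name, local, remote in a_children + b_children:
        for l in local:
            for r in remote:
                if l.overlaps(r):
                    findings.append(f"{name}: local_ts {l} overlaps remote_ts {r}")

    def unmatched(mine, theirs):
        return [f"{n}: no child on the peer mirrors local_ts={sorted(map(str, l))} "
                f"remote_ts={sorted(map(str, r))}"
                for n, l, r in mine
                if not any(l == tr and r == tl for _, tl, tr in theirs)]

    findings += unmatched(a_children, b_children) + unmatched(b_children, a_children)
    return findings


if __name__ == "__main__":
    for finding in check_peers(parse_swanctl(EAST_CONF), parse_swanctl(CENTRAL_CONF)):
        print(finding)
```

Run against the two fragments as posted, the check returns no findings, which is consistent with the mirror-image selectors shown: the remaining suspects are then on the gateways themselves (a source address or existing route for 10.128.0.0/16 on the Central box, or the responder's view of the proposed TS), not in how the two files mirror each other.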