[strongSwan] Routing between two remote sites

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 27 06:56:18 CET 2022


Hello,

Please provide me with the full debug information as shown on the HelpRequests[1] page on the wiki.
Additionally, what distribution is that on either side, what virtualization, and what kernel?

I suspect there are more problems lurking around the corner than just that.
This particular problem only occurs if you are trying to use kernel-libipsec, or XFRM is not working or doesn't have any of the required features compiled in.

> *error installing route with policy 10.128.0.0/16 === 10.0.0.0/16 out*

That particular error message implies it's kernel-libipsec, which you are not supposed to use on sites at all, but only on clients without a working or usable XFRM implementation (e.g. Android).

> *unable to install IPsec policies (SPD) in kernel*

This particular error message implies it's a problem with the IPsec backend used.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 27.01.22 at 02:57, VTwin Farriers wrote:
> Still not feeling the love, unfortunately.
> 
> I never tried to connect from Central to East, I was always trying to go from East to Central.
> 
> When I try to go from Central to East, I get a slightly different error message when attempting to start the connection.
> 
> 
> swanctl.conf (East)
> 
> connections {
>   EastCentral {
>    version=2
>    local_addrs=WW.XX.YY.ZZ
>    proposals=aes256-sha1-modp1024, default
>    local-0 {
>     auth = psk
>    }
>    remote-0 {
>     auth = psk
>    }
>    remote_addrs=AA.BB.CC.DD
>    children {
>     EastCentral {
>      esp_proposals=aes256-sha1, default
>      dpd_action=restart
>      local_ts=10.0.0.0/16
>      remote_ts=10.64.0.0/16,10.128.0.0/16
>     }
>    }
>   }
> }
> 
> swanctl.conf (Central)
> 
> connections {
>   CentralEast {
>    version=2
>    local_addrs=AA.BB.CC.DD
>    proposals=aes256-sha1-modp1024, default
>    local-0 {
>     auth = psk
>    }
>    remote-0 {
>     auth = psk
>    }
>    remote_addrs=WW.XX.YY.ZZ
>    children {
>     CentralEast {
>      esp_proposals=aes256-sha1, default
>      dpd_action=restart
>      local_ts=10.64.0.0/16,10.128.0.0/16
>      remote_ts=10.0.0.0/16
>     }
>    }
>   }
> }
> 
> 
> --- If attempting to connect to Central from East:
> 
> 
> [root at EastRouter swanctl]# swanctl --load-conns
> loaded connection 'EastCentral'
> successfully loaded 1 connections, 0 unloaded
> 
> [root at EastRouter swanctl]# strongswan up EastRouter
> establishing CHILD_SA EastCentral{32}
> generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
> sending packet: from WW.XX.YY.ZZ[4500] to AA.BB.CC.DD[4500] (620 bytes)
> received packet: from AA.BB.CC.DD[4500] to WW.XX.YY.ZZ[4500] (76 bytes)
> *parsed CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]*
> *received TS_UNACCEPTABLE notify, no CHILD_SA built*
> failed to establish CHILD_SA, keeping IKE_SA
> establishing connection 'EastCentral' failed
> [root at EastRouter swanctl]#
> 
> 
> ------ If attempting to connect to East from Central:
> 
> [root at CentralRouter conf.d]# swanctl --load-conns
> loaded connection 'CentralEast'
> successfully loaded 1 connections, 0 unloaded
> 
> [root at CentralRouter conf.d]# strongswan up CentralEast
> establishing CHILD_SA CentralEast{88}
> generating CREATE_CHILD_SA request 0 [ SA No TSi TSr ]
> sending packet: from AA.BB.CC.DD[4500] to WW.XX.YY.ZZ[4500] (620 bytes)
> received packet: from WW.XX.YY.ZZ[4500] to AA.BB.CC.DD[4500] (476 bytes)
> parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
> *error installing route with policy 10.128.0.0/16 === 10.0.0.0/16 out*
> *unable to install IPsec policies (SPD) in kernel*
> failed to establish CHILD_SA, keeping IKE_SA
> sending DELETE for ESP CHILD_SA with SPI 255b9e78
> generating INFORMATIONAL request 1 [ D ]
> sending packet: from AA.BB.CC.DD[4500] to WW.XX.YY.ZZ[4500] (76 bytes)
> received packet: from WW.XX.YY.ZZ[4500] to AA.BB.CC.DD[4500] (76 bytes)
> parsed INFORMATIONAL response 1 [ D ]
> establishing connection 'CentralEast' failed
> [root at CentralRouter conf.d]#
> 
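As an added example, not code from the thread or from the strongSwan project: a small Python check that parses the two swanctl.conf fragments above (reproduced with the same placeholder values) and verifies that each side's local_ts mirrors the other's remote_ts and that the esp_proposals lists overlap, the two configuration mismatches that make a responder answer CREATE_CHILD_SA with TS_UNACCEPTABLE or NO_PROPOSAL_CHOSEN.

```python
# Added example (not from the thread): constructed configs, reduced to the child keys that decide CREATE_CHILD_SA.
EAST = """connections {
  EastCentral {
    children {
      EastCentral {
        esp_proposals=aes256-sha1, default
        local_ts=10.0.0.0/16
        remote_ts=10.64.0.0/16,10.128.0.0/16
      }
    }
  }
}"""
CENTRAL = """connections {
  CentralEast {
    children {
      CentralEast {
        esp_proposals=aes256-sha1, default
        local_ts=10.64.0.0/16,10.128.0.0/16
        remote_ts=10.0.0.0/16
      }
    }
  }
}"""

def parse_swanctl(text):
    # Brace-delimited "name { key=value ... }" sections become nested dicts.
    stack, cur = [], {}
    for line in (ln.split("#", 1)[0].strip() for ln in text.splitlines()):
        if line.endswith("{"):            # "name {" opens a subsection
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                 # back to the enclosing section
            cur = stack.pop()
        elif line:                        # key=value or key = value
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces in swanctl.conf")
    return cur                            # the root once every brace is closed
def items(value):
    return {v.strip() for v in value.split(",") if v.strip()}  # comma list -> set
def child_mismatches(a, b):
    # Site-to-site children must mirror each other (local_ts here == remote_ts there, and vice versa) and share an esp_proposal.
    problems = []
    for mine, theirs in (("local_ts", "remote_ts"), ("remote_ts", "local_ts")):
        if items(a[mine]) != items(b[theirs]):
            problems.append(f"{mine}={a[mine]} does not mirror peer {theirs}={b[theirs]}")
    if not items(a["esp_proposals"]) & items(b["esp_proposals"]):
        problems.append("no esp_proposal in common")
    return problems
```

For the configurations posted in the thread the check reports nothing, so the traffic selectors as written are not the mismatch.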