[strongSwan] IKE SA, but no child SA
Michael Schwartzkopff
ms at sys4.de
Thu Jul 7 14:49:06 CEST 2022
Hi,
I set up a RW connection according to
https://docs.strongswan.org/docs/5.9/config/quickstart.html#_roadwarrior_case
and
https://www.strongswan.org/testing/testresults/ikev2/rw-cert/
swanctl -L shows:
root at moon:~# swanctl -L
rw: IKEv1/2, no reauthentication, rekeying every 14400s
  local:  %any
  remote: %any
  local public key authentication:
    id: moon.example.org
    certs: C=TEST, O=TEST, CN=moon.example.org
  remote public key authentication:
  rw: TUNNEL, rekeying every 3600s
    local:  172.31.11.0/24
    remote: dynamic

root at misch:~# swanctl -L
home: IKEv1/2, no reauthentication, rekeying every 14400s
  local:  %any
  remote: xx.xx.xx.xx
  local public key authentication:
    id: carol.example.org
    certs: C=TEST, O=TEST, CN=carol.example.org
  remote public key authentication:
    id: moon.example.org
  home: TUNNEL, rekeying every 3600s
    local:  dynamic
    remote: 172.31.11.0/24
The tunnel comes up and an IKE SA is negotiated. But no ipsec SA is
formed. Any idea?
root at moon:~# swanctl --log
16[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (80 bytes)
16[ENC] parsed INFORMATIONAL request 2 [ D ]
16[IKE] received DELETE for IKE_SA rw[15]
16[IKE] deleting IKE_SA rw[15] between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
16[IKE] IKE_SA deleted
16[ENC] generating INFORMATIONAL response 2 [ ]
16[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (80 bytes)
06[NET] received packet: from 109.43.49.131[4798] to 172.31.11.131[500] (904 bytes)
06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
06[IKE] 109.43.49.131 is initiating an IKE_SA
06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
06[IKE] local host is behind NAT, sending keep alives
06[IKE] remote host is behind NAT
06[IKE] sending cert request for "C=TEST, O=TEST, CN=TEST CA"
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
06[NET] sending packet: from 172.31.11.131[500] to 109.43.49.131[4798] (273 bytes)
07[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (624 bytes)
07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
07[IKE] received cert request for "C=TEST, O=TEST, CN=TEST CA"
07[IKE] received end entity cert "C=TEST, O=TEST, CN=carol.example.org"
07[CFG] looking for peer configs matching 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
07[CFG] selected peer config 'rw'
07[CFG] using certificate "C=TEST, O=TEST, CN=carol.example.org"
07[CFG] using trusted ca certificate "C=TEST, O=TEST, CN=TEST CA"
07[CFG] checking certificate status of "C=TEST, O=TEST, CN=carol.example.org"
07[CFG] certificate status is not available
07[CFG] reached self-signed root ca with a path length of 0
07[IKE] authentication of 'ccarol.example.org' with ED25519 successful
07[IKE] peer supports MOBIKE
07[IKE] authentication of 'moon.example.org' (myself) with ED25519 successful
07[IKE] IKE_SA rw[16] established between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
07[IKE] scheduling rekeying in 13852s
07[IKE] maximum IKE_SA lifetime 15292s
07[IKE] sending end entity cert "C=TEST, O=TEST, CN=moon.example.org"
07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
07[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (544 bytes)
The connection list is:
root at moon:~# swanctl -l
rw: #16, ESTABLISHED, IKEv2, 15aaec072bc0be30_i 3fb1301da911d929_r*
  local  'moon.example.org' @ 172.31.11.131[4500]
  remote 'carol.example.org' @ 109.43.49.131[21329]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
  established 516s ago, rekeying in 13336s
But no child section / ipsec sa. Any ideas what is wrong here?
Kind regards,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
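The log in the post shows the symptom directly: the IKE_AUTH request from carol carries IDi, CERT, AUTH and a few notifies, but no SA, TSi or TSr payloads, so the responder authenticates the peer and establishes the IKE_SA without ever being asked for a CHILD_SA. The following is an added example, not code from the post or from the strongSwan project: a small checker for `swanctl --log` output that re-joins mail-wrapped lines and reports every IKE_SA that was established without CHILD_SA payloads in its IKE_AUTH exchange. It assumes the charon log layout seen above (`NN[SUBSYS] message`, payload lists in square brackets) and that a CHILD_SA negotiated in IKE_AUTH carries SA, TSi and TSr (RFC 7296, section 1.2). The first sample block is taken from the post; the second "healthy" exchange is constructed for contrast.

```python
"""Flag IKE_SAs established without a CHILD_SA proposal in IKE_AUTH.

Added example for the strongSwan users-list thread; not part of the post
or of strongSwan. Assumes charon's log format as printed by `swanctl --log`.
"""
import re
from typing import Dict, List

# charon log prefix "NN[SUBSYS] " (assumed from the post's output)
PREFIX_RE = re.compile(r"^\d+\[[A-Z]+\] ")
# "parsed IKE_AUTH request 1 [ IDi CERT ... ]" / "generating IKE_AUTH response 1 [ ... ]"
IKE_AUTH_RE = re.compile(
    r"^\d+\[ENC\] (?:parsed|generating) IKE_AUTH (?P<kind>request|response) "
    r"\d+ \[ (?P<payloads>.*?) \]$"
)
ESTABLISHED_RE = re.compile(
    r"^\d+\[IKE\] IKE_SA (?P<name>\S+) established between (?P<peers>.+)$"
)
# Payloads an IKE_AUTH exchange carries when it also sets up a CHILD_SA
CHILD_PAYLOADS = {"SA", "TSi", "TSr"}


def unwrap(lines: List[str]) -> List[str]:
    """Re-join lines that a mail client wrapped: a line without the
    'NN[SUBSYS]' prefix is a continuation of the previous log line."""
    out: List[str] = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if PREFIX_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line.lstrip()
    return out


def analyze(log_text: str) -> List[Dict]:
    """Return one finding per established IKE_SA, saying whether the
    IKE_AUTH request(s) that preceded it proposed a CHILD_SA.

    The union over all IKE_AUTH requests is used so that multi-round
    IKE_AUTH (e.g. EAP) is judged on its first, SA-carrying round."""
    findings: List[Dict] = []
    proposed: set = set()
    for line in unwrap(log_text.splitlines()):
        m = IKE_AUTH_RE.match(line)
        if m:
            if m.group("kind") == "request":
                proposed |= set(m.group("payloads").split())
            continue
        m = ESTABLISHED_RE.match(line)
        if m:
            missing = sorted(CHILD_PAYLOADS - proposed)
            findings.append({
                "ike_sa": m.group("name"),
                "peers": m.group("peers"),
                "child_proposed": not missing,
                "missing": missing,
            })
            proposed = set()  # next IKE_SA starts fresh
    return findings


# Lines copied from the post, with the mail client's wrapping left in place
POST_LOG = """
07[NET] received packet: from 109.43.49.131[21329] to
172.31.11.131[4500] (624 bytes)
07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY)
N(MSG_ID_SYN_SUP) ]
07[CFG] selected peer config 'rw'
07[IKE] IKE_SA rw[16] established between
172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP)
N(NO_ADD_ADDR) ]
"""

# Constructed "healthy" exchange (not from the post): IKE_AUTH carries SA/TSi/TSr
CONSTRUCTED_OK_LOG = """
08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) ]
08[IKE] IKE_SA rw[17] established between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(MOBIKE_SUP) ]
"""

SAMPLE_LOG = POST_LOG + CONSTRUCTED_OK_LOG

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        status = "ok" if f["child_proposed"] else f"NO CHILD_SA proposed (missing {f['missing']})"
        print(f"{f['ike_sa']} {f['peers']}: {status}")
```

Run against the post's lines it reports `rw[16] ... NO CHILD_SA proposed (missing ['SA', 'TSi', 'TSr'])`, while the constructed exchange passes. Since the responder can only answer what the initiator proposes, the place to look is the initiator side: in swanctl.conf a child is only negotiated when it is initiated explicitly (`swanctl -i --child home`) or through the child's `start_action` (`start`, or `trap` once matching traffic appears). CHILD_SAs created later through CREATE_CHILD_SA are outside what this checker looks at.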