[strongSwan] IKE SA, but no child SA

noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jul 7 15:19:38 CEST 2022


Hi,

Then, of course, because they're each behind NAT and the one TS is dynamic, they will propose different, non-intersecting ones for that one.

Kind regards
Noel

On 7 July 2022 13:15:40 UTC, Michael Schwartzkopff <ms at sys4.de> wrote:
>On 07.07.22 15:07, noel.kuntze+strongswan-users-ml at thermi.consulting wrote:
>> Hi Manfred,
>> 
>> If the peer is strongSwan: initiate with --child x, not --ike x
>> 
>> Otherwise: client problem, it sends no TSi or TSr.
>> 
>> Kind regards
>> Noel
>
>
>Perhaps interesting to add: Both, carol and moon are behind NAT. moon is on AWS.
>
>
>> On 7 July 2022 12:49:06 UTC, Michael Schwartzkopff <ms at sys4.de> wrote:
>>> Hi,
>>> 
>>> I set up a RW connection according to
>>> https://docs.strongswan.org/docs/5.9/config/quickstart.html#_roadwarrior_case and
>>> 
>>> https://www.strongswan.org/testing/testresults/ikev2/rw-cert/
>>> 
>>> swanctl -L shows:
>>> root at moon:~# swanctl -L
>>> rw: IKEv1/2, no reauthentication, rekeying every 14400s
>>>   local:  %any
>>>   remote: %any
>>>   local public key authentication:
>>>     id: moon.example.org
>>>     certs: C=TEST, O=TEST, CN=moon.example.org
>>>   remote public key authentication:
>>>   rw: TUNNEL, rekeying every 3600s
>>>     local:  172.31.11.0/24
>>>     remote: dynamic
>>> 
>>> root at misch:~# swanctl -L
>>> home: IKEv1/2, no reauthentication, rekeying every 14400s
>>>   local:  %any
>>>   remote: xx.xx.xx.xx
>>>   local public key authentication:
>>>     id: carol.example.org
>>>     certs: C=TEST, O=TEST, CN=carol.example.org
>>>   remote public key authentication:
>>>     id: moon.example.org
>>>   home: TUNNEL, rekeying every 3600s
>>>     local:  dynamic
>>>     remote: 172.31.11.0/24
>>> 
>>> The tunnel comes up and an IKE SA is negotiated. But no ipsec SA is formed. Any idea?
>>> 
>>> root at moon:~# swanctl --log
>>> 16[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (80 bytes)
>>> 16[ENC] parsed INFORMATIONAL request 2 [ D ]
>>> 16[IKE] received DELETE for IKE_SA rw[15]
>>> 16[IKE] deleting IKE_SA rw[15] between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
>>> 16[IKE] IKE_SA deleted
>>> 16[ENC] generating INFORMATIONAL response 2 [ ]
>>> 16[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (80 bytes)
>>> 06[NET] received packet: from 109.43.49.131[4798] to 172.31.11.131[500] (904 bytes)
>>> 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>> 06[IKE] 109.43.49.131 is initiating an IKE_SA
>>> 06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
>>> 06[IKE] local host is behind NAT, sending keep alives
>>> 06[IKE] remote host is behind NAT
>>> 06[IKE] sending cert request for "C=TEST, O=TEST, CN=TEST CA"
>>> 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
>>> 06[NET] sending packet: from 172.31.11.131[500] to 109.43.49.131[4798] (273 bytes)
>>> 07[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (624 bytes)
>>> 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>>> 07[IKE] received cert request for "C=TEST, O=TEST, CN=TEST CA"
>>> 07[IKE] received end entity cert "C=TEST, O=TEST, CN=carol.example.org"
>>> 07[CFG] looking for peer configs matching 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
>>> 07[CFG] selected peer config 'rw'
>>> 07[CFG]   using certificate "C=TEST, O=TEST, CN=carol.example.org"
>>> 07[CFG]   using trusted ca certificate "C=TEST, O=TEST, CN=TEST CA"
>>> 07[CFG] checking certificate status of "C=TEST, O=TEST, CN=carol.example.org"
>>> 07[CFG] certificate status is not available
>>> 07[CFG]   reached self-signed root ca with a path length of 0
>>> 07[IKE] authentication of 'carol.example.org' with ED25519 successful
>>> 07[IKE] peer supports MOBIKE
>>> 07[IKE] authentication of 'moon.example.org' (myself) with ED25519 successful
>>> 07[IKE] IKE_SA rw[16] established between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
>>> 07[IKE] scheduling rekeying in 13852s
>>> 07[IKE] maximum IKE_SA lifetime 15292s
>>> 07[IKE] sending end entity cert "C=TEST, O=TEST, CN=moon.example.org"
>>> 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
>>> 07[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (544 bytes)
>>> 
>>> The connection list is:
>>> root at moon:~# swanctl -l
>>> rw: #16, ESTABLISHED, IKEv2, 15aaec072bc0be30_i 3fb1301da911d929_r*
>>>   local  'moon.example.org' @ 172.31.11.131[4500]
>>>   remote 'carol.example.org' @ 109.43.49.131[21329]
>>>   AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
>>>   established 516s ago, rekeying in 13336s
>>> 
>>> But no child section / ipsec sa. Any ideas what is wrong here?
>>> 
>>> 
>>> Kind regards,
>>> 
>>> -- 
>>> 
>>> [*] sys4 AG
>>> 
>>> https://sys4.de, +49 (89) 30 90 46 64
>>> Schleißheimer Straße 26/MG, 80333 München
>>> 
>>> Registered office: München, Amtsgericht München: HRB 199263
>>> Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>>> Chairman of the supervisory board: Florian Kirstein
>> Sent from mobile

Sent from mobile
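Added example, not part of the thread above and not strongSwan's own code: a small POSIX shell check that reads `swanctl --log` output and reports whether an IKE_AUTH request actually proposed a CHILD_SA. In the log quoted above, moon's IKE_SA_INIT response carries N(CHDLESS_SUP) and carol's IKE_AUTH request `[ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH ... ]` contains no SA, TSi or TSr payload, which is exactly the childless initiation that `swanctl --initiate --ike home` produces and why `swanctl -l` shows an ESTABLISHED IKE_SA with no child; a `--child home` initiation adds SA, TSi and TSr. The function names and the second sample line (the same request with SA TSi TSr present) are constructed for this example; the first sample line is the one from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): classify charon "parsed IKE_AUTH request"
# log lines by whether they carry the SA, TSi and TSr payloads a CHILD_SA
# negotiation needs. Without them the initiator asked for a childless IKE_SA.
set -f   # no pathname expansion while word-splitting payload names like N(MOBIKE_SUP)

# Print "child" if the line is an IKE_AUTH request proposing a CHILD_SA,
# "childless" if it is an IKE_AUTH request without SA/TSi/TSr, or "skip" for
# any other log line. Always returns 0 so it is safe under `set -e`.
ike_auth_child_status() {
    line=$1
    case $line in
        *"parsed IKE_AUTH request"*) ;;
        *) echo skip; return 0 ;;
    esac
    # The payload list is the first "[ ... ]" group after the message id,
    # e.g. "[ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH ... ]".
    payloads=${line#*"[ "}
    payloads=${payloads%%" ]"*}
    has_sa=0 has_tsi=0 has_tsr=0
    for p in $payloads; do
        case $p in
            SA)  has_sa=1 ;;
            TSi) has_tsi=1 ;;
            TSr) has_tsr=1 ;;
        esac
    done
    if [ "$has_sa" -eq 1 ] && [ "$has_tsi" -eq 1 ] && [ "$has_tsr" -eq 1 ]; then
        echo child
    else
        echo childless
    fi
    return 0
}

# Scan a whole log on stdin and print "<message id> <verdict>" for every
# IKE_AUTH request, so you can see which initiation created a CHILD_SA.
scan_ike_auth() {
    while IFS= read -r l; do
        v=$(ike_auth_child_status "$l")
        if [ "$v" = skip ]; then continue; fi
        id=${l#*"IKE_AUTH request "}   # message id follows "request"
        id=${id%% *}
        echo "$id $v"
    done
}

# Sample input. LOG_CHILDLESS is the IKE_AUTH request quoted in the thread;
# LOG_WITH_CHILD is a constructed variant of the same request with a CHILD_SA
# proposal (SA TSi TSr); NOISE is an unrelated line.
LOG_CHILDLESS='07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]'
LOG_WITH_CHILD='07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]'
NOISE='07[IKE] peer supports MOBIKE'

printf '%s\n%s\n%s\n' "$NOISE" "$LOG_CHILDLESS" "$LOG_WITH_CHILD" | scan_ike_auth
```

On a live responder, pipe `swanctl --log` into `scan_ike_auth` while the peer initiates: a "childless" verdict means the fix is on the initiator (`swanctl --initiate --child <name>`, or a non-strongSwan client that omits TSi/TSr), while a "child" verdict followed by no CHILD_SA points at proposal or traffic-selector mismatch instead, which is the NAT/dynamic-TS case Noel describes.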