[strongSwan] IKE SA, but no child SA

noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jul 7 15:33:04 CEST 2022


Hi Manfred,
Quick fix would be to put the private IP of carol as their local_ts (remote_ts on moon then of course).

Kind regards
Noel

On 7 July 2022 13:31:51 UTC, Michael Schwartzkopff <ms at sys4.de> wrote:
>Thanks. Do you have a quick hint for me to fix the config?
>
>07.07.2022 15:19:54 noel.kuntze+strongswan-users-ml at thermi.consulting:
>
>> Hi,
>> 
>> Then of course, because they're each behind NAT, the one TS being dynamic, they will propose different, non-intersecting ones for that one.
>> 
>> Kind regards
>> Noel
>> 
>> On 7 July 2022 13:15:40 UTC, Michael Schwartzkopff <ms at sys4.de> wrote:
>>> On 07.07.22 15:07, noel.kuntze+strongswan-users-ml at thermi.consulting wrote:
>>>> Hi Manfred,
>>>> 
>>>> If the peer is strongSwan: initiate with --child x, not --ike x.
>>>> 
>>>> Otherwise: client problem, it sends no TSi or TSr.
>>>> 
>>>> Kind regards
>>>> Noel
>>> 
>>> Perhaps interesting to add: both carol and moon are behind NAT. moon is on AWS.
>>> 
>>>> On 7 July 2022 12:49:06 UTC, Michael Schwartzkopff <ms at sys4.de> wrote:
>>>>> Hi,
>>>>> 
>>>>> I set up a RW connection according to
>>>>> https://docs.strongswan.org/docs/5.9/config/quickstart.html#_roadwarrior_case and
>>>>> https://www.strongswan.org/testing/testresults/ikev2/rw-cert/
>>>>> 
>>>>> swanctl -L shows:
>>>>> root at moon:~# swanctl -L
>>>>> rw: IKEv1/2, no reauthentication, rekeying every 14400s
>>>>>   local:  %any
>>>>>   remote: %any
>>>>>   local public key authentication:
>>>>>     id: moon.example.org
>>>>>     certs: C=TEST, O=TEST, CN=moon.example.org
>>>>>   remote public key authentication:
>>>>>   rw: TUNNEL, rekeying every 3600s
>>>>>     local:  172.31.11.0/24
>>>>>     remote: dynamic
>>>>> 
>>>>> root at misch:~# swanctl -L
>>>>> home: IKEv1/2, no reauthentication, rekeying every 14400s
>>>>>   local:  %any
>>>>>   remote: xx.xx.xx.xx
>>>>>   local public key authentication:
>>>>>     id: carol.example.org
>>>>>     certs: C=TEST, O=TEST, CN=carol.example.org
>>>>>   remote public key authentication:
>>>>>     id: moon.example.org
>>>>>   home: TUNNEL, rekeying every 3600s
>>>>>     local:  dynamic
>>>>>     remote: 172.31.11.0/24
>>>>> 
>>>>> The tunnel comes up and an IKE SA is negotiated. But no IPsec SA is formed. Any idea?
>>>>> 
>>>>> root at moon:~# swanctl --log
>>>>> 16[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (80 bytes)
>>>>> 16[ENC] parsed INFORMATIONAL request 2 [ D ]
>>>>> 16[IKE] received DELETE for IKE_SA rw[15]
>>>>> 16[IKE] deleting IKE_SA rw[15] between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
>>>>> 16[IKE] IKE_SA deleted
>>>>> 16[ENC] generating INFORMATIONAL response 2 [ ]
>>>>> 16[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (80 bytes)
>>>>> 06[NET] received packet: from 109.43.49.131[4798] to 172.31.11.131[500] (904 bytes)
>>>>> 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>>>> 06[IKE] 109.43.49.131 is initiating an IKE_SA
>>>>> 06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
>>>>> 06[IKE] local host is behind NAT, sending keep alives
>>>>> 06[IKE] remote host is behind NAT
>>>>> 06[IKE] sending cert request for "C=TEST, O=TEST, CN=TEST CA"
>>>>> 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
>>>>> 06[NET] sending packet: from 172.31.11.131[500] to 109.43.49.131[4798] (273 bytes)
>>>>> 07[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (624 bytes)
>>>>> 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>>>>> 07[IKE] received cert request for "C=TEST, O=TEST, CN=TEST CA"
>>>>> 07[IKE] received end entity cert "C=TEST, O=TEST, CN=carol.example.org"
>>>>> 07[CFG] looking for peer configs matching 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
>>>>> 07[CFG] selected peer config 'rw'
>>>>> 07[CFG]   using certificate "C=TEST, O=TEST, CN=carol.example.org"
>>>>> 07[CFG]   using trusted ca certificate "C=TEST, O=TEST, CN=TEST CA"
>>>>> 07[CFG] checking certificate status of "C=TEST, O=TEST, CN=carol.example.org"
>>>>> 07[CFG] certificate status is not available
>>>>> 07[CFG]   reached self-signed root ca with a path length of 0
>>>>> 07[IKE] authentication of 'ccarol.example.org' with ED25519 successful
>>>>> 07[IKE] peer supports MOBIKE
>>>>> 07[IKE] authentication of 'moon.example.org' (myself) with ED25519 successful
>>>>> 07[IKE] IKE_SA rw[16] established between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
>>>>> 07[IKE] scheduling rekeying in 13852s
>>>>> 07[IKE] maximum IKE_SA lifetime 15292s
>>>>> 07[IKE] sending end entity cert "C=TEST, O=TEST, CN=moon.example.org"
>>>>> 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
>>>>> 07[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (544 bytes)
>>>>> 
>>>>> The connection list is:
>>>>> root at moon:~# swanctl -l
>>>>> rw: #16, ESTABLISHED, IKEv2, 15aaec072bc0be30_i 3fb1301da911d929_r*
>>>>>   local  'moon.example.org' @ 172.31.11.131[4500]
>>>>>   remote 'carol.example.org' @ 109.43.49.131[21329]
>>>>>   AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
>>>>>   established 516s ago, rekeying in 13336s
>>>>> 
>>>>> But no child section / IPsec SA. Any ideas what is wrong here?
>>>>> 
>>>>> Kind regards,
>>>>> 
>>>>> -- 
>>>>> [*] sys4 AG
>>>>> https://sys4.de, +49 (89) 30 90 46 64
>>>>> Schleißheimer Straße 26/MG, 80333 München
>>>>> Registered office: München, Amtsgericht München: HRB 199263
>>>>> Board of Directors: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>>>>> Chairman of the Supervisory Board: Florian Kirstein
>>>> 
>>>> Sent from mobile
>>> 
>>> Kind regards,
>>> 
>> Sent from mobile

Sent from mobile
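The traffic selector mismatch Noel describes, modelled in Python (an added example, not strongSwan code or anything posted in the thread): each peer resolves `dynamic` from its own point of view, so carol's private address and the NAT address moon sees never overlap, while pinning carol's private address in her local_ts and moon's remote_ts narrows cleanly. carol's private address 10.0.0.10 and moon's public address 198.51.100.1 are constructed stand-ins; the other addresses come from the log above.

```python
import ipaddress
from typing import Optional, Tuple

# Addresses from the thread's log: moon's private AWS address and the NAT
# address carol's packets arrive from. carol's own private address and
# moon's public address are constructed stand-ins (the thread masks the latter).
MOON_PRIVATE = "172.31.11.131"
MOON_PUBLIC = "198.51.100.1"     # constructed stand-in for xx.xx.xx.xx
CAROL_PUBLIC = "109.43.49.131"   # the IKE peer address moon actually sees
CAROL_PRIVATE = "10.0.0.10"      # constructed: carol's address behind its NAT

Net = ipaddress.IPv4Network

def resolve_ts(ts: str, dynamic_addr: str) -> Net:
    """Model of a swanctl child TS: 'dynamic' stands for the address of the
    host the TS describes, filled in by whichever peer evaluates it."""
    return ipaddress.ip_network(dynamic_addr if ts == "dynamic" else ts, strict=False)

def narrow(proposed: Net, configured: Net) -> Optional[Net]:
    """Narrow a proposed selector against the responder's configured one
    (RFC 7296 section 2.9). For CIDR blocks an overlap means containment."""
    if not proposed.overlaps(configured):
        return None
    return proposed if proposed.subnet_of(configured) else configured

def negotiate(carol: dict, moon: dict) -> Optional[Tuple[Net, Net]]:
    """carol initiates: TSi from her local_ts, TSr from her remote_ts, each
    resolving 'dynamic' from carol's point of view. moon, the responder,
    narrows them against its own child config, resolving 'dynamic' to the
    addresses it sees. None stands for moon answering TS_UNACCEPTABLE."""
    tsi = resolve_ts(carol["local_ts"], CAROL_PRIVATE)
    tsr = resolve_ts(carol["remote_ts"], MOON_PUBLIC)
    moon_remote = resolve_ts(moon["remote_ts"], CAROL_PUBLIC)
    moon_local = resolve_ts(moon["local_ts"], MOON_PRIVATE)
    tsi_n, tsr_n = narrow(tsi, moon_remote), narrow(tsr, moon_local)
    if tsi_n is None or tsr_n is None:
        return None
    return tsi_n, tsr_n

# The children exactly as 'swanctl -L' printed them in the thread ...
THREAD_CONFIG = ({"local_ts": "dynamic", "remote_ts": "172.31.11.0/24"},   # carol: home
                 {"local_ts": "172.31.11.0/24", "remote_ts": "dynamic"})   # moon: rw
# ... and with carol's private address pinned on both sides, as suggested.
FIXED_CONFIG = ({"local_ts": CAROL_PRIVATE + "/32", "remote_ts": "172.31.11.0/24"},
                {"local_ts": "172.31.11.0/24", "remote_ts": CAROL_PRIVATE + "/32"})

if __name__ == "__main__":
    print("thread config:", negotiate(*THREAD_CONFIG))   # None: 10.0.0.10 vs 109.43.49.131
    print("fixed config: ", negotiate(*FIXED_CONFIG))
```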