[strongSwan] IKE SA, but no child SA
noel.kuntze+strongswan-users-ml at thermi.consulting
noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jul 7 15:33:04 CEST 2022
Hi Manfred,
Quick fix would be to put the private IP of carol as their local_ts (remote_ts on moon then of course).
Kind regards
Noel
Am 7. Juli 2022 13:31:51 UTC schrieb Michael Schwartzkopff <ms at sys4.de>:
>Thanks. Do you have a Quick hint for me to fix the config?
>
>07.07.2022 15:19:54 noel.kuntze+strongswan-users-ml at thermi.consulting:
>
>> Hi,
>>
>> Then of course because they're each behind NAT the one TS being dynamic, they will propose different, non intersecting ones for that one.
>>
>> Kind regards
>> Noel
>>
>> Am 7. Juli 2022 13:15:40 UTC schrieb Michael Schwartzkopff <ms at sys4.de>:
>>> On 07.07.22 15:07, noel.kuntze+strongswan-users-ml at thermi.consulting wrote:
>>>
>>>
>>>
>>>
>>>>
>>>>
>>>>
>>>> Hi Manfred,
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If the peer is strongswqn: Initiate with --child x, not --ike x
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Otherwise: client problem, it sends no TSi or TSr.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Kind regards
>>>>
>>>>
>>>>
>>>> Noel
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> Perhaps interesting to add: Both, carol and moon are behind NAT. moon is on AWS.
>>>
>>>
>>>
>>>
>>>
>>>
>>>>
>>>>
>>>>
>>>> Am 7. Juli 2022 12:49:06 UTC schrieb Michael Schwartzkopff <ms at sys4.de>:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> I set up a RW connection according to
>>>>>
>>>>>
>>>>>
>>>>> https://docs.strongswan.org/docs/5.9/config/quickstart.html#_roadwarrior_case and
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> https://www.strongswan.org/testing/testresults/ikev2/rw-cert/
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> swanctl -L shows:
>>>>>
>>>>>
>>>>>
>>>>> root at moon:~# swanctl -L
>>>>>
>>>>>
>>>>>
>>>>> rw: IKEv1/2, no reauthentication, rekeying every 14400s
>>>>>
>>>>>
>>>>>
>>>>> local: %any
>>>>>
>>>>>
>>>>>
>>>>> remote: %any
>>>>>
>>>>>
>>>>>
>>>>> local public key authentication:
>>>>>
>>>>>
>>>>>
>>>>> id: moon.example.org
>>>>>
>>>>>
>>>>>
>>>>> certs: C=TEST, O=TEST, CN=moon.example.org
>>>>>
>>>>>
>>>>>
>>>>> remote public key authentication:
>>>>>
>>>>>
>>>>>
>>>>> rw: TUNNEL, rekeying every 3600s
>>>>>
>>>>>
>>>>>
>>>>> local: 172.31.11.0/24
>>>>>
>>>>>
>>>>>
>>>>> remote: dynamic
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> root at misch:~# swanctl -L
>>>>>
>>>>>
>>>>>
>>>>> home: IKEv1/2, no reauthentication, rekeying every 14400s
>>>>>
>>>>>
>>>>>
>>>>> local: %any
>>>>>
>>>>>
>>>>>
>>>>> remote: xx.xx.xx.xx
>>>>>
>>>>>
>>>>>
>>>>> local public key authentication:
>>>>>
>>>>>
>>>>>
>>>>> id: carol.example.org
>>>>>
>>>>>
>>>>>
>>>>> certs: C=TEST, O=TEST, CN=carol.example.org
>>>>>
>>>>>
>>>>>
>>>>> remote public key authentication:
>>>>>
>>>>>
>>>>>
>>>>> id: moon.example.org
>>>>>
>>>>>
>>>>>
>>>>> home: TUNNEL, rekeying every 3600s
>>>>>
>>>>>
>>>>>
>>>>> local: dynamic
>>>>>
>>>>>
>>>>>
>>>>> remote: 172.31.11.0/24
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> The tunnel comes up and an IKE SA is negotiated. But no ipsec SA is formed. Any idea?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> root at moon:~# swanctl --log
>>>>>
>>>>>
>>>>>
>>>>> 16[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (80 bytes)
>>>>>
>>>>>
>>>>>
>>>>> 16[ENC] parsed INFORMATIONAL request 2 [ D ]
>>>>>
>>>>>
>>>>>
>>>>> 16[IKE] received DELETE for IKE_SA rw[15]
>>>>>
>>>>>
>>>>>
>>>>> 16[IKE] deleting IKE_SA rw[15] between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
>>>>>
>>>>>
>>>>>
>>>>> 16[IKE] IKE_SA deleted
>>>>>
>>>>>
>>>>>
>>>>> 16[ENC] generating INFORMATIONAL response 2 [ ]
>>>>>
>>>>>
>>>>>
>>>>> 16[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (80 bytes)
>>>>>
>>>>>
>>>>>
>>>>> 06[NET] received packet: from 109.43.49.131[4798] to 172.31.11.131[500] (904 bytes)
>>>>>
>>>>>
>>>>>
>>>>> 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>>>>
>>>>>
>>>>>
>>>>> 06[IKE] 109.43.49.131 is initiating an IKE_SA
>>>>>
>>>>>
>>>>>
>>>>> 06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
>>>>>
>>>>>
>>>>>
>>>>> 06[IKE] local host is behind NAT, sending keep alives
>>>>>
>>>>>
>>>>>
>>>>> 06[IKE] remote host is behind NAT
>>>>>
>>>>>
>>>>>
>>>>> 06[IKE] sending cert request for "C=TEST, O=TEST, CN=TEST CA"
>>>>>
>>>>>
>>>>>
>>>>> 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
>>>>>
>>>>>
>>>>>
>>>>> 06[NET] sending packet: from 172.31.11.131[500] to 109.43.49.131[4798] (273 bytes)
>>>>>
>>>>>
>>>>>
>>>>> 07[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (624 bytes)
>>>>>
>>>>>
>>>>>
>>>>> 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>>>>>
>>>>>
>>>>>
>>>>> 07[IKE] received cert request for "C=TEST, O=TEST, CN=TEST CA"
>>>>>
>>>>>
>>>>>
>>>>> 07[IKE] received end entity cert "C=TEST, O=TEST, CN=carol.example.org"
>>>>>
>>>>>
>>>>>
>>>>> 07[CFG] looking for peer configs matching 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
>>>>>
>>>>>
>>>>>
>>>>> 07[CFG] selected peer config 'rw'
>>>>>
>>>>>
>>>>>
>>>>> 07[CFG] using certificate "C=TEST, O=TEST, CN=carol.example.org"
>>>>>
>>>>>
>>>>>
>>>>> 07[CFG] using trusted ca certificate "C=TEST, O=TEST, CN=TEST CA"
>>>>>
>>>>>
>>>>>
>>>>> 07[CFG] checking certificate status of "C=TEST, O=TEST, CN=carol.example.org"
>>>>>
>>>>>
>>>>>
>>>>> 07[CFG] certificate status is not available
>>>>>
>>>>>
>>>>>
>>>>> 07[CFG] reached self-signed root ca with a path length of 0
>>>>>
>>>>>
>>>>>
>>>>> 07[IKE] authentication of 'ccarol.example.org' with ED25519 successful
>>>>>
>>>>>
>>>>>
>>>>> 07[IKE] peer supports MOBIKE
>>>>>
>>>>>
>>>>>
>>>>> 07[IKE] authentication of 'moon.example.org' (myself) with ED25519 successful
>>>>>
>>>>>
>>>>>
>>>>> 07[IKE] IKE_SA rw[16] established between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
>>>>>
>>>>>
>>>>>
>>>>> 07[IKE] scheduling rekeying in 13852s
>>>>>
>>>>>
>>>>>
>>>>> 07[IKE] maximum IKE_SA lifetime 15292s
>>>>>
>>>>>
>>>>>
>>>>> 07[IKE] sending end entity cert "C=TEST, O=TEST, CN=moon.example.org"
>>>>>
>>>>>
>>>>>
>>>>> 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
>>>>>
>>>>>
>>>>>
>>>>> 07[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (544 bytes)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> The connection list is:
>>>>>
>>>>>
>>>>>
>>>>> root at moon:~# swanctl -l
>>>>>
>>>>>
>>>>>
>>>>> rw: #16, ESTABLISHED, IKEv2, 15aaec072bc0be30_i 3fb1301da911d929_r*
>>>>>
>>>>>
>>>>>
>>>>> local 'moon.example.org' @ 172.31.11.131[4500]
>>>>>
>>>>>
>>>>>
>>>>> remote 'carol.example.org' @ 109.43.49.131[21329]
>>>>>
>>>>>
>>>>>
>>>>> AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
>>>>>
>>>>>
>>>>>
>>>>> established 516s ago, rekeying in 13336s
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> But no child section / ipsec sa. Any ideas what is wrong here?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Mit freundlichen Grüßen,
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> [*] sys4 AG
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> https://sys4.de, +49 (89) 30 90 46 64
>>>>>
>>>>>
>>>>>
>>>>> Schleißheimer Straße 26/MG,80333 München
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
>>>>>
>>>>>
>>>>>
>>>>> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>>>>>
>>>>>
>>>>>
>>>>> Aufsichtsratsvorsitzender: Florian Kirstein
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Sent from mobile
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> Mit freundlichen Grüßen,
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> [*] sys4 AG
>>>
>>>
>>>
>>> https://sys4.de, +49 (89) 30 90 46 64
>>>
>>>
>>>
>>> Schleißheimer Straße 26/MG,80333 München
>>>
>>>
>>>
>>> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
>>>
>>>
>>>
>>> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>>>
>>>
>>>
>>> Aufsichtsratsvorsitzender: Florian Kirstein
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>> Sent from mobile
Sent from mobile
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220707/802cd261/attachment.html>
More information about the Users
mailing list