On Fri, May 07, 2021 at 12:17:35PM +0300, Денис Давыдов wrote:
> Hello all,
>
> I can't understand why I got SA_INIT timeout:
> May 5 13:18:54 crypto-gw2 iked[65530]: spi=0x73bcd531eb2e8899: sa_free:
> SA_INIT timeout
>
> 1.1.1.1 (crypto-gw2) - my host
> 7.7.7.7 - our ISP provider (some Cisco device)
>
> /etc/iked.conf (on 1.1.1.1):
>
> ikev2 crypto-primary active esp \
>         from 10.21.139.8/30 to 2.2.2.2 \
>         from 10.21.139.8/30 to 3.3.3.3 \
>         peer 7.7.7.7 \
>         ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
>         childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
>         ikelifetime 86400 lifetime 28800 \
>         psk "secret"
>
> The remote side claims to have the same settings.
>
> crypto-gw2# ikectl sh sa | grep 7.7.7.7
> iked_sas: 0xb0e1878b7d0 rspi 0x2d606f017d098928 ispi 0xd0497626849535cd
> 1.1.1.1:500->7.7.7.7:500<IPV4/217.118.86.15>[] AUTH_SUCCESS i nexti 0x0 pol
> 0xb0e9b38d000
>
> Why is the CHILD_SA not being created? I tried to figure it out from the logs
> but couldn't.
It looks like the peer sends its IKE_AUTH reply without an SA payload but with a TS_UNACCEPTABLE notification. The most likely cause is that your "from ... to ..." configuration is incompatible with the configuration of your peer. Thanks for the report; I will see how I can make this error more obvious in the logs.
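To make the TS_UNACCEPTABLE explanation concrete, here is an added example that is not part of this thread and not iked's own code. It models the IKEv2 traffic-selector step from RFC 7296 section 2.9: the initiator proposes TSi/TSr pairs (the "from ... to ..." flows above), the responder looks for an overlap with its own configured flows and narrows to it, and if nothing overlaps it answers TS_UNACCEPTABLE and no CHILD_SA is created. The local flows are taken from the iked.conf above; both peer configurations are constructed for illustration (the thread never shows the Cisco side), and CIDR intersection is simplified to "the longer prefix wins", which is exact for two CIDR blocks since they either nest or are disjoint.

```python
"""Model IKEv2 traffic-selector narrowing (RFC 7296 sec. 2.9) to show why a
from/to mismatch ends in TS_UNACCEPTABLE instead of a CHILD_SA."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One 'from src to dst' flow, written from the owner's point of view."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def flow(src: str, dst: str) -> Flow:
    # strict=False lets a bare host address like "2.2.2.2" become a /32
    return Flow(ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False))


def intersect(a: ipaddress.IPv4Network,
              b: ipaddress.IPv4Network) -> Optional[ipaddress.IPv4Network]:
    """Two CIDR blocks either nest or are disjoint, so the overlap (if any)
    is simply the more specific of the two."""
    if not a.overlaps(b):
        return None
    return a if a.subnet_of(b) else b


def narrow(initiator_flows: list, responder_flows: list) -> Optional[Flow]:
    """Responder-side selection: return the first proposed flow narrowed to
    the responder's configuration, or None (meaning TS_UNACCEPTABLE).

    The responder's own 'from X to Y' is the mirror image of the initiator's
    proposal, so the proposal's src is matched against the responder's dst
    and vice versa. The result is returned in the initiator's orientation."""
    for prop in initiator_flows:
        for local in responder_flows:
            s = intersect(prop.src, local.dst)
            d = intersect(prop.dst, local.src)
            if s is not None and d is not None:
                return Flow(s, d)
    return None


def negotiate(initiator_flows: list, responder_flows: list) -> str:
    """Summarise the outcome the way iked would log it."""
    chosen = narrow(initiator_flows, responder_flows)
    if chosen is None:
        return "TS_UNACCEPTABLE"
    return f"CHILD_SA {chosen.src} -> {chosen.dst}"


# Flows from the iked.conf in the thread (initiator side, 1.1.1.1).
LOCAL_FLOWS = [
    flow("10.21.139.8/30", "2.2.2.2"),
    flow("10.21.139.8/30", "3.3.3.3"),
]

# Constructed peer configurations (hypothetical; the thread does not show them).
PEER_MATCHING = [flow("2.2.2.0/24", "10.21.139.0/24")]   # supersets: narrows fine
PEER_MISMATCH = [flow("2.2.2.2", "10.21.139.0/30")]      # wrong /30: no overlap

if __name__ == "__main__":
    print("matching peer :", negotiate(LOCAL_FLOWS, PEER_MATCHING))
    print("mismatched peer:", negotiate(LOCAL_FLOWS, PEER_MISMATCH))
```

When the peer's selectors are supersets, the responder narrows them down to exactly the initiator's /30 and host address; when the peer has the neighbouring /30 (10.21.139.0/30 instead of 10.21.139.8/30), no pair overlaps and the exchange ends with TS_UNACCEPTABLE, which matches the symptom above: AUTH_SUCCESS on the IKE SA but no CHILD_SA.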