Thanks. Do you have a quick hint for me to fix the config?

07.07.2022 15:19:54 noel.kuntze+strongswan-users-ml@thermi.consulting:
> Hi,
>
> Then of course because they're each behind NAT the one TS being dynamic, they
> will propose different, non intersecting ones for that one.
>
> Kind regards
> Noel
>
> On 7 July 2022 13:15:40 UTC, Michael Schwartzkopff <m...@sys4.de> wrote:
>> On 07.07.22 15:07, noel.kuntze+strongswan-users-ml@thermi.consulting wrote:
>>> Hi Manfred,
>>>
>>> If the peer is strongSwan: Initiate with --child x, not --ike x
>>>
>>> Otherwise: client problem, it sends no TSi or TSr.
>>>
>>> Kind regards
>>> Noel
>>
>> Perhaps interesting to add: Both, carol and moon are behind NAT. moon is on
>> AWS.
>>
>>> On 7 July 2022 12:49:06 UTC, Michael Schwartzkopff <m...@sys4.de> wrote:
>>>> Hi,
>>>>
>>>> I set up a RW connection according to
>>>> https://docs.strongswan.org/docs/5.9/config/quickstart.html#_roadwarrior_case
>>>> and
>>>> https://www.strongswan.org/testing/testresults/ikev2/rw-cert/
>>>>
>>>> swanctl -L shows:
>>>>
>>>> root@moon:~# swanctl -L
>>>> rw: IKEv1/2, no reauthentication, rekeying every 14400s
>>>>   local:  %any
>>>>   remote: %any
>>>>   local public key authentication:
>>>>     id: moon.example.org
>>>>     certs: C=TEST, O=TEST, CN=moon.example.org
>>>>   remote public key authentication:
>>>>   rw: TUNNEL, rekeying every 3600s
>>>>     local:  172.31.11.0/24
>>>>     remote: dynamic
>>>>
>>>> root@misch:~# swanctl -L
>>>> home: IKEv1/2, no reauthentication, rekeying every 14400s
>>>>   local:  %any
>>>>   remote: xx.xx.xx.xx
>>>>   local public key authentication:
>>>>     id: carol.example.org
>>>>     certs: C=TEST, O=TEST, CN=carol.example.org
>>>>   remote public key authentication:
>>>>     id: moon.example.org
>>>>   home: TUNNEL, rekeying every 3600s
>>>>     local:  dynamic
>>>>     remote: 172.31.11.0/24
>>>>
>>>> The tunnel comes up and an IKE SA is negotiated. But no IPsec SA is
>>>> formed. Any idea?
>>>>
>>>> root@moon:~# swanctl --log
>>>> 16[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (80 bytes)
>>>> 16[ENC] parsed INFORMATIONAL request 2 [ D ]
>>>> 16[IKE] received DELETE for IKE_SA rw[15]
>>>> 16[IKE] deleting IKE_SA rw[15] between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
>>>> 16[IKE] IKE_SA deleted
>>>> 16[ENC] generating INFORMATIONAL response 2 [ ]
>>>> 16[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (80 bytes)
>>>> 06[NET] received packet: from 109.43.49.131[4798] to 172.31.11.131[500] (904 bytes)
>>>> 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>>> 06[IKE] 109.43.49.131 is initiating an IKE_SA
>>>> 06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
>>>> 06[IKE] local host is behind NAT, sending keep alives
>>>> 06[IKE] remote host is behind NAT
>>>> 06[IKE] sending cert request for "C=TEST, O=TEST, CN=TEST CA"
>>>> 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
>>>> 06[NET] sending packet: from 172.31.11.131[500] to 109.43.49.131[4798] (273 bytes)
>>>> 07[NET] received packet: from 109.43.49.131[21329] to 172.31.11.131[4500] (624 bytes)
>>>> 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>>>> 07[IKE] received cert request for "C=TEST, O=TEST, CN=TEST CA"
>>>> 07[IKE] received end entity cert "C=TEST, O=TEST, CN=carol.example.org"
>>>> 07[CFG] looking for peer configs matching 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
>>>> 07[CFG] selected peer config 'rw'
>>>> 07[CFG] using certificate "C=TEST, O=TEST, CN=carol.example.org"
>>>> 07[CFG] using trusted ca certificate "C=TEST, O=TEST, CN=TEST CA"
>>>> 07[CFG] checking certificate status of "C=TEST, O=TEST, CN=carol.example.org"
>>>> 07[CFG] certificate status is not available
>>>> 07[CFG] reached self-signed root ca with a path length of 0
>>>> 07[IKE] authentication of 'ccarol.example.org' with ED25519 successful
>>>> 07[IKE] peer supports MOBIKE
>>>> 07[IKE] authentication of 'moon.example.org' (myself) with ED25519 successful
>>>> 07[IKE] IKE_SA rw[16] established between 172.31.11.131[moon.example.org]...109.43.49.131[carol.example.org]
>>>> 07[IKE] scheduling rekeying in 13852s
>>>> 07[IKE] maximum IKE_SA lifetime 15292s
>>>> 07[IKE] sending end entity cert "C=TEST, O=TEST, CN=moon.example.org"
>>>> 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
>>>> 07[NET] sending packet: from 172.31.11.131[4500] to 109.43.49.131[21329] (544 bytes)
>>>>
>>>> The connection list is:
>>>>
>>>> root@moon:~# swanctl -l
>>>> rw: #16, ESTABLISHED, IKEv2, 15aaec072bc0be30_i 3fb1301da911d929_r*
>>>>   local  'moon.example.org' @ 172.31.11.131[4500]
>>>>   remote 'carol.example.org' @ 109.43.49.131[21329]
>>>>   AES_CBC-128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
>>>>   established 516s ago, rekeying in 13336s
>>>>
>>>> But no child section / IPsec SA. Any ideas what is wrong here?
>>>>
>>>> Kind regards,
>>>>
>>>> --
>>>> [*] sys4 AG
>>>> https://sys4.de, +49 (89) 30 90 46 64
>>>> Schleißheimer Straße 26/MG, 80333 München
>>>>
>>>> Registered office: Munich, Amtsgericht München: HRB 199263
>>>> Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>>>> Chairman of the supervisory board: Florian Kirstein
>>>
>>> Sent from mobile
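Added example, not from any of the posters: a small Python check over the `swanctl --log` lines quoted above that flags an IKE_AUTH request carrying no SA/TSi/TSr payloads, which is the childless initiation Noel describes (moon's N(CHDLESS_SUP) in its IKE_SA_INIT response is what lets such a request complete with an IKE_SA but no CHILD_SA). The sample input is the thread's own log lines plus one constructed line showing a request that does propose a CHILD_SA.

```python
import re

# Log lines quoted in the thread (the IKE_AUTH request carries no SA/TSi/TSr), embedded as sample input.
SAMPLE_LOG = """\
06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
"""

# Constructed line (not from the thread): an IKE_AUTH request that does propose a CHILD_SA.
SAMPLE_WITH_CHILD = "09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) ]\n"

# "<thread>[ENC] parsed|generating <EXCHANGE> request|response <id> [ payload list ]"
ENC_LINE = re.compile(r"^\d+\[ENC\] (parsed|generating) (\w+) (request|response) (\d+) \[\s*(.*?)\s*\]\s*$")
CHILD_PAYLOADS = {"SA", "TSi", "TSr"}  # payloads that carry the CHILD_SA proposal and its traffic selectors


def parse_payloads(line):
    """Return (exchange, direction, message_id, payload_names) for an [ENC] line, else None."""
    m = ENC_LINE.match(line)
    if not m:
        return None
    return m.group(2), m.group(3), int(m.group(4)), m.group(5).split()


def find_childless_ike_auth(log_text):
    """Flag IKE_AUTH requests that carry no SA/TSi/TSr payloads.

    Each finding records the message id, the missing payload names and whether the
    responder announced childless IKE_SA support (N(CHDLESS_SUP)) in its IKE_SA_INIT
    response, which is why such a request still yields an IKE_SA without a CHILD_SA.
    """
    findings = []
    responder_childless = False
    for line in log_text.splitlines():
        parsed = parse_payloads(line)
        if parsed is None:
            continue
        exchange, direction, msg_id, payloads = parsed
        if exchange == "IKE_SA_INIT" and direction == "response":
            responder_childless = "N(CHDLESS_SUP)" in payloads
        if exchange == "IKE_AUTH" and direction == "request":
            missing = sorted(CHILD_PAYLOADS - set(payloads))
            if missing:
                findings.append({"message_id": msg_id, "missing": missing,
                                 "responder_childless": responder_childless})
    return findings
```

When the check fires, the initiator side is worth a look first: on a strongSwan peer that is `swanctl --initiate --child <name>` rather than `--ike <name>`, as Noel says.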