Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-06 Thread Sujoy

Hi Noel,

Still cannot establish the tunnel. The logs don't show anything. Can someone 
help me solve this?


Client configuration

config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    rightsubnet=192.168.10.0/32
    ike=aes128-md5-modp1536
    esp=aes128-sha1
    keyingtries=%forever
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    #dpdaction=restart
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel
    mobike=no
    #pfs=no
    reauth=no

Server setup

config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
conn tunnel #conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    rightsubnet=192.168.10.0/32
    ike=aes128-md5-modp1536
    esp=aes128-sha1
    keyingtries=%forever
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    #dpdaction=restart
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel
    mobike=no
    #pfs=no
    reauth=no


root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[2] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) ]

sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (1064 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1536
initiating IKE_SA tunnel[2] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) ]

sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (1000 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (392 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr 
N(MULT_AUTH) N(EAP_ONLY) ]

sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (332 bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (108 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[2] established between 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

scheduling rekeying in 2525s
maximum IKE_SA lifetime 3065s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'tunnel' failed
root@client:~#


ipsec statusall

Status of IKE charon daemon (strongSwan 5.3.3, Linux 4.4.0-112-generic, x86_64):

  uptime: 41 seconds, since Feb 07 12:08:32 2018
  malloc: sbrk 2703360, mmap 0, used 519216, free 2184144
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 2
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 
pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr 
kernel-netlink resolve socket-default stroke updown xauth-generic

Listening IP addresses:
  192.168.10.38
  192.168.3.107

Connections:
  tunnel:  %any...192.168.10.40  IKEv2
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.40] uses pre-shared key authentication
  tunnel:   child:  dynamic === 192.168.10.0/32 TUNNEL
Security Associations (1 up, 0 connecting):
  tunnel[1]: ESTABLISHED 41 seconds ago, 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]
  tunnel[1]: IKEv2 SPIs: 53b251675b863a7d_i* 57d33cd8149f729f_r, 
rekeying in 41 minutes
  tunnel[1]: IKE proposal: 
AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536



On Tuesday 16 January 2018 11:23 PM, Noel Kuntze wrote:

Hi,

Check the logs of the remote side.
It means the remote peer did not like the proposed traffic selector. It was 
probably outside of the network range that its own configuration allows, 
meaning narrowing failed.

Kind regards

Noel


On 16.01.2018 07:25, Sujoy wrote:

Hi Noel,

The same strongSwan 5.3.3 configuration is working from my VM (client) to a desktop 
server, but it is not working from my OpenWRT to a NATed Linux server with a global IP. 
Can you help me solve this?

What does "received TS_UNACCEPTABLE notify, no CHILD_SA built" mean?

Server config file.




Thanks & Regards

Sujoy

On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:

Hi,

Only on the responder.
If you use dpd and enforce UDP encapsulation, you do not need to open any ports 
on the initiator side.
Refer to the UsableExamples wiki page[1] for example configurations th
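Noel's explanation of narrowing, written out as a small Python model (this is an added example, not part of the thread and not strongSwan's own code): the responder intersects the initiator's proposed TSi/TSr with its own configured subnets, and an empty intersection on either side is exactly the case that comes back as N(TS_UNACCEPTABLE). The ipsec.conf snippets below are constructed with documentation addresses, not the poster's; the parser, the function names and the simplified side-selection rule (a host treats itself as "right" when its address equals the conn's right= value, and a missing leftsubnet/rightsubnet means the host's own /32) are all assumptions made here for the illustration.

```python
import ipaddress


def parse_ipsec_conf(text):
    """Parse ipsec.conf-style text into {"conn tunnel": {key: value}, ...}.
    Section headers start in column 0, settings are indented key=value lines,
    and '#' starts a comment (the parser is this example's own, not strongSwan's)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections, name):
    """Settings for one conn with 'conn %default' applied underneath."""
    conf = dict(sections.get("conn %default", {}))
    conf.update(sections.get("conn " + name, {}))
    return conf


def local_remote_selectors(conf, my_ip, peer_ip):
    """(local, remote) traffic selectors as seen from the host at my_ip.
    Assumed rule: if my_ip is the conn's right=, the sides are swapped; a missing
    leftsubnet/rightsubnet means the host's own address ('dynamic' in statusall)."""
    if conf.get("right") == my_ip:
        local_key, remote_key = "rightsubnet", "leftsubnet"
    else:
        local_key, remote_key = "leftsubnet", "rightsubnet"
    local = conf.get(local_key, my_ip + "/32")
    remote = conf.get(remote_key, peer_ip + "/32")

    def to_nets(spec):
        return [ipaddress.ip_network(x.strip(), strict=False) for x in spec.split(",")]

    return to_nets(local), to_nets(remote)


def narrow(proposed, allowed):
    """Responder-side narrowing: keep the overlap of each proposed selector with
    each configured one. An empty result is the TS_UNACCEPTABLE case."""
    result = []
    for p in proposed:
        for a in allowed:
            if p.subnet_of(a):
                result.append(p)
            elif a.subnet_of(p):
                result.append(a)
    return result


def negotiate_child_sa(init_conf, init_ip, resp_conf, resp_ip):
    """Initiator proposes (TSi, TSr) from its own view; the responder intersects TSi
    with its configured remote subnet and TSr with its local subnet. Returns the
    narrowed selectors as strings, or None when the responder would reject."""
    tsi, tsr = local_remote_selectors(init_conf, init_ip, resp_ip)
    resp_local, resp_remote = local_remote_selectors(resp_conf, resp_ip, init_ip)
    n_tsi, n_tsr = narrow(tsi, resp_remote), narrow(tsr, resp_local)
    if not n_tsi or not n_tsr:
        return None  # responder answers IKE_AUTH with N(TS_UNACCEPTABLE)
    return [str(n) for n in n_tsi], [str(n) for n in n_tsr]


# Constructed sample: a road warrior at INIT_IP wants a LAN behind the gateway at RESP_IP.
INIT_IP, RESP_IP = "198.51.100.38", "203.0.113.40"

CLIENT_CONF = """\
config setup
    charondebug="all"
conn %default
    keyexchange=ikev2
    authby=secret
conn tunnel
    left=%any
    right=203.0.113.40
    rightsubnet=192.168.10.0/24
    auto=start
"""

# Gateway whose leftsubnet does not cover what the client asks for: narrowing fails.
GATEWAY_MISMATCH = """\
conn tunnel
    left=203.0.113.40
    leftsubnet=10.0.0.0/8
    right=%any
    auto=add
"""

# Gateway that allows a superset: the responder narrows it down to the client's request.
GATEWAY_OK = """\
conn tunnel
    left=203.0.113.40
    leftsubnet=192.168.0.0/16
    right=%any
    auto=add
"""


def run(gateway_conf):
    client = effective_conn(parse_ipsec_conf(CLIENT_CONF), "tunnel")
    gateway = effective_conn(parse_ipsec_conf(gateway_conf), "tunnel")
    return negotiate_child_sa(client, INIT_IP, gateway, RESP_IP)


if __name__ == "__main__":
    print("mismatch:", run(GATEWAY_MISMATCH))  # None: TS_UNACCEPTABLE
    print("ok:      ", run(GATEWAY_OK))         # narrowed to 192.168.10.0/24
```

The model only covers what the thread discusses (one subnet per side, no `also=` or `rightsubnet=%dynamic` forms); the point it makes is the one in Noel's reply: the initiator's log only reports the rejection, and the subnet it collided with is visible on the responder, so that side's log and its configured leftsubnet/rightsubnet are what to compare against the proposal.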

Re: [strongSwan] Strongswan 5.5

2018-02-06 Thread Andreas Steffen
Hi Rajeev,

the private key itself does not pass the key integrity tests of
the gmp plugin. How did you create the private RSA key?

Regards

Andreas

On 07.02.2018 04:43, rajeev nohria wrote:
> 
> 
> I am getting the following error.
> 
> writing RSA key
> 11[LIB] key integrity tests failed
> 11[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 8 builders
> 
> What could be wrong? I verified the certificate and private key from the
> following site and they matched.
> 
> https://www.sslshopper.com/certificate-key-matcher.html  
> 
> 
> Thanks in advance,
> 
> Rajeev
> 

-- 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==



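The modulus matcher Rajeev used only confirms that the key's n matches the certificate; it says nothing about whether the private components (d, p, q, dp, dq, qinv) are consistent with each other, which is what a key loader's integrity tests look at. As an added example (not part of this thread, and not the gmp plugin's code; the exact set of tests that plugin runs is not stated here), the Python below parses a PKCS#1 "BEGIN RSA PRIVATE KEY" PEM with a minimal DER reader and checks the standard PKCS#1 relations, then shows the same key with one modulus byte altered failing them. The toy key, the PEM encoder used to construct it and the function names are this example's own.

```python
import base64
from math import gcd

# --- minimal DER helpers: a PKCS#1 RSAPrivateKey is a SEQUENCE of INTEGERs ---


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # keep the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")


def encode_pkcs1_pem(k):
    """Build a PKCS#1 PEM from a field dict. Used here only to construct sample input."""
    fields = [0] + [k[name] for name in FIELDS[1:]]
    body = b"".join(_der_int(v) for v in fields)
    der = b"\x30" + _der_len(len(body)) + body
    return ("-----BEGIN RSA PRIVATE KEY-----\n"
            + base64.encodebytes(der).decode()
            + "-----END RSA PRIVATE KEY-----\n")


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_pkcs1_pem(pem):
    """Parse a PKCS#1 RSAPrivateKey PEM (not PKCS#8 'BEGIN PRIVATE KEY') into integers."""
    b64 = "".join(l.strip() for l in pem.splitlines()
                  if l.strip() and not l.startswith("-----"))
    der = base64.b64decode(b64)
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    ints, pos = [], 0
    while pos < len(body) and len(ints) < len(FIELDS):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER before offset %d" % pos)
        ints.append(int.from_bytes(val, "big"))
    if len(ints) < len(FIELDS):
        raise ValueError("truncated RSAPrivateKey")
    return dict(zip(FIELDS, ints))


def check_rsa_key(k):
    """Return the PKCS#1 consistency relations the key violates (empty list = consistent)."""
    n, e, d, p, q = k["n"], k["e"], k["d"], k["p"], k["q"]
    if p < 2 or q < 2:
        return ["p or q out of range"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # Carmichael lambda(n)
    failures = []
    if p * q != n:
        failures.append("n != p*q")
    if (e * d) % lam != 1:
        failures.append("e*d != 1 mod lambda(n)")
    if k["dp"] != d % (p - 1):
        failures.append("dp != d mod (p-1)")
    if k["dq"] != d % (q - 1):
        failures.append("dq != d mod (q-1)")
    if (q * k["qinv"]) % p != 1:
        failures.append("qinv != q^-1 mod p")
    m = 42  # round trip a small plaintext (must be < n)
    if pow(pow(m, e, n), d, n) != m:
        failures.append("encrypt/decrypt round trip failed")
    return failures


# Constructed toy key from the textbook primes 61 and 53; a real key has a 2048+ bit n.
TOY_KEY = dict(n=3233, e=17, d=2753, p=61, q=53, dp=53, dq=49, qinv=38)
SAMPLE_PEM = encode_pkcs1_pem(TOY_KEY)


def corrupted_pem():
    """Same key with the modulus altered, as a mis-copied or hand-edited file would be."""
    return encode_pkcs1_pem(dict(TOY_KEY, n=TOY_KEY["n"] + 2))


if __name__ == "__main__":
    print("sample key:   ", check_rsa_key(parse_pkcs1_pem(SAMPLE_PEM)) or "consistent")
    print("corrupted key:", check_rsa_key(parse_pkcs1_pem(corrupted_pem())))
```

`openssl rsa -check -noout -in key.pem` runs the same family of consistency checks on a real key and is the quicker first step before asking how the key was generated; a key that passes the modulus matcher but fails here was damaged or assembled by hand after generation.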


[strongSwan] Strongswan 5.5

2018-02-06 Thread rajeev nohria
I am getting the following error.

writing RSA key
11[LIB] key integrity tests failed
11[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 8 builders

What could be wrong? I verified the certificate and private key from the
following site and they matched.

https://www.sslshopper.com/certificate-key-matcher.html


Thanks in advance,

Rajeev


[strongSwan] Pre-shared secret and digital certificate simultaneously

2018-02-06 Thread Newton, Benjamin David
Can anyone tell me if strongSwan is able to support authentication using both a 
pre-shared secret and a digital certificate simultaneously?


If so, can you give me any pointers on how to configure such a connection? Do 
you keep the authby=secret line? Do you put both entries in the ipsec.secrets file?


Thanks,

  Ben Newton