Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built error in a Hub and Spoke Setup

2021-08-17 Thread S M Tanjeen

Hi Mr Brunner,

Thanks a lot for pointing that out. This plugin was enabled unintentionally 
since the firmware build.


My Hub and spoke is working now.

Regards,

Tanjeen

On 8/17/21 11:54 PM, Tobias Brunner wrote:

Hi,

error installing route with policy 192.168.10.0/24 === 192.168.20.0/24 out


Why are you using kernel-libipsec [1] on your hub?

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec


Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built error in a Hub and Spoke Setup

2021-08-17 Thread Tobias Brunner

Hi,


error installing route with policy 192.168.10.0/24 === 192.168.20.0/24 out


Why are you using kernel-libipsec [1] on your hub?

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec


[strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built error in a Hub and Spoke Setup

2021-08-17 Thread S M Tanjeen

Hi,

I'm using strongSwan 5.6.3 on OpenWrt for the x86 architecture. Here I'm 
trying to achieve a hub-and-spoke setup [a network diagram has been 
attached] for connecting/routing multiple subnets behind more than two 
gateways.


I've tried numerous changes in ipsec.conf as suggested, but I'm stuck 
with 'received TS_UNACCEPTABLE notify, no CHILD_SA built' on the spoke 
side, although both of the security associations are up.


Need a remedy badly.


My configurations are as follows:

Hub
--
config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=30m
    keylife=10m
    rekeymargin=3m
    keyingtries=1
    mobike=yes

conn spokeconn2
    left=3.3.3.3
    leftsubnet=0.0.0.0/0
    right=20.20.20.20
    rightsubnet=192.168.20.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    authby=secret
    type=tunnel
    keyexchange=ikev2
    auto=route

conn spokeconn1
    left=3.3.3.3
    leftsubnet=0.0.0.0/0
    right=10.10.10.10
    rightsubnet=192.168.10.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    authby=secret
    type=tunnel
    keyexchange=ikev2
    auto=route

Spoke1
--
config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=30m
    keylife=10m
    rekeymargin=3m
    keyingtries=1
    mobike=yes

conn allmainconn
    left=10.10.10.10
    leftsubnet=192.168.10.0/24
    right=3.3.3.3
    rightsubnet=192.168.100.0/24,192.168.20.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    authby=secret
    type=tunnel
    keyexchange=ikev2
    auto=route

Spoke2
---
config setup
    strictcrlpolicy=no
    charondebug="all"

conn %default
    ikelifetime=30m
    keylife=10m
    rekeymargin=3m
    keyingtries=1
    mobike=yes

conn allmainconn
    left=20.20.20.20
    leftsubnet=192.168.20.0/24
    right=3.3.3.3
    rightsubnet=192.168.100.0/24,192.168.10.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    authby=secret
    type=tunnel
    keyexchange=ikev2
    auto=route

For authentication I'm using a PSK.



Error Logs Received:

Hub-

initiating IKE_SA spokeconn2[4] to 20.20.20.20
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 3.3.3.3[500] to 20.20.20.20[500] (464 bytes)
received packet: from 20.20.20.20[500] to 3.3.3.3[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
authentication of '3.3.3.3' (myself) with pre-shared key
establishing CHILD_SA spokeconn2{6}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 3.3.3.3[4500] to 20.20.20.20[4500] (284 bytes)
received packet: from 20.20.20.20[4500] to 3.3.3.3[4500] (268 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of '20.20.20.20' with pre-shared key successful
IKE_SA spokeconn2[4] established between 3.3.3.3[3.3.3.3]...20.20.20.20[20.20.20.20]
scheduling reauthentication in 1505s
maximum IKE_SA lifetime 1685s
error installing route with policy 192.168.10.0/24 === 192.168.20.0/24 out
unable to install IPsec policies (SPD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 1514s, scheduling reauthentication in 1334s
peer supports MOBIKE
sending DELETE for ESP CHILD_SA with SPI 85f68599
generating INFORMATIONAL request 2 [ D ]
sending packet: from 3.3.3.3[4500] to 20.20.20.20[4500] (76 bytes)
received packet: from 20.20.20.20[4500] to 3.3.3.3[4500] (76 bytes)
parsed INFORMATIONAL response 2 [ D ]
establishing connection 'spokeconn2' failed



Spoke1-

initiating IKE_SA allmainconn[1] to 3.3.3.3
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.10.10.10[500] to 3.3.3.3[500] (464 bytes)
received packet: from 3.3.3.3[500] to 10.10.10.10[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
authentication of '10.10.10.10' (myself) with pre-shared key
establishing CHILD_SA allmainconn{2}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.10.10.10[4500] to 3.3.3.3[4500] (300 bytes)
received packet: from 3.3.3.3[4500] to 10.10.10.10[4500] (172 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
authentication of '3.3.3.3' with pre-shared key successful
IKE_SA allmainconn[1] established between 10.10.10.10[10.10.10.10]...3.3.3.3[3.3.3.3]
scheduling reauthentication in 1524s
maximum IKE_SA lifetime
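Added example, not part of the thread and not strongSwan code: a small Python model of how the hub, acting as IKEv2 responder, narrows each spoke's proposed traffic selectors against its own leftsubnet/rightsubnet (RFC 7296, section 2.9) and which local === remote policies it then has to install. Run on the subnets from the ipsec.conf files above, every spoke proposal narrows to a non-empty selector pair, so the TS_UNACCEPTABLE the spoke receives is not a selector mismatch; the hub log shows the CHILD_SA failing at the "unable to install IPsec policies (SPD) in kernel" step instead, and strongSwan reports that installation failure to the initiator as TS_UNACCEPTABLE. The model also lists the spoke-to-spoke policies (192.168.10.0/24 === 192.168.20.0/24 among them) whose local side contains none of the hub's own addresses; that these are the ones the kernel-libipsec route installation trips over is my reading of the hub log, not something the thread states. A constructed mismatched spoke shows what a genuine selector failure looks like. HUB_LOCAL_ADDRS (192.168.100.1) and the 192.168.30.0/24 spoke are constructed assumptions.

```python
"""Model of IKEv2 traffic-selector narrowing for the hub-and-spoke configs
posted in this thread.  Added example: not strongSwan code and not from the
thread.  Subnet values are those from the posted ipsec.conf files;
HUB_LOCAL_ADDRS and MISMATCHED_SPOKE are constructed assumptions."""
import ipaddress
from itertools import product


def parse_subnets(value):
    """'a/24,b/24' (ipsec.conf leftsubnet/rightsubnet syntax) -> list of networks."""
    return [ipaddress.ip_network(s.strip()) for s in value.split(",")]


def intersect(a, b):
    """Overlap of two CIDR networks, or None when they are disjoint.
    Two CIDR blocks either nest or do not touch, so the overlap is the smaller one."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow(proposed, configured):
    """Narrow the peer's proposed selectors to what the local conn allows
    (RFC 7296, section 2.9).  An empty result means nothing is acceptable."""
    result = []
    for p, c in product(proposed, configured):
        n = intersect(p, c)
        if n is not None and n not in result:
            result.append(n)
    return result


def responder_select(tsi, tsr, local, remote):
    """Hub acting as responder: the initiator's TSi is the hub's *remote*
    side and its TSr is the hub's *local* side.  Returns (local, remote)."""
    return narrow(tsr, local), narrow(tsi, remote)


def check_hub(hub_conns, spoke_conns, hub_local_addrs):
    """For every spoke conn, report whether the hub can narrow the spoke's
    proposal, the local===remote policies the hub must install, and which of
    those have a local side containing none of the hub's own addresses."""
    addrs = [ipaddress.ip_address(a) for a in hub_local_addrs]
    report = {}
    for name, (hub_left, hub_right) in hub_conns.items():
        spoke_left, spoke_right = spoke_conns[name]
        local_sel, remote_sel = responder_select(
            parse_subnets(spoke_left), parse_subnets(spoke_right),
            parse_subnets(hub_left), parse_subnets(hub_right))
        if not local_sel or not remote_sel:
            # Responder has no acceptable selector pair: this is the genuine
            # TS_UNACCEPTABLE case, a configuration mismatch between peers.
            report[name] = {"status": "TS_UNACCEPTABLE", "policies": [],
                            "no_local_address": []}
            continue
        pairs = list(product(local_sel, remote_sel))
        policies = [(str(l), str(r)) for l, r in pairs]
        # Spoke-to-spoke policies: the hub forwards for them but owns no
        # address inside the local selector (heuristic, see lead-in).
        orphan = [(str(l), str(r)) for l, r in pairs
                  if not any(a in l for a in addrs)]
        report[name] = {"status": "ok", "policies": policies,
                        "no_local_address": orphan}
    return report


# Values from the thread: hub leftsubnet/rightsubnet per conn ...
HUB_CONNS = {
    "spokeconn1": ("0.0.0.0/0", "192.168.10.0/24"),
    "spokeconn2": ("0.0.0.0/0", "192.168.20.0/24"),
}
# ... and each spoke's leftsubnet/rightsubnet for its 'allmainconn',
# keyed by the hub conn it talks to.
SPOKE_CONNS = {
    "spokeconn1": ("192.168.10.0/24", "192.168.100.0/24,192.168.20.0/24"),
    "spokeconn2": ("192.168.20.0/24", "192.168.100.0/24,192.168.10.0/24"),
}
# Constructed assumption: the hub owns an address in 192.168.100.0/24.
HUB_LOCAL_ADDRS = ["192.168.100.1"]
# Constructed mismatch: a spoke whose LAN appears in no hub conn at all.
MISMATCHED_SPOKE = {"spokeconn1": ("192.168.30.0/24", "192.168.100.0/24")}

if __name__ == "__main__":
    for conn, rep in check_hub(HUB_CONNS, SPOKE_CONNS, HUB_LOCAL_ADDRS).items():
        print(conn, rep["status"])
        for l, r in rep["policies"]:
            flag = "  (local side is not a hub address)" \
                if (l, r) in rep["no_local_address"] else ""
            print(f"  policy {l} === {r} out{flag}")
    bad = check_hub({"spokeconn1": HUB_CONNS["spokeconn1"]},
                    MISMATCHED_SPOKE, HUB_LOCAL_ADDRS)
    print("mismatched spoke:", bad["spokeconn1"]["status"])
```

For spokeconn2 the model prints both 192.168.100.0/24 === 192.168.20.0/24 and 192.168.10.0/24 === 192.168.20.0/24 as policies the hub must install, the second being exactly the one in the hub's "error installing route" line. The resolution in the thread was to stop loading the kernel-libipsec plugin on the hub so the native kernel IPsec backend installs the policies; in strongswan.conf that is the `load = no` setting in the `charon.plugins.kernel-libipsec` section.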