On Wed, 5 Jun 2019, optimas primat wrote:

pluto[27863]: "siteB_ipsec/1x1" #2: IKEv2 mode peer ID is ID_FQDN: '@abcd1'
pluto[27863]: "siteB_ipsec/1x1" #2: Authenticated using authby=secret
pluto[27863]: "siteB_ipsec/1x1" #2: negotiated connection
[172.16.56.0-172.16.56.255:0-65535 0] ->
[172.16.55.0-172.16.55.255:0-65535 0]
pluto[27863]: "siteB_ipsec/1x1" #2: STATE_V2_IPSEC_I: IPsec SA
established tunnel mode {ESP=>0xc26dbe6f <0x0f9f825a
xfrm=3DES_CBC-HMAC_MD5_96 NATOA=none NATD=none DPD=passive}

So the first tunnel comes up.

pluto[27863]: "siteB_ipsec/1x2": constructed local ESP/AH proposals
for siteB_ipsec/1x2 (ESP/AH initiator emitting proposals):
1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
pluto[27863]: "siteB_ipsec/2x1": constructed local ESP/AH proposals
for siteB_ipsec/2x1 (ESP/AH initiator emitting proposals):
1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
pluto[27863]: "siteB_ipsec/2x2": constructed local ESP/AH proposals
for siteB_ipsec/2x2 (ESP/AH initiator emitting proposals):
1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
pluto[27863]: "siteB_ipsec/1x2" #3: STATE_V2_CREATE_I: sent IPsec
Child req wait response

The second one is attempted..

pluto[27863]: "siteB_ipsec/2x1" #4: message id deadlock? wait sending,
add to send next list using parent #1 unacknowledged 1 next message
id=3 ike exchange window 1

The others are queued up and waiting....

pluto[27863]: "siteB_ipsec/1x2" #3: no useful state microcode entry
found for incoming packet
pluto[27863]: "siteB_ipsec/1x2" #3: dropping unexpected
CREATE_CHILD_SA message containing TS_UNACCEPTABLE pluto[27863]:

Seems it mismatched the subnets?

1:ESP:SPI=a0b9b411;ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
chosen from remote proposals
1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED[first-match]
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #3: responding to
CREATE_CHILD_SA message (ID 2) from 172.16.88.2:500 with encrypted
notification TS_UNACCEPTABLE

It seemed to have picked the already established connection, then
decided to not switch?

Which version of libreswan is this?

Paul
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
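
Added example, not part of the message above and not libreswan code: a small Python triage script that groups the quoted pluto lines by connection and reports which child SAs were established, queued, or rejected with TS_UNACCEPTABLE, converting the negotiated address ranges to CIDR so they can be compared with the configured subnets. The function names and status labels are assumptions of this example; the sample input is the log text from the message with mail line-wrapping undone.

```python
import ipaddress
import re

# Log lines quoted in the message above, re-joined where the mail client wrapped them.
SAMPLE_LOG = """\
pluto[27863]: "siteB_ipsec/1x1" #2: negotiated connection [172.16.56.0-172.16.56.255:0-65535 0] -> [172.16.55.0-172.16.55.255:0-65535 0]
pluto[27863]: "siteB_ipsec/1x1" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xc26dbe6f <0x0f9f825a xfrm=3DES_CBC-HMAC_MD5_96 NATOA=none NATD=none DPD=passive}
pluto[27863]: "siteB_ipsec/1x2" #3: STATE_V2_CREATE_I: sent IPsec Child req wait response
pluto[27863]: "siteB_ipsec/2x1" #4: message id deadlock? wait sending, add to send next list using parent #1 unacknowledged 1 next message id=3 ike exchange window 1
pluto[27863]: "siteB_ipsec/1x2" #3: dropping unexpected CREATE_CHILD_SA message containing TS_UNACCEPTABLE
"""

# Connection name, optional instance/peer ("[1] 172.16.88.2"), state number, message.
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\] \S+)? #(?P<sa>\d+): (?P<msg>.*)')
TS = re.compile(r'\[(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+):')
# Substring of the message -> status label; the last matching line wins.
STATUS = [("sent IPsec Child req", "pending"),
          ("message id deadlock?", "queued"),
          ("IPsec SA established", "established"),
          ("TS_UNACCEPTABLE", "rejected: TS_UNACCEPTABLE")]

def to_cidr(first, last):
    """Convert a first-last address range from the log into CIDR notation."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return ",".join(str(n) for n in nets)

def summarize(log_text):
    """Return {connection: {"sa", "status", "selectors"}} from pluto log lines."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        entry = conns.setdefault(
            m["conn"], {"sa": None, "status": "unknown", "selectors": None})
        entry["sa"] = int(m["sa"])
        ranges = TS.findall(m["msg"])
        if "negotiated connection" in m["msg"] and len(ranges) == 2:
            entry["selectors"] = tuple(to_cidr(a, b) for a, b in ranges)
        for needle, status in STATUS:
            if needle in m["msg"]:
                entry["status"] = status
    return conns

if __name__ == "__main__":
    for name, e in summarize(SAMPLE_LOG).items():
        print(f'{name:18} #{e["sa"]}  {e["status"]:26} {e["selectors"] or ""}')
```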