Hi All, I cannot make my site-to-site VPN work again. I believe everything is configured fine. Communication is between Debian 8 and Sophos UTM 9. It seems the CHILD_SA cannot be resolved although it is correctly defined. Somewhere in between (see the ### marks) I find the message
changing proposed traffic selectors for us: 0.0.0.0/0

What is wrong here? This connection was already working, but I can't make it work again. Any help or hint appreciated.

Andreas

# ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="ike 2, cfg 2, chd 2"

conn %default
        keyingtries=1
        keyexchange=ikev1
        # compress=yes
        compress=no
        esp="aes128-md5"
        ike="aes256-sha1-modp1024"
        ikelifetime=86400
        keylife=3600
        authby=psk
        rekeymargin=540

conn base
        left=82.165.146.193
        leftsubnet=10.242.5.0/24
        leftfirewall=yes
        right=176.94.48.18
        rightid=176.94.48.18
        rightsubnet=10.242.4.0/24
        type=tunnel
        auto=add

include /var/lib/strongswan/ipsec.conf.inc

#/var/log/daemon.log

Jan 16 14:27:24 nx03 charon: 09[NET] received packet: from 176.94.48.18[500] to 82.165.146.193[500] (92 bytes)
Jan 16 14:27:24 nx03 charon: 09[ENC] parsed INFORMATIONAL_V1 request 1322595484 [ HASH N(DPD) ]
Jan 16 14:27:24 nx03 charon: 09[IKE] queueing ISAKMP_DPD task
Jan 16 14:27:24 nx03 charon: 09[IKE] activating new tasks
Jan 16 14:27:24 nx03 charon: 09[IKE] activating ISAKMP_DPD task
Jan 16 14:27:24 nx03 charon: 09[ENC] generating INFORMATIONAL_V1 request 1687982473 [ HASH N(DPD_ACK) ]
Jan 16 14:27:24 nx03 charon: 09[NET] sending packet: from 82.165.146.193[500] to 176.94.48.18[500] (92 bytes)
Jan 16 14:27:24 nx03 charon: 09[IKE] activating new tasks
Jan 16 14:27:24 nx03 charon: 09[IKE] nothing to initiate
Jan 16 14:27:24 nx03 charon: 06[NET] received packet: from 176.94.48.18[500] to 82.165.146.193[500] (156 bytes)
Jan 16 14:27:24 nx03 charon: 06[ENC] parsed QUICK_MODE request 3759634152 [ HASH SA No ID ID ]
Jan 16 14:27:24 nx03 charon: 06[CFG] looking for a child config for 10.242.5.0/24 === 10.242.4.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] proposing traffic selectors for us:
Jan 16 14:27:24 nx03 charon: 06[CFG]  10.242.5.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] proposing traffic selectors for other:
Jan 16 14:27:24 nx03 charon: 06[CFG]  10.242.4.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG]   candidate "base" with prio 5+5
Jan 16 14:27:24 nx03 charon: 06[CFG] found matching child config "base" with prio 10
Jan 16 14:27:24 nx03 charon: 06[CFG] selecting traffic selectors for other:
Jan 16 14:27:24 nx03 charon: 06[CFG]  config: 10.242.4.0/24, received: 10.242.4.0/24 => match: 10.242.4.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] selecting traffic selectors for us:
Jan 16 14:27:24 nx03 charon: 06[CFG]  config: 10.242.5.0/24, received: 10.242.5.0/24 => match: 10.242.5.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] selecting proposal:
Jan 16 14:27:24 nx03 charon: 06[CFG]   proposal matches
Jan 16 14:27:24 nx03 charon: 06[CFG] received proposals: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ
Jan 16 14:27:24 nx03 charon: 06[CFG] configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jan 16 14:27:24 nx03 charon: 06[CFG] selected proposal: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ
### who does this and why, or how to prevent?
Jan 16 14:27:24 nx03 charon: 06[CFG] changing proposed traffic selectors for us:
Jan 16 14:27:24 nx03 charon: 06[CFG]  0.0.0.0/0
###
Jan 16 14:27:24 nx03 charon: 06[ENC] generating QUICK_MODE response 3759634152 [ HASH SA No ID ID ]
Jan 16 14:27:24 nx03 charon: 06[NET] sending packet: from 82.165.146.193[500] to 176.94.48.18[500] (188 bytes)
Jan 16 14:27:24 nx03 charon: 05[NET] received packet: from 176.94.48.18[500] to 82.165.146.193[500] (76 bytes)
Jan 16 14:27:24 nx03 charon: 05[ENC] parsed INFORMATIONAL_V1 request 1334323553 [ HASH N(INVAL_ID) ]
Jan 16 14:27:24 nx03 charon: 05[IKE] received INVALID_ID_INFORMATION error notify
Jan 16 14:27:24 nx03 charon: 05[IKE] received INVALID_ID_INFORMATION error notify
Jan 16 14:27:35 nx03 charon: 11[NET] received packet: from 176.94.48.18[500] to 82.165.146.193[500] (156 bytes)
Jan 16 14:27:35 nx03 charon: 11[ENC] invalid HASH_V1 payload length, decryption failed?
Jan 16 14:27:35 nx03 charon: 11[ENC] could not decrypt payloads
Jan 16 14:27:35 nx03 charon: 11[IKE] message parsing failed
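Added example, not part of the original post and not strongSwan's own tooling: a small Python script that reads the conn block and the cfg-level Quick Mode lines from charon's log (a trimmed copy of the excerpt above is embedded as sample input) and reports when the local traffic selector charon ends up proposing lies outside the conn's configured leftsubnet, or when the peer answers with INVALID_ID_INFORMATION. It assumes the message formats seen in the excerpt (strongSwan 5.x charon with "cfg 2" debugging); the function names parse_conn_subnets, parse_quick_mode and audit are the example's own.

```python
"""Audit charon's IKEv1 Quick Mode traffic-selector negotiation against ipsec.conf."""
import ipaddress
import re

# Constructed sample input: the conn block and a trimmed copy of the charon log
# excerpt from the post, embedded so the script runs offline.
SAMPLE_CONF = """\
conn base
        left=82.165.146.193
        leftsubnet=10.242.5.0/24
        leftfirewall=yes
        right=176.94.48.18
        rightid=176.94.48.18
        rightsubnet=10.242.4.0/24
        type=tunnel
        auto=add
"""

SAMPLE_LOG = """\
Jan 16 14:27:24 nx03 charon: 06[ENC] parsed QUICK_MODE request 3759634152 [ HASH SA No ID ID ]
Jan 16 14:27:24 nx03 charon: 06[CFG] looking for a child config for 10.242.5.0/24 === 10.242.4.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] proposing traffic selectors for us:
Jan 16 14:27:24 nx03 charon: 06[CFG]  10.242.5.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] proposing traffic selectors for other:
Jan 16 14:27:24 nx03 charon: 06[CFG]  10.242.4.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG]   candidate "base" with prio 5+5
Jan 16 14:27:24 nx03 charon: 06[CFG] found matching child config "base" with prio 10
Jan 16 14:27:24 nx03 charon: 06[CFG] selecting traffic selectors for other:
Jan 16 14:27:24 nx03 charon: 06[CFG]  config: 10.242.4.0/24, received: 10.242.4.0/24 => match: 10.242.4.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] selecting traffic selectors for us:
Jan 16 14:27:24 nx03 charon: 06[CFG]  config: 10.242.5.0/24, received: 10.242.5.0/24 => match: 10.242.5.0/24
Jan 16 14:27:24 nx03 charon: 06[CFG] selected proposal: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ
Jan 16 14:27:24 nx03 charon: 06[CFG] changing proposed traffic selectors for us:
Jan 16 14:27:24 nx03 charon: 06[CFG]  0.0.0.0/0
Jan 16 14:27:24 nx03 charon: 06[ENC] generating QUICK_MODE response 3759634152 [ HASH SA No ID ID ]
Jan 16 14:27:24 nx03 charon: 05[IKE] received INVALID_ID_INFORMATION error notify
"""

LOG_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
CIDR_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s*$")


def parse_conn_subnets(conf_text):
    """Map conn name -> {"left": [networks], "right": [networks]} from ipsec.conf text.
    Non-CIDR values such as %dynamic are skipped."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {"left": [], "right": []}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in ("leftsubnet", "rightsubnet"):
            conns[current][key[:-6]] = [ipaddress.ip_network(v.strip(), strict=False)
                                        for v in value.split(",")
                                        if not v.strip().startswith("%")]
    return conns


def parse_quick_mode(log_text):
    """Collect, per Quick Mode exchange, the local TS charon proposed, the TS it
    changed to afterwards, the narrowed match, and whether the peer rejected the IDs."""
    exchanges, cur, bucket = [], None, None
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg.startswith("looking for a child config for"):
            cur = {"conn": None, "proposed_us": [], "changed_us": [],
                   "match_us": None, "invalid_id": False}
            exchanges.append(cur)
            bucket = None
            continue
        if cur is None:
            continue
        found = re.match(r'found matching child config "([^"]+)"', msg)
        if found:
            cur["conn"] = found.group(1)
        elif msg.startswith("proposing traffic selectors for us:"):
            bucket = "proposed_us"
        elif msg.startswith("changing proposed traffic selectors for us:"):
            bucket = "changed_us"
        elif msg.startswith("selecting traffic selectors for us:"):
            bucket = "select_us"
        elif msg.endswith(":"):          # any other header ends the current list
            bucket = None
        elif CIDR_RE.match(msg) and bucket in ("proposed_us", "changed_us"):
            cur[bucket].append(ipaddress.ip_network(CIDR_RE.match(msg).group(1), strict=False))
        elif bucket == "select_us" and "=> match: " in msg:
            cur["match_us"] = ipaddress.ip_network(msg.split("=> match: ")[1].strip(), strict=False)
        elif "INVALID_ID_INFORMATION" in msg:
            cur["invalid_id"] = True
    return exchanges


def audit(exchange, conns):
    """Findings for one exchange: the TS charon finally proposes for itself must lie
    within the conn's configured leftsubnet; a widened TS or a peer ID rejection is reported."""
    findings = []
    final_us = exchange["changed_us"] or exchange["proposed_us"]
    configured = conns.get(exchange["conn"], {}).get("left", [])
    for ts in final_us:
        if not any(ts.version == net.version and ts.subnet_of(net) for net in configured):
            findings.append("local TS %s is outside configured leftsubnet %s"
                            % (ts, ", ".join(str(n) for n in configured) or "(none)"))
    if exchange["invalid_id"]:
        findings.append("peer rejected the ID payloads with INVALID_ID_INFORMATION")
    return findings


if __name__ == "__main__":
    cfg = parse_conn_subnets(SAMPLE_CONF)
    for ex in parse_quick_mode(SAMPLE_LOG):
        print("conn %s:" % ex["conn"], audit(ex, cfg) or ["no findings"])
```

Run it against the real files with `parse_conn_subnets(open("/etc/ipsec.conf").read())` and the daemon log; the check only compares what charon logs with what the conn declares, so it flags the widened selector without guessing at the cause.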