[Apologies for accidentally hitting send on previous email…] Hi all, I’m trying to resolve an issue with traffic selection and am running out of ideas on how to do so. Hopefully someone here can recognize what I am doing wrong. My two endpoints are `strongSwan 5.7.2, Linux 4.20.3-1.el7.elrepo.x86_64, x86_64` and `strongSwan 5.6.3` from OpenWRT `opkg` repositories.
In my config (below), I have worked through several iterations and have always seen the selectors presented to the opposite side specifying the /32 of the external interface to each other, never the networks that I am trying to route between. I am using `type=transport` as I need to pass OSPF traffic over the links. In an effort to cover all bases before posting here, I have mapped my configuration to that in https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario, also with the same results. When I remove the `left/rightsubnet` configurations, the TS negotiates cleanly and passes traffic bound for the opposite public endpoint, but then of course no xfrm policy exists between the `10.10.0.0/22` and `10.10.4.0/22` networks, which is the final goal. In all cases, the SA is being negotiated cleanly, so I have clipped those sections for brevity. Apologies if I have lost information, and thanks for your consideration!
Brian

Common:
> config setup
>     charondebug="ike 2, knl 2, cfg 2, mgr 2"
>
> conn %default
>     keyingtries=3
>     authby=secret
>     type=transport
>     ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
>     esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072

Dynamic:
> conn site-2-dynamic-ip
>     left=%defaultroute
>     leftsubnet=10.9.254.252/30,10.9.254.248/30
>     leftfirewall=no
>     right=dy.na.mi.cip
>     rightsubnet=10.10.0.0/22
>     rightid=%specific.example.com
>     auto=add

Static:
> conn site-1-static-ip
>     left=st.at.ic.ip
>     leftsubnet=10.9.254.252/30,10.9.254.248/30
>     leftid=%specific.example.com
>     leftfirewall=no
>     right=%any
>     rightsubnet=10.10.4.0/22
>     auto=add

Dynamic side logs:
> 05[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> 05[NET] sending packet: from dy.na.mi.cip[4500] to st.at.ic.ip[4500] (445 bytes)
> 05[MGR] checkin IKE_SA site-2-dynamic-ip[10]
> 05[MGR] checkin of IKE_SA successful
> 13[MGR] checkout IKEv2 SA by message with SPIs 666aa985fa6a1f6b_i 354556de7cfce172_r
> 13[MGR] IKE_SA site-2-dynamic-ip[10] successfully checked out
> 13[NET] received packet: from st.at.ic.ip[4500] to dy.na.mi.cip[4500] (205 bytes)
> 13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
> 13[IKE] authentication of 'specific.example.com' with pre-shared key successful
> 13[IKE] IKE_SA site-2-dynamic-ip[10] established between dy.na.mi.cip[dy.na.mi.cip]...st.at.ic.ip[specific.example.com]
> 13[IKE] IKE_SA site-2-dynamic-ip[10] state change: CONNECTING => ESTABLISHED
> 13[IKE] scheduling reauthentication in 9950s
> 13[IKE] maximum IKE_SA lifetime 10490s
> 13[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
> 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
> 13[KNL] deleting SAD entry with SPI cee22084
> 13[KNL] deleted SAD entry with SPI cee22084
> 13[IKE] received AUTH_LIFETIME of 9756s, scheduling reauthentication in 9216s
> 13[IKE] peer supports MOBIKE
> 13[IKE] got additional MOBIKE peer address: 10.10.0.41
> 13[IKE] got additional MOBIKE peer address: 172.17.0.1
> 13[IKE] got additional MOBIKE peer address: fc00::10ca:1
> 13[IKE] activating new tasks
> 13[IKE] nothing to initiate
> 13[MGR] checkin IKE_SA site-2-dynamic-ip[10]

Static side logs:
> 07[NET] received packet: from 71.211.224.100[4500] to 173.248.143.113[4500] (445 bytes)
> 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> 07[CFG] looking for a child config for st.at.ic.ip/32 === dy.na.mi.cip/32
> 07[CFG] proposing traffic selectors for us:
> 07[CFG]  st.at.ic.ip/32
> 07[CFG]  st.at.ic.ip/32
> 07[CFG] proposing traffic selectors for other:
> 07[CFG]  dy.na.mi.cip/32
> 07[CFG] candidate "site-1-static-ip" with prio 5+5
> 07[CFG] found matching child config "site-1-static-ip" with prio 10
> 07[CFG] selecting proposal:
> 07[CFG]   proposal matches
> 07[CFG] received proposals: ESP:AES_GCM_16_192/AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
> 07[CFG] configured proposals: ESP:AES_GCM_16_192/AES_GCM_16_128/ECP_256/MODP_3072/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/ECP_256/MODP_3072/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
> 07[CFG] selected proposal: ESP:AES_GCM_16_192/NO_EXT_SEQ
> 07[KNL] got SPI cd351083
> 07[CFG] selecting traffic selectors for us:
> 07[CFG]  config: 10.9.254.252/30, received: st.at.ic.ip/32 => no match
> 07[CFG]  config: 10.9.254.248/30, received: st.at.ic.ip/32 => no match
> 07[CFG] selecting traffic selectors for other:
> 07[CFG]  config: 10.10.4.0/22, received: dy.na.mi.cip/32 => no match
> 07[IKE] no acceptable traffic selectors found
> 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
> 07[KNL] deleting SAD entry with SPI cd351083
> 07[KNL] deleted SAD entry with SPI cd351083
> 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
> 07[NET] sending packet: from st.at.ic.ip[4500] to dy.na.mi.cip[4500] (205 bytes)
> 07[MGR] checkin IKE_SA site-1-static-ip[1]
> 07[MGR] checkin of IKE_SA successful
> 07[MGR] checkout IKEv2 SA with SPIs 666aa985fa6a1f6b_i 354556de7cfce172_r
> 07[MGR] IKE_SA site-1-static-ip[1] successfully checked out
> 07[MGR] checkin IKE_SA site-1-static-ip[1]
> 07[MGR] checkin of IKE_SA successful
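The responder-side "selecting traffic selectors" lines above are the IKEv2 narrowing step (RFC 7296 section 2.9): each configured selector is intersected with each received one, and a CHILD_SA needs a non-empty result in both directions or TS_UNACCEPTABLE is returned. The following replays that step with the subnets from the post; it is an added example, not the poster's configuration or strongSwan's code, and 203.0.113.1 / 198.51.100.2 are constructed placeholders for st.at.ic.ip / dy.na.mi.cip.

```python
# Added example: IKEv2 traffic-selector narrowing as charon logs it,
# replayed with the post's subnets. Not the poster's or strongSwan's code.
from ipaddress import ip_network

STATIC_IP = "203.0.113.1"    # constructed placeholder for st.at.ic.ip
DYNAMIC_IP = "198.51.100.2"  # constructed placeholder for dy.na.mi.cip


def narrow(configured, received):
    """Intersect configured and received selectors (CIDR strings).

    Each (cfg, rx) pair contributes the more specific of the two when one
    contains the other; a disjoint pair contributes nothing, which is what
    the responder logged as "=> no match".
    """
    selected = []
    for cfg in map(ip_network, configured):
        for rx in map(ip_network, received):
            if rx.subnet_of(cfg):
                selected.append(rx)
            elif cfg.subnet_of(rx):
                selected.append(cfg)
    return selected


def negotiate(cfg_us, cfg_other, rx_us, rx_other):
    """Responder view: both directions must narrow to something.

    Returns (us, other) on success, or None for TS_UNACCEPTABLE
    ("no acceptable traffic selectors found" in the log).
    """
    us, other = narrow(cfg_us, rx_us), narrow(cfg_other, rx_other)
    return (us, other) if us and other else None


# Responder child config from the post (conn site-1-static-ip).
CFG_US = ["10.9.254.252/30", "10.9.254.248/30"]
CFG_OTHER = ["10.10.4.0/22"]


def transport_case():
    # What the static side received: only the endpoints' own /32s, as in
    # "looking for a child config for st.at.ic.ip/32 === dy.na.mi.cip/32".
    return negotiate(CFG_US, CFG_OTHER, [STATIC_IP + "/32"], [DYNAMIC_IP + "/32"])


def subnet_case():
    # For comparison: a proposal that carries the networks narrows to the
    # overlap in both directions (wider TSr -> configured /30s, TSi -> /24).
    return negotiate(CFG_US, CFG_OTHER, ["10.9.254.248/29"], ["10.10.4.0/24"])


if __name__ == "__main__":
    print("transport proposal:", transport_case())
    print("subnet proposal:   ", subnet_case())
```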
