Hi,

I'm using strongSwan 5.6.3 on OpenWrt for the x86 architecture. Here I'm trying to achieve the hub-and-spoke setup [a network diagram has been attached] for connecting/routing multiple subnets behind more than two gateways.

I've tried numerous changes in ipsec.conf as suggested, but I'm stuck with 'received TS_UNACCEPTABLE notify, no CHILD_SA built' on the spoke side, although both of the security associations are up.

Need a remedy badly.


My configurations are as follows:

Hub
------
config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=30m
    keylife=10m
    rekeymargin=3m
    keyingtries=1
    mobike=yes

conn spokeconn2
    left=3.3.3.3
    leftsubnet=0.0.0.0/0
    right=20.20.20.20
    rightsubnet=192.168.20.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    authby=secret
    type=tunnel
    keyexchange=ikev2
    auto=route

conn spokeconn1
    left=3.3.3.3
    leftsubnet=0.0.0.0/0
    right=10.10.10.10
    rightsubnet=192.168.10.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    authby=secret
    type=tunnel
    keyexchange=ikev2
    auto=route

Spoke1
--------------
config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=30m
    keylife=10m
    rekeymargin=3m
    keyingtries=1
    mobike=yes

conn allmainconn
    left=10.10.10.10
    leftsubnet=192.168.10.0/24
    right=3.3.3.3
    rightsubnet=192.168.100.0/24,192.168.20.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    authby=secret
    type=tunnel
    keyexchange=ikev2
    auto=route

Spoke2
---------------
config setup
    strictcrlpolicy=no
    charondebug="all"

conn %default
    ikelifetime=30m
    keylife=10m
    rekeymargin=3m
    keyingtries=1
    mobike=yes

conn allmainconn
    left=20.20.20.20
    leftsubnet=192.168.20.0/24
    right=3.3.3.3
    rightsubnet=192.168.100.0/24,192.168.10.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    authby=secret
    type=tunnel
    keyexchange=ikev2
    auto=route

For authentication I'm using a PSK.



Error logs received:
------------------------
Hub-

initiating IKE_SA spokeconn2[4] to 20.20.20.20
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 3.3.3.3[500] to 20.20.20.20[500] (464 bytes)
received packet: from 20.20.20.20[500] to 3.3.3.3[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
authentication of '3.3.3.3' (myself) with pre-shared key
establishing CHILD_SA spokeconn2{6}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 3.3.3.3[4500] to 20.20.20.20[4500] (284 bytes)
received packet: from 20.20.20.20[4500] to 3.3.3.3[4500] (268 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of '20.20.20.20' with pre-shared key successful
IKE_SA spokeconn2[4] established between 3.3.3.3[3.3.3.3]...20.20.20.20[20.20.20.20]
scheduling reauthentication in 1505s
maximum IKE_SA lifetime 1685s
error installing route with policy 192.168.10.0/24 === 192.168.20.0/24 out
unable to install IPsec policies (SPD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 1514s, scheduling reauthentication in 1334s
peer supports MOBIKE
sending DELETE for ESP CHILD_SA with SPI 85f68599
generating INFORMATIONAL request 2 [ D ]
sending packet: from 3.3.3.3[4500] to 20.20.20.20[4500] (76 bytes)
received packet: from 20.20.20.20[4500] to 3.3.3.3[4500] (76 bytes)
parsed INFORMATIONAL response 2 [ D ]
establishing connection 'spokeconn2' failed



Spoke1-

initiating IKE_SA allmainconn[1] to 3.3.3.3
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.10.10.10[500] to 3.3.3.3[500] (464 bytes)
received packet: from 3.3.3.3[500] to 10.10.10.10[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
authentication of '10.10.10.10' (myself) with pre-shared key
establishing CHILD_SA allmainconn{2}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.10.10.10[4500] to 3.3.3.3[4500] (300 bytes)
received packet: from 3.3.3.3[4500] to 10.10.10.10[4500] (172 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
authentication of '3.3.3.3' with pre-shared key successful
IKE_SA allmainconn[1] established between 10.10.10.10[10.10.10.10]...3.3.3.3[3.3.3.3]
scheduling reauthentication in 1524s
maximum IKE_SA lifetime 1704s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 1508s, scheduling reauthentication in 1328s
peer supports MOBIKE
establishing connection 'allmainconn' failed



Spoke2-

initiating IKE_SA allmainconn[1] to 3.3.3.3
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 20.20.20.20[500] to 3.3.3.3[500] (464 bytes)
received packet: from 3.3.3.3[500] to 20.20.20.20[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
authentication of '20.20.20.20' (myself) with pre-shared key
establishing CHILD_SA allmainconn{2}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 20.20.20.20[4500] to 3.3.3.3[4500] (300 bytes)
received packet: from 3.3.3.3[4500] to 20.20.20.20[4500] (172 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
authentication of '3.3.3.3' with pre-shared key successful
IKE_SA allmainconn[1] established between 20.20.20.20[20.20.20.20]...3.3.3.3[3.3.3.3]
scheduling reauthentication in 1478s
maximum IKE_SA lifetime 1658s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 1468s, scheduling reauthentication in 1288s
peer supports MOBIKE
establishing connection 'allmainconn' failed

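An added example, not part of the post above and not strongSwan code: it replays the IKEv2 traffic-selector narrowing (RFC 7296 section 2.9, applied to strongSwan's leftsubnet/rightsubnet lists as CIDR intersection) for the three ipsec.conf fragments quoted above, and reports which of the resulting policy pairs have a local selector that contains none of the hub's own addresses. The hub's addresses (3.3.3.3 plus an assumed LAN address 192.168.100.1) are an assumption; the subnets come from the configs. The point it makes: narrowing never comes out empty for spoke1 or spoke2, so the selectors alone do not explain the TS_UNACCEPTABLE the spokes see, and the pair it flags for spokeconn2 is exactly the `192.168.10.0/24 === 192.168.20.0/24 out` policy the hub log complains about when installing a route. Treat the flagged pairs as the thing to verify on the hub (route installation for a local selector the hub has no address in), not as a diagnosis.

```python
"""Replay IKEv2 traffic-selector narrowing for the hub-and-spoke configs
in the post.  Added example, not strongSwan code."""
import ipaddress
from itertools import product


def nets(csv):
    """Parse a leftsubnet/rightsubnet value such as 'a/24,b/24'."""
    return [ipaddress.ip_network(s.strip()) for s in csv.split(",")]


def narrow(proposed, configured):
    """Intersect two selector lists the way IKEv2 narrowing does for CIDR
    blocks: two blocks overlap only if one contains the other, and the
    result is the more specific one.  Duplicates are collapsed."""
    out = []
    for p, c in product(proposed, configured):
        if p.subnet_of(c):
            hit = p
        elif c.subnet_of(p):
            hit = c
        else:
            continue
        if hit not in out:
            out.append(hit)
    return out


def child_sa_policies(initiator, responder):
    """Policy pairs (local_ts, remote_ts) the initiator ends up with after the
    responder narrows the proposal.  Each side is a dict with 'leftsubnet'
    (its own side) and 'rightsubnet' (the peer's side), as in ipsec.conf."""
    # initiator proposes TSi = its leftsubnet and TSr = its rightsubnet;
    # the responder narrows TSi against its rightsubnet, TSr against its leftsubnet
    tsi = narrow(nets(initiator["leftsubnet"]), nets(responder["rightsubnet"]))
    tsr = narrow(nets(initiator["rightsubnet"]), nets(responder["leftsubnet"]))
    if not tsi or not tsr:
        return []  # empty selector set: the peer answers TS_UNACCEPTABLE
    return [(l, r) for l, r in product(tsi, tsr)]


def transit_policies(policies, local_addrs):
    """Pairs whose local selector holds none of this gateway's addresses,
    i.e. traffic the hub would only forward between two spokes."""
    addrs = [ipaddress.ip_address(a) for a in local_addrs]
    return [(l, r) for l, r in policies if not any(a in l for a in addrs)]


# Constructed from the ipsec.conf fragments in the post (left = local side).
HUB = {
    "spokeconn1": {"leftsubnet": "0.0.0.0/0", "rightsubnet": "192.168.10.0/24"},
    "spokeconn2": {"leftsubnet": "0.0.0.0/0", "rightsubnet": "192.168.20.0/24"},
}
SPOKE1 = {"leftsubnet": "192.168.10.0/24",
          "rightsubnet": "192.168.100.0/24,192.168.20.0/24"}
SPOKE2 = {"leftsubnet": "192.168.20.0/24",
          "rightsubnet": "192.168.100.0/24,192.168.10.0/24"}
# Assumption (not in the post): the hub's only addresses are its public IP
# and one LAN address inside 192.168.100.0/24.
HUB_ADDRS = ["3.3.3.3", "192.168.100.1"]


def analyse():
    """Derive the policy pairs, as seen from the hub, for the two negotiations
    in the post: hub -> spoke2 (hub initiates spokeconn2) and spoke1 -> hub
    (hub responds with spokeconn1)."""
    hub_to_spoke2 = child_sa_policies(HUB["spokeconn2"], SPOKE2)
    # when spoke1 initiates, the hub's local selector is spoke1's remote one
    spoke1_to_hub = [(r, l) for l, r in child_sa_policies(SPOKE1, HUB["spokeconn1"])]
    return {
        "hub->spoke2": hub_to_spoke2,
        "spoke1->hub (hub view)": spoke1_to_hub,
        "transit on hub": transit_policies(hub_to_spoke2 + spoke1_to_hub, HUB_ADDRS),
    }


if __name__ == "__main__":
    for name, pairs in analyse().items():
        print(name)
        for l, r in pairs:
            print(f"   {l} === {r}")
```

Running it prints, under "transit on hub", the pairs 192.168.10.0/24 === 192.168.20.0/24 and 192.168.20.0/24 === 192.168.10.0/24: both spoke-to-spoke policies land on the hub with a local selector the hub has no address in, which is the shape of the policy in the hub's "error installing route" line. If `narrow()` had returned an empty list for either direction, the spokes' TS_UNACCEPTABLE would be explained by the selectors themselves; it does not, so the hub's own kernel policy/route installation is where to look next.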