[Swan] not able to establish tunnel with multiple subnets and IKEv2

optimas primat techiek7 at gmail.com
Wed Jun 5 13:18:34 UTC 2019


Hi Paul,

I removed the leftsourceip directive but am still getting the same error.
Please find required logs.

pluto[27863]: initiating all conns with alias='siteB_ipsec'
pluto[27863]: "siteB_ipsec/2x2" #1: initiating v2 parent SA
pluto[27863]: "siteB_ipsec/2x2": constructed local IKE proposals for
siteB_ipsec/2x2 (IKE SA initiator selecting KE):
1:IKE:ENCR=3DES;PRF=HMAC_MD5;INTEG=HMAC_MD5_96;DH=MODP1024
pluto[27863]: "siteB_ipsec/2x2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
pluto[27863]: | Switching Child connection for #2 to "siteB_ipsec/1x1"
from "siteB_ipsec/2x2"
pluto[27863]: "siteB_ipsec/1x1": constructed local ESP/AH proposals
for siteB_ipsec/1x1 (IKE SA initiator emitting ESP/AH proposals):
1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=NONE;ESN=DISABLED
pluto[27863]: "siteB_ipsec/1x1" #2: STATE_PARENT_I2: sent v2I2,
expected v2R2 {auth=IKEv2 cipher=3DES_CBC_192 integ=HMAC_MD5_96
prf=HMAC_MD5 group=MODP1024}
pluto[27863]: "siteB_ipsec/1x1" #2: IKEv2 mode peer ID is ID_FQDN: '@abcd1'
pluto[27863]: "siteB_ipsec/1x1" #2: Authenticated using authby=secret
pluto[27863]: "siteB_ipsec/1x1" #2: negotiated connection
[172.16.56.0-172.16.56.255:0-65535 0] ->
[172.16.55.0-172.16.55.255:0-65535 0]
pluto[27863]: "siteB_ipsec/1x1" #2: STATE_V2_IPSEC_I: IPsec SA
established tunnel mode {ESP=>0xc26dbe6f <0x0f9f825a
xfrm=3DES_CBC-HMAC_MD5_96 NATOA=none NATD=none DPD=passive}
pluto[27863]: "siteB_ipsec/1x2": constructed local ESP/AH proposals
for siteB_ipsec/1x2 (ESP/AH initiator emitting proposals):
1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
pluto[27863]: "siteB_ipsec/2x1": constructed local ESP/AH proposals
for siteB_ipsec/2x1 (ESP/AH initiator emitting proposals):
1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
pluto[27863]: "siteB_ipsec/2x2": constructed local ESP/AH proposals
for siteB_ipsec/2x2 (ESP/AH initiator emitting proposals):
1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
pluto[27863]: "siteB_ipsec/1x2" #3: STATE_V2_CREATE_I: sent IPsec
Child req wait response
pluto[27863]: "siteB_ipsec/2x1" #4: message id deadlock? wait sending,
add to send next list using parent #1 unacknowledged 1 next message
id=3 ike exchange window 1
pluto[27863]: "siteB_ipsec/2x2" #5: message id deadlock? wait sending,
add to send next list using parent #1 unacknowledged 1 next message
id=3 ike exchange window 1
pluto[27863]: "siteB_ipsec/1x2" #3: no useful state microcode entry
found for incoming packet
pluto[27863]: "siteB_ipsec/1x2" #3: dropping unexpected
CREATE_CHILD_SA message containing TS_UNACCEPTABLE
pluto[27863]: "siteB_ipsec/1x2" #3: STATE_V2_CREATE_I: retransmission;
will wait 0.5 seconds for response
pluto[27863]: "siteB_ipsec/1x2" #3: STATE_V2_CREATE_I: retransmission;
will wait 1 seconds for response
pluto[27863]: "siteB_ipsec/1x2" #3: STATE_V2_CREATE_I: retransmission;
will wait 2 seconds for response
pluto[27863]: "siteB_ipsec/1x2" #3: STATE_V2_CREATE_I: retransmission;
will wait 4 seconds for response

pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #1: processing
IKE_SA_INIT request: SA,KE,Ni,N,N,N (message arrived 0 seconds ago)
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2: constructed local IKE
proposals for siteA_ipsec/1x1 (IKE SA responder matching remote
proposals): 1:IKE:ENCR=3DES;PRF=HMAC_MD5;INTEG=HMAC_MD5_96;DH=MODP1024
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #1: proposal
1:IKE:ENCR=3DES;PRF=HMAC_MD5;INTEG=HMAC_MD5_96;DH=MODP1024 chosen from
remote proposals
1:IKE:ENCR=3DES;PRF=HMAC_MD5;INTEG=HMAC_MD5_96;DH=MODP1024[first-match]
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #1: STATE_PARENT_R1:
received v2I1, sent v2R1 {auth=IKEv2 cipher=3DES_CBC_192
integ=HMAC_MD5_96 prf=HMAC_MD5 group=MODP1024}
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #1: processing
encrypted IKE_AUTH request: SK (message arrived 0 seconds ago)
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #1: processing
decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr}
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #1: IKEv2 mode peer ID
is ID_FQDN: '@abcd2'
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #1: Authenticated using
authby=secret
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2: constructed local
ESP/AH proposals for siteA_ipsec/1x1 (IKE_AUTH responder matching
remote ESP/AH proposals):
1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=NONE;ESN=DISABLED
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #1: proposal
1:ESP:SPI=0f9f825a;ENCR=3DES;INTEG=HMAC_MD5_96;ESN=DISABLED chosen
from remote proposals
1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;ESN=DISABLED[first-match]
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #2: negotiated
connection [172.16.55.0-172.16.55.255:0-65535 0] ->
[172.16.56.0-172.16.56.255:0-65535 0]
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #2: STATE_V2_IPSEC_R:
IPsec SA established tunnel mode {ESP=>0x0f9f825a <0xc26dbe6f
xfrm=3DES_CBC-HMAC_MD5_96 NATOA=none NATD=none DPD=active}
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2: constructed local
ESP/AH proposals for siteA_ipsec/1x1 (CREATE_CHILD_SA responder
matching remote ESP/AH proposals):
1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #1: proposal
1:ESP:SPI=a0b9b411;ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
chosen from remote proposals
1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED[first-match]
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #3: responding to
CREATE_CHILD_SA message (ID 2) from 172.16.88.2:500 with encrypted
notification TS_UNACCEPTABLE
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #2: no useful state
microcode entry found for incoming packet
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #3: deleting incomplete
state after 200.000 seconds
pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #3: deleting state
(STATE_V2_CREATE_R) aged 200.006s and NOT sending notification

siteA is the responder and siteB is the initiator.

On 6/5/19, Paul Wouters <paul at nohats.ca> wrote:
> On Wed, 5 Jun 2019, optimas primat wrote:
>
>> I am trying to create a site-to-site IPsec VPN with two subnets on each
>> site using libreswan on Linux gateways.
>
>> conn siteA_ipsec
>>        left=172.16.99.11
>>        leftsourceip=172.16.99.11
>>        right=%any
>>        leftsubnets={172.16.55.0/24,172.16.56.0/24}
>>        rightsubnets={172.16.66.0/24,172.16.67.0/24}
>>        auto=add
>
>> conn siteB_ipsec
>>        left=172.16.88.88
>>        leftsourceip=172.16.88.88
>>        right=172.16.99.11
>>        leftsubnets={172.16.66.0/24,172.16.67.0/24}
>>        rightsubnets={172.16.55.0/24,172.16.56.0/24}
>>        auto=start
>
> You should not use leftsourceip= when using multiple leftsubnets
>
>> I get a TS_UNACCEPTABLE error in the pluto logs and the tunnel gets
>> established for only one subnet pair. When I change right=%any to
>> right=172.16.88.88 in Site A's config, the tunnel gets established
>> successfully for all subnet pairs. As per the requirement, I don't want to
>> specify Site B's IP address at Site A, as it will be dynamic. Hence I
>> used right=%any initially. But the same config works with IKEv1.
>
> Can you try without the sourceip= lines? If you still see an issue can
> you then show some logs about what/why it is failing?
>
> Paul
>
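As an added triage aid (not code from this thread or from the libreswan project), the script below parses pluto lines in the format quoted above and reports, per conn instance such as siteB_ipsec/1x2, which child SA was established, which was rejected with TS_UNACCEPTABLE, and which is still queued behind the parent exchange; the selector ranges are folded back into CIDR so they can be compared with leftsubnets/rightsubnets. The sample lines are constructed after the log above.

```python
import re
from ipaddress import ip_address, summarize_address_range

# Constructed sample log, modelled on the pluto lines quoted earlier in this thread.
SAMPLE_LOG = """\
pluto[27863]: "siteB_ipsec/1x1" #2: negotiated connection [172.16.56.0-172.16.56.255:0-65535 0] -> [172.16.55.0-172.16.55.255:0-65535 0]
pluto[27863]: "siteB_ipsec/1x1" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xc26dbe6f <0x0f9f825a xfrm=3DES_CBC-HMAC_MD5_96 NATOA=none NATD=none DPD=passive}
pluto[27863]: "siteB_ipsec/2x1" #4: message id deadlock? wait sending, add to send next list using parent #1 unacknowledged 1 next message id=3 ike exchange window 1
pluto[27863]: "siteB_ipsec/1x2" #3: dropping unexpected CREATE_CHILD_SA message containing TS_UNACCEPTABLE
pluto[27863]: "siteB_ipsec/1x2" #3: STATE_V2_CREATE_I: retransmission; will wait 0.5 seconds for response
"""

# Matches both initiator ("conn/1x1" #2:) and responder ("conn/1x1"[1] 1.2.3.4 #2:) prefixes.
LINE_RE = re.compile(r'"(?P<conn>[^"]+)"(?:\[\d+\] \S+)? #(?P<sa>\d+): (?P<msg>.*)$')
# One traffic selector as pluto prints it: [first-last:lowport-highport proto]
SEL_RE = re.compile(r'\[(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+):\d+-\d+ \d+\]')
# Strongest verdict first; each instance keeps the strongest verdict seen for it.
VERDICTS = [
    ("IPsec SA established", "established"),
    ("TS_UNACCEPTABLE", "rejected: TS_UNACCEPTABLE"),
    ("message id deadlock", "queued behind parent exchange"),
    ("retransmission", "no response"),
]

def range_to_cidr(first, last):
    # Fold a selector's address range back into CIDR notation (may yield several nets).
    return ",".join(str(n) for n in summarize_address_range(ip_address(first), ip_address(last)))

def summarize_child_sas(log_text):
    """Map each conn instance (e.g. siteB_ipsec/1x2) to its selectors and outcome."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = result.setdefault(m.group("conn"), {"selectors": None, "status": "unknown", "rank": len(VERDICTS)})
        msg = m.group("msg")
        if msg.startswith("negotiated connection"):
            sels = SEL_RE.findall(msg)
            if len(sels) == 2:
                entry["selectors"] = range_to_cidr(*sels[0]) + " -> " + range_to_cidr(*sels[1])
        for rank, (needle, verdict) in enumerate(VERDICTS):
            if needle in msg and rank < entry["rank"]:
                entry["rank"], entry["status"] = rank, verdict
                break
    return result

def not_established(summary):
    """Sorted (instance, verdict) pairs for every child SA that never came up."""
    return sorted((c, e["status"]) for c, e in summary.items() if e["status"] != "established")
```

With an NxM subnets pair you expect N*M instances in the output; any instance missing entirely, or listed by not_established(), is the pair to look at on the responder side.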