[Swan] not able to establish tunnel with multiple subnets and IKEv2

optimas primat techiek7 at gmail.com
Mon Jun 10 04:11:11 UTC 2019


Hi Paul,

Any update?

On 6/5/19, optimas primat <techiek7 at gmail.com> wrote:
> 3.28. Previously I had 3.26, but with that also I was getting the same
> TS_UNACCEPTABLE error. But there were no "message id deadlock?" logs.
>
> On 6/5/19, Paul Wouters <paul at nohats.ca> wrote:
>> On Wed, 5 Jun 2019, optimas primat wrote:
>>
>>> pluto[27863]: "siteB_ipsec/1x1" #2: IKEv2 mode peer ID is ID_FQDN:
>>> '@abcd1'
>>> pluto[27863]: "siteB_ipsec/1x1" #2: Authenticated using authby=secret
>>> pluto[27863]: "siteB_ipsec/1x1" #2: negotiated connection
>>> [172.16.56.0-172.16.56.255:0-65535 0] ->
>>> [172.16.55.0-172.16.55.255:0-65535 0]
>>> pluto[27863]: "siteB_ipsec/1x1" #2: STATE_V2_IPSEC_I: IPsec SA
>>> established tunnel mode {ESP=>0xc26dbe6f <0x0f9f825a
>>> xfrm=3DES_CBC-HMAC_MD5_96 NATOA=none NATD=none DPD=passive}
>>
>> So the first tunnel comes up.
>>
>>> pluto[27863]: "siteB_ipsec/1x2": constructed local ESP/AH proposals
>>> for siteB_ipsec/1x2 (ESP/AH initiator emitting proposals):
>>> 1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
>>> pluto[27863]: "siteB_ipsec/2x1": constructed local ESP/AH proposals
>>> for siteB_ipsec/2x1 (ESP/AH initiator emitting proposals):
>>> 1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
>>> pluto[27863]: "siteB_ipsec/2x2": constructed local ESP/AH proposals
>>> for siteB_ipsec/2x2 (ESP/AH initiator emitting proposals):
>>> 1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
>>> pluto[27863]: "siteB_ipsec/1x2" #3: STATE_V2_CREATE_I: sent IPsec
>>> Child req wait response
>>
>> The second one is attempted.
>>
>>> pluto[27863]: "siteB_ipsec/2x1" #4: message id deadlock? wait sending,
>>> add to send next list using parent #1 unacknowledged 1 next message
>>> id=3 ike exchange window 1
>>
>> The others are queued up and waiting....
>>
>>> pluto[27863]: "siteB_ipsec/1x2" #3: no useful state microcode entry
>>> found for incoming packet
>>> pluto[27863]: "siteB_ipsec/1x2" #3: dropping unexpected
>>> CREATE_CHILD_SA message containing TS_UNACCEPTABLE pluto[27863]:
>>
>> Seems it mismatched the subnets?
>>
>>> 1:ESP:SPI=a0b9b411;ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED
>>> chosen from remote proposals
>>> 1:ESP:ENCR=3DES;INTEG=HMAC_MD5_96;DH=MODP1024;ESN=DISABLED[first-match]
>>> pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #3: responding to
>>> CREATE_CHILD_SA message (ID 2) from 172.16.88.2:500 with encrypted
>>> notification TS_UNACCEPTABLE
>>
>> It seemed to have picked the already established connection, then
>> decided to not switch?
>>
>> Which version of libreswan is this?
>>
>> Paul
>>
>


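The sequence Paul walks through above (first Child SA up, second CREATE_CHILD_SA sent, the remaining subnet pairs queued behind the IKE SA's exchange window of 1, then the responder answering with TS_UNACCEPTABLE) is easier to see when the pluto log is grouped by connection instance and state number. The script below is an added example for this thread, not code from the thread or from libreswan. It parses the lines quoted above, re-joined onto single lines and embedded as constructed sample input, and reports the outcome of each Child SA. The message patterns it matches are the ones visible in the thread; the state names and the `summarize`/`findings` helpers are this example's own.

```python
"""Triage libreswan (pluto) IKEv2 Child SA negotiation logs.

Groups log lines by (connection instance, state number) and reports which
Child SAs came up, which are queued behind the IKE SA's exchange window, and
which were refused with TS_UNACCEPTABLE (no matching traffic selectors).
"""
import re
from collections import Counter, OrderedDict

# Common prefix of a pluto log line, in both forms seen in the thread:
#   pluto[PID]: "conn/1x2" #3: message
#   pluto[PID]: "conn/1x1"[1] 172.16.88.2 #3: message   (instantiated connection)
LINE_RE = re.compile(
    r'pluto\[(?P<pid>\d+)\]: "(?P<conn>[^"]+)"(?:\[\d+\] \S+)? #(?P<sa>\d+): (?P<msg>.*)'
)
TS_RE = re.compile(r'negotiated connection \[(?P<local>[^\]]+)\] -> \[(?P<remote>[^\]]+)\]')
QUEUE_RE = re.compile(
    r'message id deadlock\? .*parent #(?P<parent>\d+) unacknowledged (?P<unacked>\d+) '
    r'next message id=(?P<msgid>\d+) ike exchange window (?P<window>\d+)'
)
RESP_RE = re.compile(
    r'responding to CREATE_CHILD_SA message \(ID (?P<msgid>\d+)\) from (?P<peer>\S+) '
    r'with encrypted notification (?P<notify>\w+)'
)

# Constructed sample: the lines quoted in the thread, re-joined onto single lines.
SAMPLE_LOG = [
    'pluto[27863]: "siteB_ipsec/1x1" #2: negotiated connection [172.16.56.0-172.16.56.255:0-65535 0] -> [172.16.55.0-172.16.55.255:0-65535 0]',
    'pluto[27863]: "siteB_ipsec/1x1" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xc26dbe6f <0x0f9f825a xfrm=3DES_CBC-HMAC_MD5_96 NATOA=none NATD=none DPD=passive}',
    'pluto[27863]: "siteB_ipsec/1x2" #3: STATE_V2_CREATE_I: sent IPsec Child req wait response',
    'pluto[27863]: "siteB_ipsec/2x1" #4: message id deadlock? wait sending, add to send next list using parent #1 unacknowledged 1 next message id=3 ike exchange window 1',
    'pluto[27863]: "siteB_ipsec/1x2" #3: no useful state microcode entry found for incoming packet',
    'pluto[27863]: "siteB_ipsec/1x2" #3: dropping unexpected CREATE_CHILD_SA message containing TS_UNACCEPTABLE',
    'pluto[12791]: "siteA_ipsec/1x1"[1] 172.16.88.2 #3: responding to CREATE_CHILD_SA message (ID 2) from 172.16.88.2:500 with encrypted notification TS_UNACCEPTABLE',
]


def parse_line(line):
    """Split one pluto line into pid, connection instance, state number and message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {'pid': int(m['pid']), 'conn': m['conn'], 'sa': int(m['sa']), 'msg': m['msg']}


def summarize(lines):
    """Return an OrderedDict keyed by (conn, sa) -> record with the SA's last known outcome."""
    sas = OrderedDict()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # proposal dumps and other unprefixed lines are ignored
        rec = sas.setdefault((ev['conn'], ev['sa']), {'state': 'unknown', 'notes': []})
        msg = ev['msg']
        ts = TS_RE.search(msg)
        if ts:
            rec['ts'] = (ts['local'], ts['remote'])
        elif 'IPsec SA established' in msg:
            rec['state'] = 'established'
        elif 'sent IPsec Child req' in msg:
            rec['state'] = 'child_req_sent'
        elif 'message id deadlock?' in msg:
            # IKEv2 allows only `window` outstanding exchanges per IKE SA, so
            # further CREATE_CHILD_SA requests are serialized behind the parent.
            rec['state'] = 'queued'
            q = QUEUE_RE.search(msg)
            if q:
                rec['queued_behind'] = int(q['parent'])
                rec['unacked'] = int(q['unacked'])
                rec['window'] = int(q['window'])
        elif 'no useful state microcode entry' in msg:
            rec['notes'].append('packet arrived in a state that does not expect it')
        elif 'TS_UNACCEPTABLE' in msg:
            r = RESP_RE.search(msg)
            if r:
                rec['state'] = 'rejected_peer'   # this end refused the peer's request
                rec['peer'] = r['peer']
            else:
                rec['state'] = 'rejected'        # the peer refused our request
    return sas


def count_by_state(sas):
    """Counter of outcomes, handy for a one-line health check."""
    return Counter(rec['state'] for rec in sas.values())


def findings(sas):
    """Human-readable line per Child SA, with the practical next step."""
    out = []
    for (conn, sa), rec in sas.items():
        st = rec['state']
        if st == 'established':
            out.append(f'{conn} #{sa}: up, traffic selectors {rec.get("ts")}')
        elif st == 'rejected':
            out.append(f'{conn} #{sa}: peer answered TS_UNACCEPTABLE; the peer has no '
                       f'child policy matching this subnet pair, compare both sides\' subnets')
        elif st == 'rejected_peer':
            out.append(f'{conn} #{sa}: refused CREATE_CHILD_SA from {rec.get("peer")} '
                       f'with TS_UNACCEPTABLE; the proposed traffic selectors matched nothing here')
        elif st == 'queued':
            out.append(f'{conn} #{sa}: waiting behind IKE SA #{rec.get("queued_behind")} '
                       f'(exchange window {rec.get("window")}); sent only after the outstanding exchange completes')
        else:
            out.append(f'{conn} #{sa}: {st} {rec["notes"]}')
    return out


if __name__ == '__main__':
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```

Run it on a full `/var/log/secure` (or `journalctl -u ipsec`) capture rather than the sample to see every subnet pair's outcome at once; a `queued` entry that never progresses to `child_req_sent` after the earlier exchange finishes, as the thread describes, points at the initiator's exchange handling rather than at the responder's policy.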