<div dir="ltr">That does indeed work, thank you!<div><br></div><div>I have been following the "VPN server for remote clients using IKEv2" config from [0]. There they only configure the "rightsubnet=" on the client, but not on the server like I was doing. </div><div><br></div><div>Should this be considered a bug on that document?</div><div><br></div><div>[0] <a href="https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2">https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2</a></div><div><br></div><div>Regards,</div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><b>Brady Johnson</b><div><a href="mailto:brady.johnson@redhat.com" target="_blank">brady.johnson@redhat.com</a><br></div><div><div><br></div><div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 29, 2022 at 2:28 PM Tuomo Soini <<a href="mailto:tis@foobar.fi">tis@foobar.fi</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, 29 Mar 2022 13:43:58 +0200<br>
Brady Johnson <<a href="mailto:bradyjoh@redhat.com" target="_blank">bradyjoh@redhat.com</a>> wrote:<br>
<br>
> The pluto.log in the server doesn't provide any more information. Why<br>
> do I get the TS_UNACCEPTABLE error?<br>
<br>
Right. That means your configurations don't match, which is very obvious<br>
when looking at your configs below:<br>
<br>
> <br>
> Server and Client configurations:<br>
> <br>
> conn vpn_server_tunnel<br>
>     left=10.10.8.8<br>
>     leftid=@<a href="http://vpnserver08.lab.com" rel="noreferrer" target="_blank">vpnserver08.lab.com</a><br>
>     leftsubnet=<a href="http://10.10.10.0/24" rel="noreferrer" target="_blank">10.10.10.0/24</a><br>
>     leftrsasigkey=%cert<br>
>     leftcert=<a href="http://vpnserver08.lab.com" rel="noreferrer" target="_blank">vpnserver08.lab.com</a><br>
>     leftsendcert=always<br>
> <br>
>     right=%any<br>
>     rightrsasigkey=%cert<br>
>     rightid=%fromcert<br>
>     rightca=%same<br>
> <br>
>     dpddelay=30<br>
>     dpdtimeout=120<br>
>     dpdaction=clear<br>
>     auto=add<br>
>     ikev2=insist<br>
>     rekey=no<br>
>     fragmentation=yes<br>
>     ike=aes256-sha2<br>
>     esp=aes256-sha2_512-dh14<br>
>     authby=rsa-sha2_512<br>
>     ikelifetime=86400s<br>
>     salifetime=3600s<br>
<br>
Note: rightsubnet= is missing from this config. Add<br>
rightsubnet=<a href="http://10.10.50.0/24" rel="noreferrer" target="_blank">10.10.50.0/24</a> and it should work. Likely you also need<br>
rightsourceip=<select-one-ip-from <a href="http://10.10.50.0/24" rel="noreferrer" target="_blank">10.10.50.0/24</a> subnet> if you want to<br>
communicate over the tunnel from the IPsec endpoint.<br>
<br>
-- <br>
Tuomo Soini <<a href="mailto:tis@foobar.fi" target="_blank">tis@foobar.fi</a>><br>
Foobar Linux services<br>
+358 40 5240030<br>
Foobar Oy <<a href="https://foobar.fi/" rel="noreferrer" target="_blank">https://foobar.fi/</a>><br>
_______________________________________________<br>
Swan mailing list<br>
<a href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a><br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" rel="noreferrer" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a><br>
<br>
</blockquote></div>
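<div>The mismatch Tuomo points out (the server has no rightsubnet=, so it only offers the client's host address as a traffic selector while the client proposes a whole /24) is the kind of thing that can be caught before the IKE_AUTH exchange fails with TS_UNACCEPTABLE. The following is an added example, not code from the thread or from libreswan: it parses two conn sections in ipsec.conf syntax and checks that each side's selector mirrors the peer's. The server conn is trimmed from the message above; the client conn is constructed, since the thread does not show it. It is a simplified mirror check and does not reproduce libreswan's own IKEv2 traffic selector narrowing.</div>

```python
import re

# Server conn from the thread (trimmed to the selector-relevant keys).
SERVER_CONF = """
conn vpn_server_tunnel
    left=10.10.8.8
    leftsubnet=10.10.10.0/24
    right=%any
"""

# Constructed client conn (the thread does not show it); mirrors the server.
CLIENT_CONF = """
conn vpn_client_tunnel
    left=%defaultroute
    leftsubnet=10.10.50.0/24
    right=10.10.8.8
    rightsubnet=10.10.10.0/24
"""

def parse_conn(text):
    """Parse one 'conn NAME' block of ipsec.conf syntax into (name, {key: value})."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return name, opts

def selector(opts, side):
    """Traffic selector a side will insist on: its subnet, else that host alone."""
    return opts.get(f"{side}subnet") or f"<{side} host address only>"

def check_selectors(server, client):
    """Server's left must equal client's right and vice versa; return mismatches."""
    problems = []
    for s_side, c_side in (("left", "right"), ("right", "left")):
        s_ts, c_ts = selector(server, s_side), selector(client, c_side)
        if s_ts != c_ts:
            msg = f"server {s_side}subnet={s_ts} vs client {c_side}subnet={c_ts}"
            if f"{s_side}subnet" not in server:
                msg += f" -> add {s_side}subnet={c_ts} on the server"
            problems.append(msg)
    return problems

if __name__ == "__main__":
    for p in check_selectors(parse_conn(SERVER_CONF)[1], parse_conn(CLIENT_CONF)[1]):
        print(p)
```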