Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
31773
Views
0
Helpful
12
Replies

received TS_UNACCEPTABLE notify, no CHILD_SA built

williamdaniel22128924
Level 1
Level 1

‎09-06-2021 12:45 AM

Hi,

 

I have a connection ikev2 with strongswan device and when i create the connection, it shows me this:

 

received TS_UNACCEPTABLE notify, no CHILD_SA built

 

We have the same parameters.

 

Can you help me ?

Labels:
0 Helpful
12 Replies 12

Sheraz.Salim
VIP
VIP

‎09-06-2021 01:31 AM

This seem to be a config issue. double check at both end that your phase 1 and phase2 plus interested traffic is matching.

please do not forget to rate.
0 Helpful

williamdaniel22128924
Level 1
Level 1
In response to Sheraz.Salim

‎09-06-2021 01:35 AM

Hi,

 

In phase 1 the connection working, but the problem is in the phase 2. We have the same parameters but the remote device is behind of nat. How would be my conf if my device has Public IP  ?.

 

 

0 Helpful

Sheraz.Salim
VIP
VIP
In response to williamdaniel22128924

‎09-06-2021 02:20 AM - edited ‎09-06-2021 02:20 AM

I had a dealing in past with strongwan the issue you getting is due to miss match your ACL (in cisco terms access-list/crypto map is not matching at both end). could you please share the out put of your configurations. what devices you using from cisco its firewall or a router?

please do not forget to rate.
0 Helpful

Sheraz.Salim
VIP
VIP
In response to williamdaniel22128924

‎09-06-2021 02:45 AM

In phase 1 the connection working, but the problem is in the phase 2. We have the same parameters but the remote device is behind of nat. How would be my conf if my device has Public IP ?.

 

when you said remote device you means the cisco router/firewall is behind nat? or the strongwan is behind nat?

 

please do not forget to rate.
0 Helpful

williamdaniel22128924
Level 1
Level 1
In response to Sheraz.Salim

‎09-06-2021 04:08 AM - edited ‎09-06-2021 04:13 AM

We are using cisco ASR 1001,

 

Configuration Strongwan:

 

This device is behind of Nat , exits with public ip 3.x.x.x

 

authby=secret

auto=route

left=172.x.x.x

leftid=172.x.x.x

leftsubnet=172.31.x.x/32

right=185.x.x.x

rightid=185.x.x.x

rightsubnet=172.16.x.x/32

ike=aes256-sha512-modp1536

esp=aes256-sha512

ikelifetime=24h

lifetime=1h

keyingtries=3

closeaction=restart

dpdaction=restart

dpdtimeout=300s

dpddelay=60s

 

configuration cisco asr 1001 

 

PUBLIC IP CISCO 185.x.x.x /32

loopback 10 172.16.x.x /32

 

crypto ikev2 proposal strongwan
encryption aes-cbc-256
integrity sha512
group 5 

 

crypto ikev2 policy POL-STRONGWAN
proposal strongwan

 

crypto ikev2 keyring STRONGWAN
peer STRONGWAN
address 3.x.x.x
pre-shared-key 
!

 

crypto ikev2 profile SITE2-STRONGWAN
match identity remote address 172.x.x.x 255.255.255.255
match identity remote address 3.x.x.x 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local STRONGWAN

crypto ipsec transform-set strongwan esp-aes 256 esp-sha512-hmac
mode tunnel
!
!
!

ip access-list extended STRONGWAN
permit ip host 172.16.x.x host 172.31.x.x


crypto map strongwan 20 ipsec-isakmp
set peer 3.x.x.x
set transform-set strongwan
set ikev2-profile STRONGWAN
match address STRONGWAN

 

What is the problem ? 

 can be this crypto ipsec transform-set strongwan esp-aes 256 esp-sha512-hmac ? the sha512 ?

 

The log strongwan: 

 

authentication of '172.31.x.x' (myself) with pre-shared key

establishing CHILD_SA test{102341}

generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

sending packet: from 172.x.x.x[4500] to 185.x.x.x[4500] (560 bytes)

received packet: from 185.x.x.x[4500] to 172.31.x.x[4500] (208 bytes)

parsed IKE_AUTH response 1 [ V IDr AUTH N(TS_UNACCEPT) ]

authentication of '185.x.x.x' with pre-shared key successful

IKE_SA test[59648] established between 172.x.x.x[172.31.x.x]...185.x.x.x[185.x.x.x]

scheduling reauthentication in 85432s

maximum IKE_SA lifetime 85972s

received TS_UNACCEPTABLE notify, no CHILD_SA built

failed to establish CHILD_SA, keeping IKE_SA

establishing connection 'test' failed

 

0 Helpful

williamdaniel22128924
Level 1
Level 1
In response to Sheraz.Salim

‎09-06-2021 04:23 AM

We are using cisco ASR 1001,

 

Configuration Strongwan:

 

This device is behind of Nat , exits with public ip 3.x.x.x

 

authby=secret

auto=route

left=172.x.x.x

leftid=172.x.x.x

leftsubnet=172.31.x.x/32

right=185.x.x.x

rightid=185.x.x.x

rightsubnet=172.16.x.x/32

ike=aes256-sha512-modp1536

esp=aes256-sha512

ikelifetime=24h

lifetime=1h

keyingtries=3

closeaction=restart

dpdaction=restart

dpdtimeout=300s

dpddelay=60s

 

configuration cisco asr 1001 

 

PUBLIC IP CISCO 185.x.x.x /32

loopback 10 172.16.x.x /32

 

crypto ikev2 proposal strongwan
encryption aes-cbc-256
integrity sha512
group 5 

 

crypto ikev2 policy POL-STRONGWAN
proposal strongwan

 

crypto ikev2 keyring STRONGWAN
peer STRONGWAN
address 3.x.x.x
pre-shared-key
!

 

crypto ikev2 profile SITE2-test
match identity remote address 172.x.x.x 255.255.255.255
match identity remote address 3.x.x.x 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local STRONGWAN

crypto ipsec transform-set strongwan esp-aes 256 esp-sha512-hmac
mode tunnel
!
!
!

ip access-list extended STRONGWAN
permit ip host 172.16.x.x host 172.31.x.x


crypto map strongwan 20 ipsec-isakmp
set peer 3.x.x.x
set transform-set strongwan
set ikev2-profile STRONGWAN
match address STRONGWAN

 

What is the problem ? 

 can be this crypto ipsec transform-set strongwan esp-aes 256 esp-sha512-hmac ? the sha512 ?

 

The log strongwan: 

 

authentication of '172.31.x.x' (myself) with pre-shared key

establishing CHILD_SA test{102341}

generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

sending packet: from 172.x.x.x[4500] to 185.x.x.x[4500] (560 bytes)

received packet: from 185.x.x.x[4500] to 172.31.x.x[4500] (208 bytes)

parsed IKE_AUTH response 1 [ V IDr AUTH N(TS_UNACCEPT) ]

authentication of '185.x.x.x' with pre-shared key successful

IKE_SA test[59648] established between 172.x.x.x[172.31.x.x]...185.x.x.x[185.x.x.x]

scheduling reauthentication in 85432s

maximum IKE_SA lifetime 85972s

received TS_UNACCEPTABLE notify, no CHILD_SA built

failed to establish CHILD_SA, keeping IKE_SA

establishing connection 'test failed

 

0 Helpful

Sheraz.Salim
VIP
VIP
In response to williamdaniel22128924

‎09-06-2021 06:59 AM - edited ‎09-06-2021 07:02 AM

 

 

here have a look on this.

 

parsed IKE_AUTH response 1 [ V IDr AUTH N(TS_UNACCEPT) ]
received TS_UNACCEPTABLE notify, no CHILD_SA built

failed to establish CHILD_SA, keeping IKE_SA

This log means that this router he does not like the peer proposed traffic selector

The remote peer sends you an error indicating the left subnet and right subnet parameters are invalid. Verify the settings and-or ask the remote peer logs.

 

 

 

please do not forget to rate.
0 Helpful

williamdaniel22128924
Level 1
Level 1
In response to Sheraz.Salim

‎09-06-2021 08:04 AM

How do I verify if the right subnet and left subnet within the cisco are correct? I do it with the ACL ?.

 

Can you give me an example?

 

The private subnet of strongwan is 172.31.x.x/32

The private subnet of cisco is 172.16.x.x/32 

 

How it would be the conf on cisco ?

0 Helpful

Sheraz.Salim
VIP
VIP
In response to williamdaniel22128924

‎09-06-2021 09:02 AM - edited ‎09-06-2021 09:31 AM

Looking into your Strongswan you configuration should have like this with enabling the nat traversal however I am sure your nat traversal is on as we can see in the logs

sending packet: from 172.x.x.x[4500] to 185.x.x.x[4500] (560 bytes)

received packet: from 185.x.x.x[4500] to 172.31.x.x[4500] (208 bytes)

 

your access-list on the ASR router is good. I have found this link a similar issue you having here might this help you.

 

 

authby=secret
auto=route
left=3.x.x.x
leftid=3.x.x.x
leftsubnet=172.31.x.x/32
right=185.x.x.x
rightid=185.x.x.x
rightsubnet=172.16.x.x/32
ike=aes256-sha512-modp1536
esp=aes256-sha512
ikelifetime=24h
lifetime=1h
keyingtries=3
closeaction=restart
dpdaction=restart
dpdtimeout=300s
dpddelay=60s

The reason I am saying as you have this configured in you ASR config.

crypto map strongwan 20 ipsec-isakmp
set peer 3.x.x.x
set transform-set strongwan
set ikev2-profile STRONGWAN
match address STRONGWAN  

 

please do not forget to rate.
0 Helpful

williamdaniel22128924
Level 1
Level 1
In response to Sheraz.Salim

‎09-06-2021 10:41 AM

Hi, 

 

the strongwan device is behind a nat 

 

left=172.x.x.x -> private ip and then comes out witn a public ip 3.x.x.x and it has a subnet that is 173.31.x.x 

 

cisco is not behind nat, it has public ip 185.x.x.x

 

the tunnel is up but in phase 2  not working 

 

 

 

0 Helpful

williamdaniel22128924
Level 1
Level 1
In response to williamdaniel22128924

‎09-08-2021 01:14 AM

Hi salim,

 

the error seems to be from the strongwan with the subnet

0 Helpful

nagrajk1969
Spotlight
Spotlight

‎09-16-2021 05:13 AM

hi 

 

In the strongswan config, what is the value set in "left=172.x.x.x",?....and what is the exact value set for leftsubnet=?...

 

 

- Please note you are using RFC-1918 ip-subnets on strongswan and NOT public ipaddresses....so there is no need to hide what is the ipaddress given to "left=?" and leftsubnet=?....

- we all use the same subnets in our setups and there is no need for secrecy when you are using private-address space

 

 

0 Helpful
Customers Also Viewed These Support Documents