strongSwan - TS_UNACCEPTABLE unacceptable transfer selector error







I have a server behind the static IP address 135.61.29.123, and it has the LAN IP addresses shown below.


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UNKNOWN group default qlen 1000
link/ether 00:16:3e:0a:ea:4c brd ff:ff:ff:ff:ff:ff
inet 172.18.227.8/20 brd 172.18.239.255 scope global dynamic eth0
valid_lft 314748113sec preferred_lft 314748113sec
inet6 fe80::216:3eff:fe0a:ea4c/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:80:a9:46:70 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:80ff:fea9:4670/64 scope link
valid_lft forever preferred_lft forever



I am following the roadwarrior example to set up a VPN client to connect to this server, so that I can access 172.18.227.8 directly.



StrongSwan version 5.5.1



Configuration



Here is /etc/swanctl/swanctl.conf on the server side


connections {
    rw {
        local {
            auth = pubkey
            certs = serverCert.pem
            id = 135.61.29.123
        }
        remote {
            auth = pubkey
        }
        children {
            net-net {
                local_ts = 172.18.227.8/20
            }
        }
    }
}






Here is /etc/swanctl/swanctl.conf on the client side


connections {
    home {
        remote_addrs = 135.61.29.123

        local {
            auth = pubkey
            certs = clientCert.pem
            id = carol@strongswan.org
        }
        remote {
            auth = pubkey
            id = 135.61.29.123
        }
        children {
            home {
                local_ts = 172.18.227.8/20
                start_action = start
            }
        }
    }
}






Logs



Here are the logs from server side


12[NET] received packet: from 175.10.39.196[500] to 172.18.227.8[500] (936 bytes)
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
12[IKE] 175.10.39.196 is initiating an IKE_SA
12[IKE] local host is behind NAT, sending keep alives
12[IKE] remote host is behind NAT
12[IKE] sending cert request for "C=CN, O=StrongSwan, CN=strongswan.org"
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
12[NET] sending packet: from 172.18.227.8[500] to 175.10.39.196[500] (297 bytes)
10[NET] received packet: from 175.10.39.196[4500] to 172.18.227.8[4500] (1236 bytes)
10[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
10[ENC] received fragment #1 of 2, waiting for complete IKE message
10[NET] received packet: from 175.10.39.196[4500] to 172.18.227.8[4500] (308 bytes)
10[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
10[ENC] received fragment #2 of 2, reassembling fragmented IKE message
10[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
10[IKE] received cert request for "C=CN, O=StrongSwan, CN=strongswan.org"
10[IKE] received end entity cert "C=CN, O=StrongSwan, CN=carol@strongswan.org"
10[CFG] looking for peer configs matching 172.18.227.8[135.61.29.123]...175.10.39.196[carol@strongswan.org]
10[CFG] selected peer config 'rw'
10[CFG] using trusted ca certificate "C=CN, O=StrongSwan, CN=strongswan.org"
10[CFG] checking certificate status of "C=CN, O=StrongSwan, CN=carol@strongswan.org"
10[CFG] certificate status is not available
10[CFG] reached self-signed root ca with a path length of 0
10[CFG] using trusted certificate "C=CN, O=StrongSwan, CN=carol@strongswan.org"
10[IKE] authentication of 'carol@strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
10[IKE] peer supports MOBIKE
10[IKE] authentication of '135.61.29.123' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
10[IKE] IKE_SA rw[1] established between 172.18.227.8[135.61.29.123]...175.10.39.196[carol@strongswan.org]
10[IKE] scheduling rekeying in 13146s
10[IKE] maximum IKE_SA lifetime 14586s
10[IKE] sending end entity cert "C=CN, O=StrongSwan, CN=135.61.29.123"
10[IKE] traffic selectors 135.61.29.123/32 === 172.18.224.0/20 inacceptable
10[IKE] failed to establish CHILD_SA, keeping IKE_SA
10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
10[NET] sending packet: from 172.18.227.8[4500] to 175.10.39.196[4500] (1248 bytes)
05[IKE] sending keep alive to 175.10.39.196[4500]
08[IKE] sending keep alive to 175.10.39.196[4500]
10[IKE] sending keep alive to 175.10.39.196[4500]
09[IKE] sending keep alive to 175.10.39.196[4500]
13[IKE] sending keep alive to 175.10.39.196[4500]



Here are the logs from client side


08[CFG] loaded certificate 'C=CN, O=StrongSwan, CN=carol@strongswan.org'
12[CFG] loaded certificate 'C=CN, O=StrongSwan, CN=135.61.29.123'
05[CFG] loaded certificate 'C=CN, O=StrongSwan, CN=strongswan.org'
10[CFG] loaded RSA private key
05[CFG] loaded RSA private key
12[CFG] loaded RSA private key
16[CFG] added vici connection: home
16[CFG] initiating 'home'
16[IKE] initiating IKE_SA home[1] to 135.61.29.123
16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
16[NET] sending packet: from 192.168.2.104[500] to 135.61.29.123[500] (936 bytes)
14[NET] received packet: from 135.61.29.123[500] to 192.168.2.104[500] (297 bytes)
14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
14[IKE] local host is behind NAT, sending keep alives
14[IKE] remote host is behind NAT
14[IKE] received cert request for "C=CN, O=StrongSwan, CN=strongswan.org"
14[IKE] sending cert request for "C=CN, O=StrongSwan, CN=strongswan.org"
14[IKE] authentication of 'carol@strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
14[IKE] sending end entity cert "C=CN, O=StrongSwan, CN=carol@strongswan.org"
14[IKE] establishing CHILD_SA home
14[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
14[ENC] splitting IKE message with length of 1472 bytes into 2 fragments
14[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
14[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
14[NET] sending packet: from 192.168.2.104[4500] to 135.61.29.123[4500] (1236 bytes)
14[NET] sending packet: from 192.168.2.104[4500] to 135.61.29.123[4500] (308 bytes)
08[NET] received packet: from 135.61.29.123[4500] to 192.168.2.104[4500] (1248 bytes)
08[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
08[IKE] received end entity cert "C=CN, O=StrongSwan, CN=135.61.29.123"
08[CFG] using trusted ca certificate "C=CN, O=StrongSwan, CN=strongswan.org"
08[CFG] checking certificate status of "C=CN, O=StrongSwan, CN=135.61.29.123"
08[CFG] certificate status is not available
08[CFG] reached self-signed root ca with a path length of 0
08[CFG] using trusted certificate "C=CN, O=StrongSwan, CN=135.61.29.123"
08[IKE] authentication of '135.61.29.123' with RSA_EMSA_PKCS1_SHA2_256 successful
08[IKE] IKE_SA home[1] established between 192.168.2.104[carol@strongswan.org]...135.61.29.123[135.61.29.123]
08[IKE] scheduling rekeying in 14287s
08[IKE] maximum IKE_SA lifetime 15727s
08[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
08[IKE] failed to establish CHILD_SA, keeping IKE_SA
08[IKE] peer supports MOBIKE
11[IKE] sending keep alive to 135.61.29.123[4500]
10[IKE] sending keep alive to 135.61.29.123[4500]
07[IKE] sending keep alive to 135.61.29.123[4500]
08[IKE] sending keep alive to 135.61.29.123[4500]



As you can see from the logs above, the connection is established and both sides even send keep-alive packets. But the TS_UNACCEPTABLE error occurs and I can't access 172.18.227.8 from the client side.



What's the problem? Thank you
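The narrowing behind the TS_UNACCEPTABLE in the logs above, as an added example that is not part of the question: a simplified Python model of how a strongSwan peer derives its selectors from a swanctl child section (an absent local_ts/remote_ts means dynamic, i.e. the host's own or the peer's IKE address, or a virtual IP once one is assigned) and how the responder narrows them per RFC 7296 section 2.9. It uses the addresses from the logs, a constructed virtual IP 10.3.0.1 from an assumed server pool, and is not strongSwan's own code.

```python
import ipaddress

def network(ts):
    # strongSwan normalizes a host/prefix selector to its network: 172.18.227.8/20 -> 172.18.224.0/20
    return ipaddress.ip_network(ts, strict=False)

def side_ts(child, own, peer, own_vip=None, peer_vip=None):
    """(local, remote) selectors a peer derives from its child section (simplified model): an absent
    local_ts/remote_ts means 'dynamic', the host's own or the peer's IKE address, or a virtual IP."""
    local = [network(t) for t in child.get("local_ts", [])] or [network(f"{own_vip or own}/32")]
    remote = [network(t) for t in child.get("remote_ts", [])] or [network(f"{peer_vip or peer}/32")]
    return local, remote

def narrow(offered, configured):
    """RFC 7296 section 2.9: keep the overlap of each offered selector with a configured one."""
    keep = []
    for o in offered:
        for c in configured:
            if o.subnet_of(c) or c.subnet_of(o):
                keep.append(o if o.subnet_of(c) else c)
    return keep

def negotiate(client, server, client_addr, client_nat_addr, server_addr, vip=None):
    # Initiator (client): its local_ts go out as TSi, its remote_ts as TSr
    tsi, tsr = side_ts(client, client_addr, server_addr, own_vip=vip)
    # Responder (server): local_ts must cover TSr and remote_ts must cover TSi; it sees the client
    # at the NAT's public address, or at the virtual IP it assigned
    srv_local, srv_remote = side_ts(server, server_addr, client_nat_addr, peer_vip=vip)
    my_ts, other_ts = narrow(tsr, srv_local), narrow(tsi, srv_remote)
    if not my_ts or not other_ts:
        return None, (tsr, tsi)  # the responder answers with N(TS_UNACCEPTABLE)
    return (my_ts, other_ts), None

# Addresses from the question's logs; 10.3.0.1 is a constructed virtual IP from an assumed server pool
CLIENT, NAT, SERVER = "192.168.2.104", "175.10.39.196", "135.61.29.123"
SERVER_CHILD = {"local_ts": ["172.18.227.8/20"]}

def as_posted():
    # client put the server LAN in local_ts, so TSr is the bare server address and nothing overlaps
    # -> (None, ([135.61.29.123/32], [172.18.224.0/20])), the pair the server logged
    return negotiate({"local_ts": ["172.18.227.8/20"]}, SERVER_CHILD, CLIENT, NAT, SERVER)

def remote_ts_no_vip():
    # subnet moved to remote_ts, but the NATed client still offers 192.168.2.104/32 as TSi
    # -> (None, ...): the server's dynamic remote selector is 175.10.39.196/32
    return negotiate({"remote_ts": ["172.18.227.8/20"]}, SERVER_CHILD, CLIENT, NAT, SERVER)

def remote_ts_with_vip():
    # with a virtual IP, TSi and the server's dynamic remote selector agree
    # -> (([172.18.224.0/20], [10.3.0.1/32]), None)
    return negotiate({"remote_ts": ["172.18.227.8/20"]}, SERVER_CHILD, CLIENT, NAT, SERVER, vip="10.3.0.1")
```

Run against the posted sections it reproduces the exact pair the server logged, 135.61.29.123/32 === 172.18.224.0/20, and shows that the subnet belongs in the client's remote_ts and that a NATed client additionally needs a virtual IP (or a server remote_ts covering its private address) before the selectors overlap.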



