Strongswan TS_UNACCEPTABLE – Troubleshooting TS_UNACCEPTABLE Error in Strongswan

strongswan

I have a server hosted on IP <server_ip>.
I have a personal computer at home, behind a router. The router's public IP is <router_ip>. The client has a local IP on the router's subnet, which is called <local_ip>.

The server is on Ubuntu 18.04, the local computer is on Ubuntu 20.04. Each is up to date and has strongSwan installed using the following command

apt install strongswan strongswan-swanctl

Server has strongSwan 5.6.2
Client has strongSwan 5.8.2

I created a CA, a serv and an enduser certificate, using the following commands from the strongswan-pki package

ipsec pki --gen --outform pem > ca.key
ipsec pki --self --in ca.key --dn "C=FR,O=Test,CN=Test CA" --ca --outform pem > ca.crt
ipsec pki --gen --outform pem > serv.key
ipsec pki --issue --in serv.key --type priv --cacert ca.crt --cakey ca.key --dn "C=FR,O=Test,CN=serv" --san serv --outform pem > serv.crt
ipsec pki --gen --outform pem > enduser.key
ipsec pki --issue --in enduser.key --type priv --cacert ca.crt --cakey ca.key --dn "C=FR,O=Test,CN=enduser" --san enduser --outform pem > enduser.crt

I modified nothing except /etc/swanctl/swanctl.conf on both sides

Server /etc/swanctl/swanctl.conf

connections {
    server {
        local {
            auth = pubkey
            certs = serv.crt
            id = "serv"
        }
        remote {
            auth = pubkey
            id = "enduser"
        }
        children {
            host {
                start_action = trap
            }
        }
    }
}

Client /etc/swanctl/swanctl.conf

connections {
    client-server {
        remote_addrs = <server_ip>

        local {
            auth = pubkey
            certs = enduser.crt
            id = "enduser"
        }
        remote {
            auth = pubkey
            id = "serv"
        }
        children {
            to-host {
                start_action = trap
            }
        }
    }
}

On the server, I put the certificates in the following places

/etc/swanctl/x509/serv.crt
/etc/swanctl/x509ca/ca.crt
/etc/swanctl/private/serv.key

On the client, I have these files

/etc/swanctl/x509/enduser.crt
/etc/swanctl/x509ca/ca.crt
/etc/swanctl/private/enduser.key

Then I run the following command on both server and client

swanctl --load-conns && swanctl --load-creds

and on the client

swanctl --initiate --child to-host

But it fails with the following error on the client side

[IKE] establishing CHILD_SA to-host{7}
[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
[NET] sending packet: from <local_ip>[4500] to <server_ip>[4500] (256 bytes)
[NET] received packet: from <server_ip>[4500] to <local_ip>[4500] (80 bytes)
[ENC] parsed CREATE_CHILD_SA response 3 [ N(TS_UNACCEPT) ]
[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
[IKE] failed to establish CHILD_SA, keeping IKE_SA

Server-side logs (using swanctl -T) are below

08[IKE] traffic selectors <server_ip>/32[tcp/ssh] <server_ip>/32 === <local_ip>/32[tcp/55592] <local_ip>/32 inacceptable
08[IKE] failed to establish CHILD_SA, keeping IKE_SA
08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
08[NET] sending packet: from <server_ip>[4500] to <routeur_ip>[59527] (1184 bytes)
16[NET] received packet: from 86.234.97.45[59527] to <server_ip>[4500] (256 bytes)
16[ENC] parsed CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
16[IKE] traffic selectors <server_ip>/32 === <local_ip>/32 inacceptable

Can anyone explain to me what I did wrong? I thought the TS should be negotiated automatically.

Best Answer

So, thanks to ecdsa I got the answer.

I had to add a remote_ts to the server's swanctl.conf file.

So now the server swanctl.conf is as below

connections {
    server {
        local {
            auth = pubkey
            certs = serv.crt
            id = "serv"
        }
        remote {
            auth = pubkey
            id = "enduser"
        }
        children {
            host {
                start_action = trap
                remote_ts = <local_subnet>/24
            }
        }
    }
}

But to be honest, I don't know how it was fixed. I read https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal and https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp but I'm not 100% sure what I did. I believe it's because the server doesn't naturally know how to address data to the client (because the client asks from a public IP but wants the answer sent to its local IP) and we have to force it to do as we want. But I'm not sure. Is there any documentation that can help me understand the concepts inherent to traffic selectors?
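The narrowing rule behind the TS_UNACCEPTABLE notify in the logs above, as an added illustration that is not part of the thread or of strongSwan itself: an IKEv2 responder intersects the initiator's proposed selectors with its own configured ones (RFC 7296, section 2.9) and rejects the CHILD_SA when nothing remains. With the server's default `remote_ts = dynamic`, the configured remote selector is the peer address the server actually sees, i.e. the NAT's public address, which never overlaps the client's private `<local_ip>/32`; `remote_ts = <local_subnet>/24` makes the intersection non-empty. All addresses below are constructed placeholders (RFC 5737 test networks) standing in for the page's `<server_ip>`, `<router_ip>`, `<local_ip>` and `<local_subnet>`; port/protocol narrowing is left out.

```python
# Added example modelling IKEv2 traffic-selector narrowing (RFC 7296 s.2.9).
# Not strongSwan code; addresses are constructed placeholders.
from ipaddress import ip_network

SERVER_IP = "203.0.113.10/32"      # <server_ip>   (TEST-NET-3, constructed)
ROUTER_IP = "198.51.100.7/32"      # <router_ip>   (TEST-NET-2, constructed)
LOCAL_IP = "192.168.1.20/32"       # <local_ip>    (constructed)
LOCAL_SUBNET = "192.168.1.0/24"    # <local_subnet>/24 (constructed)


def narrow(proposed, configured):
    """Return the CIDR blocks common to the proposed and configured selectors.

    For each pair, the narrower block is kept; an empty result is exactly the
    condition under which a responder answers with TS_UNACCEPTABLE.
    """
    result = []
    for p in map(ip_network, proposed):
        for c in map(ip_network, configured):
            if p.subnet_of(c):
                result.append(str(p))
            elif c.subnet_of(p):
                result.append(str(c))
    return result


def responder_decision(proposed_tsi, proposed_tsr, local_ts, remote_ts):
    """Mimic the responder: TSi is matched against remote_ts, TSr against local_ts."""
    tsi = narrow(proposed_tsi, remote_ts)
    tsr = narrow(proposed_tsr, local_ts)
    if not tsi or not tsr:
        return "TS_UNACCEPTABLE"
    return {"tsi": tsi, "tsr": tsr}


def default_server_config():
    """Server with both selectors left at 'dynamic': local_ts is its own address,
    remote_ts is the peer address it sees, which behind NAT is the router."""
    return responder_decision([LOCAL_IP], [SERVER_IP], [SERVER_IP], [ROUTER_IP])


def fixed_server_config():
    """Server with remote_ts = <local_subnet>/24, as in the accepted answer."""
    return responder_decision([LOCAL_IP], [SERVER_IP], [SERVER_IP], [LOCAL_SUBNET])


if __name__ == "__main__":
    print("default :", default_server_config())   # TS_UNACCEPTABLE
    print("fixed   :", fixed_server_config())     # narrowed TSi/TSr pair
```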
