
List:       strongswan-users
Subject:    [strongSwan] fortiOS multiple pair of selectors per CHILD_SA
From:       Marco Berizzi <pupilla () hotmail ! com>
Date:       2018-09-05 16:17:06
Message-ID: VI1P190MB03178C0108EC14F8D68A1270B2020 () VI1P190MB0317 ! EURP190 ! PROD ! OUTLOOK ! COM

I have successfully established an IPsec IKEv2 tunnel
with a FortiGate 1200D/FortiOS v5.2.4.

It is the first device where I'm able to get multiple
pairs of selectors per CHILD_SA.

The tricky thing to pay attention to is the order of the
comma-separated list in the remote_ts parameter.
For example, this sequence was rejected by the remote
peer:

remote_ts = 192.168.32.0/24,10.20.29.75/32

with the following error message:

[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
[IKE] failed to establish CHILD_SA, keeping IKE_SA

Instead, the following one was working:

remote_ts = 10.20.29.75/32,192.168.32.0/24

Is this the expected behavior per the RFC?
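The post above reports that only one ordering of the two selectors was accepted. The script below is an added example, not code from the original post or from strongSwan or Fortinet: it models RFC 7296 section 2.9 traffic-selector narrowing (the responder keeps whatever part of the proposed selectors its policy permits and answers TS_UNACCEPTABLE when nothing remains) and contrasts a responder that narrows every proposed selector with a hypothetical one that only looks at the first selector in the list. The responder policy (`RESPONDER_POLICY`) and the `first_selector_only` behaviour are assumptions made to reproduce the observed symptom; they are not documented FortiOS behaviour. The two selector lists are the ones quoted in the post.

```python
from ipaddress import ip_network

# Constructed from the two remote_ts orderings quoted in the post above.
REJECTED_ORDER = ["192.168.32.0/24", "10.20.29.75/32"]
WORKING_ORDER = ["10.20.29.75/32", "192.168.32.0/24"]

# Hypothetical responder policy (an assumption, not taken from the post):
# the peer only has a phase-2 selector for the single host.
RESPONDER_POLICY = ["10.20.29.75/32"]


def intersect(a, b):
    """Intersection of two CIDR selectors.

    Two CIDR blocks are either nested or disjoint, so the intersection is
    the smaller block when nested and empty (None) otherwise.
    """
    a, b = ip_network(a, strict=False), ip_network(b, strict=False)
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow(proposed, policy):
    """RFC 7296 section 2.9 style narrowing.

    Keep the part of each proposed selector that the responder's policy
    allows, preserving the initiator's order and dropping duplicates.
    """
    chosen = []
    for p in proposed:
        for q in policy:
            n = intersect(p, q)
            if n is not None and n not in chosen:
                chosen.append(n)
    return chosen


def responder(proposed, policy, first_selector_only=False):
    """Simulate the responder's decision on a proposed TSr list.

    Returns ("OK", [selectors]) when some selector survives narrowing and
    ("TS_UNACCEPTABLE", []) when none does.  With first_selector_only=True
    the responder (hypothetically) narrows only against the first selector
    in the list, which is what makes the ordering matter.
    """
    candidates = proposed[:1] if first_selector_only else proposed
    chosen = narrow(candidates, policy)
    if not chosen:
        return ("TS_UNACCEPTABLE", [])
    return ("OK", [str(n) for n in chosen])


if __name__ == "__main__":
    for label, order in (("rejected order", REJECTED_ORDER), ("working order", WORKING_ORDER)):
        print(label, "full narrowing:", responder(order, RESPONDER_POLICY))
        print(label, "first selector only:", responder(order, RESPONDER_POLICY, True))
```

With full narrowing both orderings yield the same CHILD_SA (only the /32 survives), which is what the RFC's narrowing rule leads you to expect. Only the first-selector-only responder reproduces the asymmetry reported in the post, so when a peer rejects one ordering and accepts another, the useful checks are: which selectors the peer's own phase-2 policy actually contains, and whether it narrows the whole list or just the leading entry.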

