Child SAs not accepted between 1.3.0-rc5 and 1.4-rolling-202108081830
1.3 configuration:
set interfaces ethernet eth1 address '192.0.2.1/30'
set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group19'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '19'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 192.0.2.2 authentication id '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 192.0.2.2 authentication remote-id '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 192.0.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.2 local-address '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 0 local prefix '100.64.1.0/24'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 0 remote prefix '100.64.2.0/24'
1.4 configuration:
set interfaces ethernet eth1 address '192.0.2.2/30'
set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group19'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '19'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 192.0.2.1 authentication id '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 192.0.2.1 authentication remote-id '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 192.0.2.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 0 local prefix '100.64.2.0/24'
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 0 remote prefix '100.64.1.0/24'
Logs from 1.3:
Aug 9 11:27:09 r4-1 charon: 05[CFG] <peer-192.0.2.2-tunnel-0|2> received proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Aug 9 11:27:09 r4-1 charon: 05[CFG] <peer-192.0.2.2-tunnel-0|2> configured proposals: ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ
Aug 9 11:27:09 r4-1 charon: 05[IKE] <peer-192.0.2.2-tunnel-0|2> no acceptable proposal found
Aug 9 11:27:09 r4-1 charon: 05[IKE] <peer-192.0.2.2-tunnel-0|2> failed to establish CHILD_SA, keeping IKE_SA
Aug 9 11:27:09 r4-1 charon: 05[ENC] <peer-192.0.2.2-tunnel-0|2> generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
Logs from 1.4:
Aug 9 10:28:21 r1-roll charon: 08[IKE] <peer_192-0-2-1|7> failed to establish CHILD_SA, keeping IKE_SA
Aug 9 10:28:21 r1-roll charon: 08[ENC] <peer_192-0-2-1|7> generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
Aug 9 10:28:21 r1-roll charon: 08[NET] <peer_192-0-2-1|7> sending packet: from 192.0.2.2[500] to 192.0.2.1[500] (117 bytes)
Aug 9 10:28:22 r1-roll charon: 09[NET] <peer_192-0-2-1|7> received packet: from 192.0.2.1[500] to 192.0.2.2[500] (257 bytes)
Aug 9 10:28:22 r1-roll charon: 09[ENC] <peer_192-0-2-1|7> parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Aug 9 10:28:22 r1-roll charon: 09[CFG] <peer_192-0-2-1|7> received proposals: ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ
Aug 9 10:28:22 r1-roll charon: 09[CFG] <peer_192-0-2-1|7> configured proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Aug 9 10:28:22 r1-roll charon: 09[IKE] <peer_192-0-2-1|7> no acceptable proposal found
Something is wrong with the configured proposals.
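The two [CFG] lines charon logs before "no acceptable proposal found" already contain the answer: the 1.3 side offers ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ (the esp-group's aes256gcm128 plus the dh-group19 PFS transform), while the 1.4 side's configured proposals are strongSwan's default ESP proposal list, which contains no DH group at all. The following script is an added example, not code from the report or from VyOS or strongSwan: it parses those two log lines and reports which transform type has no common algorithm, so the same check can be run against any charon log. Transform names are classified by prefix (an assumption about naming, not strongSwan's own table), and the sample log lines are copied from the 1.4 log above.

```python
"""Explain charon's "no acceptable proposal found" from its [CFG] log lines.

Added example; not part of the original report, VyOS or strongSwan.
transform_type() is a name-prefix heuristic (assumption), not
strongSwan's transform table.
"""
from __future__ import annotations
import re

LOG_RE = re.compile(r"\[CFG\] <[^>]+> (received|configured) proposals: (.+?)\s*$")

# Sample input, copied from the 1.4 log in the report (received line first).
LOG_14 = [
    "Aug 9 10:28:22 r1-roll charon: 09[CFG] <peer_192-0-2-1|7> received proposals: "
    "ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ",
    "Aug 9 10:28:22 r1-roll charon: 09[CFG] <peer_192-0-2-1|7> configured proposals: "
    "ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, "
    "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/"
    "HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ",
]


def transform_type(alg: str) -> str:
    """Map a transform name to its IKEv2 transform type (prefix heuristic)."""
    if alg in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "ESN"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEG"
    return "ENCR"  # AES_CBC_*, AES_GCM_16_*, CHACHA20_POLY1305, ...


def parse_proposals(text: str) -> list[dict[str, set[str]]]:
    """'ESP:A/B, ESP:C/D' -> one {transform type: {algorithms}} dict per proposal."""
    proposals = []
    for prop in text.split(","):
        _proto, _, algs = prop.strip().partition(":")
        by_type: dict[str, set[str]] = {}
        for alg in algs.split("/"):
            by_type.setdefault(transform_type(alg), set()).add(alg)
        proposals.append(by_type)
    return proposals


def select_proposal(received, configured, skip_dh=False):
    """RFC 7296 style selection: a pair matches when both proposals carry the
    same transform types and share at least one algorithm per type.  skip_dh
    ignores the DH type, as for the first CHILD_SA in IKE_AUTH (no KE payload).
    Returns the common algorithms per type, or None."""
    for r in received:
        for c in configured:
            rtypes, ctypes = set(r), set(c)
            if skip_dh:
                rtypes.discard("DH")
                ctypes.discard("DH")
            if rtypes != ctypes:
                continue
            common = {t: r[t] & c[t] for t in rtypes}
            if all(common.values()):
                return common
    return None


def missing_transforms(received, configured):
    """Algorithms the peer offered that appear in no local proposal at all,
    grouped by transform type: the concrete thing to fix in the local config."""
    local: dict[str, set[str]] = {}
    for c in configured:
        for t, algs in c.items():
            local.setdefault(t, set()).update(algs)
    missing: dict[str, set[str]] = {}
    for r in received:
        for t, algs in r.items():
            if not algs & local.get(t, set()):
                missing.setdefault(t, set()).update(algs)
    return missing


def analyze(log_lines, skip_dh=False):
    """Return (selected proposal or None, missing transforms) for the last
    received/configured pair found in the given charon log lines."""
    received = configured = None
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(1) == "received":
            received = parse_proposals(m.group(2))
        elif m:
            configured = parse_proposals(m.group(2))
    if received is None or configured is None:
        return None, {}
    return select_proposal(received, configured, skip_dh), missing_transforms(received, configured)


if __name__ == "__main__":
    selected, missing = analyze(LOG_14)
    print("selected:", selected)
    print("peer transforms absent from local config:", missing)
```

Run against the 1.4 log, the selection is None and the only transform type with nothing in common is DH (ECP_256): the encryption and ESN transforms the peer asked for are present in the defaults, so the esp-group's pfs 'dh-group19' setting is what never made it into the strongSwan configuration on the 1.4 side. Replacing the configured line with ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ, which is what grp-ESP should render to, makes the same script report a match.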