@skids
Last active April 25, 2022 19:19
TS_UNACCEPT on modern CentOS
SOLVED: there was an old type=transport statement left over on the initiator. Thermi++
strongSwan road-warrior (rw) initiator to strongSwan responder
I *think* this problem is on the responder side. I've tried all sorts of little alterations and tweaks and still get a TS_UNACCEPT, which appears in the logs to be due to no selectors for the remote being present in the configuration at the point when selectors are narrowed.
15[IKE] assigning virtual IP XXX.XXX.247.193 to peer 'XXXX@XXXXXXX.XXX'
15[CFG] looking for a child config for 0.0.0.0/0 === 0.0.0.0/0
15[CFG] proposing traffic selectors for us:
15[CFG] XXX.XXX.1.0/24
15[CFG] proposing traffic selectors for other:
15[CFG] XXX.XXX.247.193/32
15[CFG] candidate "ipv4" with prio 1+1
15[CFG] found matching child config "ipv4" with prio 2
15[CFG] selecting proposal:
15[CFG] proposal matches
15[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/EXT_SEQ
15[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/EXT_SEQ
15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/EXT_SEQ
15[KNL] sending [snip]
15[KNL] received [snip]
15[KNL] got SPI c37eea2c
15[CFG] selecting traffic selectors for us:
15[CFG] config: XXX.XXX.1.0/24, received: 0.0.0.0/0 => match: XXX.XXX.1.0/24
15[CFG] selecting traffic selectors for other:
15[IKE] no acceptable traffic selectors found
15[IKE] failed to establish CHILD_SA, keeping IKE_SA
...and I take the absence of any "config:" line after "selecting traffic selectors for other:" to mean the config considers itself to be empty, despite having made a proposal with the VIP -- though maybe it means no TSi was received. [ENC] debug output proves not to be useful for figuring that out.
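Added example (not part of skids' gist or of strongSwan itself): a small Python script that does the reading of the log above mechanically. narrow_ts() is the IKEv2 narrowing step from RFC 7296 section 2.9 written as an intersection of configured and received IPv4 selectors, and reproduces the "config: ..., received: ... => match: ..." line charon prints. diagnose() scans charon [CFG]/[IKE] lines, records which selectors were proposed and which survived narrowing for each side, and names the side that ended up empty before "no acceptable traffic selectors found". The log lines embedded in it are the redacted lines from this gist with constructed RFC 5737 addresses (192.0.2.0/24, 198.51.100.193) and a placeholder peer identity substituted for the XXX masks; the tunnel/transport hint in explain() comes from the SOLVED note at the top, not from the log itself.

```python
"""Triage a strongSwan charon log for a failed CHILD_SA traffic-selector (TS) negotiation.

Added example for this gist; not skids' code and not part of strongSwan.
Log sample is constructed from the redacted gist lines (RFC 5737 addresses).
"""
import ipaddress
import re

# "15[CFG]  config: ..." -> group name and message with the leading/trailing blanks stripped
LINE_RE = re.compile(r"^\s*\d+\[(?P<grp>[A-Z]+)\]\s*(?P<msg>.*?)\s*$")
CIDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")
MATCH_RE = re.compile(r"^config: (\S+), received: (\S+) => match: (\S+)$")
BLOCK_RE = re.compile(r"^(proposing|selecting) traffic selectors for (us|other):$")

# Constructed sample: the gist's responder log with 192.0.2.0/24 as the local
# subnet and 198.51.100.193 as the virtual IP handed to the peer.
SAMPLE_LOG = """\
15[IKE] assigning virtual IP 198.51.100.193 to peer 'user@example.org'
15[CFG] looking for a child config for 0.0.0.0/0 === 0.0.0.0/0
15[CFG] proposing traffic selectors for us:
15[CFG]  192.0.2.0/24
15[CFG] proposing traffic selectors for other:
15[CFG]  198.51.100.193/32
15[CFG]   candidate "ipv4" with prio 1+1
15[CFG] found matching child config "ipv4" with prio 2
15[CFG] selecting proposal:
15[CFG]   proposal matches
15[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/EXT_SEQ
15[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/EXT_SEQ
15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/EXT_SEQ
15[KNL] got SPI c37eea2c
15[CFG] selecting traffic selectors for us:
15[CFG]  config: 192.0.2.0/24, received: 0.0.0.0/0 => match: 192.0.2.0/24
15[CFG] selecting traffic selectors for other:
15[IKE] no acceptable traffic selectors found
15[IKE] failed to establish CHILD_SA, keeping IKE_SA
""".splitlines()


def narrow_ts(config, received):
    """IKEv2 narrowing (RFC 7296, 2.9) for IPv4 CIDR selectors: keep the intersection
    of what we configured and what the peer sent. Two CIDR blocks are either nested
    or disjoint, so the intersection is the smaller block or nothing."""
    result = []
    for c in config:
        cn = ipaddress.ip_network(c, strict=False)
        for r in received:
            rn = ipaddress.ip_network(r, strict=False)
            if cn.subnet_of(rn):
                result.append(str(cn))
            elif rn.subnet_of(cn):
                result.append(str(rn))
    return result


def diagnose(lines):
    """Collect, per side, the selectors charon proposed and those that survived
    narrowing, and flag the side left empty when the TS negotiation failed."""
    proposed = {"us": [], "other": []}
    selected = {"us": [], "other": []}
    phase = side = None
    failed = False
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        grp, msg = m.group("grp"), m.group("msg")
        if grp == "IKE" and msg.startswith("no acceptable traffic selectors found"):
            failed = True
            phase = side = None
        elif grp == "CFG":
            b = BLOCK_RE.match(msg)
            if b:
                phase, side = b.group(1), b.group(2)
            elif phase == "proposing" and CIDR_RE.match(msg):
                proposed[side].append(msg)
            elif phase == "selecting" and MATCH_RE.match(msg):
                selected[side].append(MATCH_RE.match(msg).group(3))
            else:
                phase = side = None  # any other CFG line closes the block
    empty = [s for s in ("us", "other") if failed and not selected[s]]
    return {"failed": failed, "proposed": proposed, "selected": selected, "empty_sides": empty}


def explain(result):
    """One-line verdict for the responder admin."""
    if not result["failed"]:
        return "no TS failure in this log"
    parts = [
        f"no selectors selected for '{side}' although "
        f"{', '.join(result['proposed'][side]) or 'nothing'} was proposed"
        for side in result["empty_sides"]
    ]
    return ("TS_UNACCEPTABLE: " + "; ".join(parts) +
            ". Check that both peers agree on mode (tunnel vs transport) and "
            "that the config has selectors for that side.")


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
    print(narrow_ts(["192.0.2.0/24"], ["0.0.0.0/0"]))
```

Run it against a real charon log with `python3 ts_triage.py` after replacing SAMPLE_LOG with the file contents; an empty "other" side with a non-empty proposal is exactly the pattern above, where the responder did have a VIP to offer but nothing survived narrowing.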
The responder is strongSwan 5.4.0-2.el7 on CentOS 7.2.
The responder config is swanctl-based (swanctl.conf):
# conn "swan" sits inside the connections section of swanctl.conf
connections {
    swan {
        version = 2
        local_addrs = XXX.XXX.255.64
        local_port = 500
        remote_port = 500
        proposals = aes256-sha256-prfsha256-modp4096
        aggressive = no
        pull = yes
        encap = no
        mobike = no
        fragmentation = yes
        send_certreq = no
        send_cert = always
        keyingtries = 3
        pools = its
        local {
            id = vpn-strongswan.YYY.YYY
            auth = pubkey
            certs = entrust_root.crt,entrust_i1.crt,entrust_i2.crt,vpn.YYY.YYY.crt
        }
        remote {
            id = %any
            auth = eap-radius
        }
        unique = no
        reauth_time = 24h
        rekey_time = 4h
        children {
            ipv4 {
                esp_proposals = aes256-sha256-modp4096-esn
                local_ts = XXX.XXX.1.0/24
                # no remote_ts here: it defaults to dynamic, i.e. the virtual IP from the pool
                rekey_time = 1h
                mode = tunnel
                policies = yes
                dpd_action = clear
                ipcomp = no
                inactivity = 12h
                tfc_padding = 512
                replay_window = 32
            }
        }
    }
}
pools {
    its {
        addrs = XXX.XXX.247.192/26
    }
}
Initiator config (ipsec.conf style):
conn testvpn
        keyexchange=ikev2
        # left=%any
        leftid=XXXXXX@XXXXX.XXXX
        leftauth=eap-mschapv2
        # leftauth=psk
        leftsourceip=%config4
        leftsubnet=%dynamic
        esp=aes256-sha256-modp4096-esn!
        ike=aes256-sha256-prfsha256-modp4096!
        rekey=yes
        keyingtries=3
        keylife=1200s
        rekeymargin=9m
        rekeyfuzz=20%
        # left over from an earlier test; the responder child is mode = tunnel,
        # and this mismatch is what produced the TS_UNACCEPT (see SOLVED note above)
        type=transport
        right=vpn-strongswan.XXXX.XXX
        rightid=vpn-strongswan.XXXX.XXX
        rightsendcert=never
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        # rightsubnet=XXX.XXX.0.0/16,10.0.0.0/8
        auto=add
LeXwDeX commented Apr 25, 2022

It's helpful for me, thanks!
