Netgate Discussion Forum
    FIXED 2.2.1 ALIX <> APU: phase2 gets: traffic selectors inacceptable

    mircsicz wrote:

      Never stopped and restarted the connection, after that step it seems to be fine so far…

      Hi all,

      I've set up a tunnel between two sides. One side is run by an APU, the other by an older ALIX, both with 2.2.1. The tunnel comes up just fine but I can't get a packet through...

      I've got this IPsec-Firewall rule on both sides:

      Proto    Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
      IPv4 *   *       *     *            *     *        none             any <> any


      On IPSec restart the log says:

      Mar 19 11:36:37	charon: 08[IKE] failed to establish CHILD_SA, keeping IKE_SA
      Mar 19 11:36:37	charon: 08[IKE] <con1|2> failed to establish CHILD_SA, keeping IKE_SA
      Mar 19 11:36:37	charon: 08[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
      Mar 19 11:36:37	charon: 08[IKE] <con1|2> received TS_UNACCEPTABLE notify, no CHILD_SA built
      Mar 19 11:36:37	charon: 08[ENC] parsed CREATE_CHILD_SA response 153 [ N(TS_UNACCEPT) ]
      Mar 19 11:36:37	charon: 08[NET] received packet: from REMOTE-IP[4500] to LOCAL-IP[4500] (76 bytes)
      Mar 19 11:36:37	charon: 08[NET] sending packet: from LOCAL-IP[4500] to REMOTE-IP[4500] (412 bytes)
      Mar 19 11:36:37	charon: 08[ENC] generating CREATE_CHILD_SA request 153 [ N(IPCOMP_SUP) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
      Mar 19 11:36:37	charon: 08[IKE] establishing CHILD_SA con1{1}
      Mar 19 11:36:37	charon: 08[IKE] <con1|2> establishing CHILD_SA con1{1}
      Mar 19 11:36:37	charon: 10[KNL] creating acquire job for policy LOCAL-IP/32|/0 === REMOTE-IP/32|/0 with reqid {1}
      Mar 19 11:36:33	charon: 10[ENC] parsed INFORMATIONAL response 152 [ ]
      Mar 19 11:36:33	charon: 10[NET] received packet: from REMOTE-IP[4500] to LOCAL-IP[4500] (76 bytes)
      Mar 19 11:36:33	charon: 12[NET] sending packet: from LOCAL-IP[4500] to REMOTE-IP[4500] (76 bytes)
      Mar 19 11:36:33	charon: 12[ENC] generating INFORMATIONAL request 152 [ ]
      Mar 19 11:36:33	charon: 12[IKE] sending DPD request


      LOCAL Phase1 is:

      LOCAL Phase2 #1 is:

      LOCAL Phase2 #2 is:

      REMOTE Phase1 is:

      REMOTE Phase2 #1 is:

      REMOTE Phase2 #2 is:

      I hope you can help solve the issue


      mircsicz wrote:

        I just enabled logging and found this:

        Mar 19 13:52:35	charon: 14[IKE] <con1|179> traffic selectors REMOTE-IP/32|/0 10.10.21.0/24|/0 10.10.23.0/24|/0 === LOCAL-IP/32|/0 10.10.10.0/24|/0 inacceptable
        Mar 19 13:52:35	charon: 14[IKE] traffic selectors REMOTE-IP/32|/0 10.10.21.0/24|/0 10.10.23.0/24|/0 === LOCAL-IP/32|/0 10.10.10.0/24|/0 inacceptable
        Mar 19 13:52:35	charon: 14[IKE] <con1|179> failed to establish CHILD_SA, keeping IKE_SA
        Mar 19 13:52:35	charon: 14[IKE] failed to establish CHILD_SA, keeping IKE_SA


        Could someone please describe why my Phase2 entries get rejected?


        eri-- wrote:

          Because they do not match!

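The reply above is the whole diagnosis: a responder answers TS_UNACCEPTABLE when the initiator's proposed traffic selectors have no overlap with a Phase 2 it has configured. The following added example (not code from the thread or from pfSense/strongSwan) parses a charon "traffic selectors ... inacceptable" line, applies IKEv2 narrowing to see what a responder would keep, and checks whether every Phase 2 entry on one firewall is mirrored (local and remote subnet swapped) on the other. The public IPs in the sample line are constructed stand-ins for the redacted LOCAL-IP/REMOTE-IP.

```python
import ipaddress
import re

# Constructed sample in the form of the line quoted in the thread; 203.0.113.1 and
# 198.51.100.1 stand in for the redacted REMOTE-IP / LOCAL-IP.
SAMPLE_LOG = ("Mar 19 13:52:35 charon: 14[IKE] <con1|179> traffic selectors "
              "203.0.113.1/32|/0 10.10.21.0/24|/0 10.10.23.0/24|/0 === "
              "198.51.100.1/32|/0 10.10.10.0/24|/0 inacceptable")

# Two selector lists separated by '===', each entry 'net|proto/port' ('|/0' = any).
TS_LINE = re.compile(r"traffic selectors (?P<left>.+?) === (?P<right>.+?) (?:in|un)?acceptable")


def parse_ts_lists(line):
    """Return the two selector lists of a charon 'traffic selectors' line as ip_network
    objects; the protocol/port part after '|' is dropped."""
    m = TS_LINE.search(line)
    if not m:
        raise ValueError("not a charon traffic selector line")

    def to_nets(field):
        return [ipaddress.ip_network(tok.split("|")[0]) for tok in field.split()]

    return to_nets(m["left"]), to_nets(m["right"])


def narrow(proposed, configured):
    """IKEv2 narrowing as a responder applies it: keep the overlap between each proposed
    selector and a configured one. Overlapping CIDR blocks always nest, so the overlap
    is simply the smaller block. An empty result is what yields TS_UNACCEPTABLE."""
    kept = set()
    for p in proposed:
        for c in configured:
            c = ipaddress.ip_network(c) if isinstance(c, str) else c
            if p.overlaps(c):
                kept.add(p if p.subnet_of(c) else c)
    return sorted(kept)


def unmirrored_phase2(side_a, side_b):
    """Each side is a list of (local_subnet, remote_subnet) strings as entered in the
    pfSense Phase 2 pages. Return the entries of side_a that no entry of side_b mirrors,
    i.e. the Phase 2s the peer will reject when side_a proposes them."""
    net = ipaddress.ip_network
    mirrored = {(net(remote), net(local)) for local, remote in side_b}
    return [(l, r) for l, r in side_a if (net(l), net(r)) not in mirrored]
```

Feed `unmirrored_phase2` the Phase 2 lists of both firewalls; anything it returns is a subnet pair that exists on one side only and must be added (or corrected) on the other.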