FIXED 2.2.1 ALIX <> APU: phase2 gets: traffic selectors inacceptable
-
Never stopped and restarted the connection, after that step it seems to be fine so far…
Hi all,
I've set up a tunnel between two sides. One side is run by an APU, the other by an older ALIX, both with 2.2.1. The tunnel comes up just fine but I can't get a packet through...
I've got this IPsec-Firewall rule on both sides:
IPv4 * * * * * * none any <> any
On IPSec restart the log says:
Mar 19 11:36:37 charon: 08[IKE] failed to establish CHILD_SA, keeping IKE_SA
Mar 19 11:36:37 charon: 08[IKE] <con1|2> failed to establish CHILD_SA, keeping IKE_SA
Mar 19 11:36:37 charon: 08[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
Mar 19 11:36:37 charon: 08[IKE] <con1|2> received TS_UNACCEPTABLE notify, no CHILD_SA built
Mar 19 11:36:37 charon: 08[ENC] parsed CREATE_CHILD_SA response 153 [ N(TS_UNACCEPT) ]
Mar 19 11:36:37 charon: 08[NET] received packet: from REMOTE-IP[4500] to LOCAL-IP[4500] (76 bytes)
Mar 19 11:36:37 charon: 08[NET] sending packet: from LOCAL-IP[4500] to REMOTE-IP[4500] (412 bytes)
Mar 19 11:36:37 charon: 08[ENC] generating CREATE_CHILD_SA request 153 [ N(IPCOMP_SUP) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Mar 19 11:36:37 charon: 08[IKE] establishing CHILD_SA con1{1}
Mar 19 11:36:37 charon: 08[IKE] <con1|2> establishing CHILD_SA con1{1}
Mar 19 11:36:37 charon: 10[KNL] creating acquire job for policy LOCAL-IP/32|/0 === REMOTE-IP/32|/0 with reqid {1}
Mar 19 11:36:33 charon: 10[ENC] parsed INFORMATIONAL response 152 [ ]
Mar 19 11:36:33 charon: 10[NET] received packet: from REMOTE-IP[4500] to LOCAL-IP[4500] (76 bytes)
Mar 19 11:36:33 charon: 12[NET] sending packet: from LOCAL-IP[4500] to REMOTE-IP[4500] (76 bytes)
Mar 19 11:36:33 charon: 12[ENC] generating INFORMATIONAL request 152 [ ]
Mar 19 11:36:33 charon: 12[IKE] sending DPD request
LOCAL Phase1 is:
LOCAL Phase2 #1 is:
LOCAL Phase2 #2 is:
REMOTE Phase1 is:
REMOTE Phase2 #1 is:
REMOTE Phase2 #2 is:
I hope you can help solve the issue
-
I just enabled logging and found this:
Mar 19 13:52:35 charon: 14[IKE] <con1|179> traffic selectors REMOTE-IP/32|/0 10.10.21.0/24|/0 10.10.23.0/24|/0 === LOCAL-IP/32|/0 10.10.10.0/24|/0 inacceptable
Mar 19 13:52:35 charon: 14[IKE] traffic selectors REMOTE-IP/32|/0 10.10.21.0/24|/0 10.10.23.0/24|/0 === LOCAL-IP/32|/0 10.10.10.0/24|/0 inacceptable
Mar 19 13:52:35 charon: 14[IKE] <con1|179> failed to establish CHILD_SA, keeping IKE_SA
Mar 19 13:52:35 charon: 14[IKE] failed to establish CHILD_SA, keeping IKE_SA
Could someone please describe why my Phase2 entries get rejected?
-
Because they do not match!
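Added example, not from the thread and not pfSense or strongSwan code: a small Python checker that parses a charon "traffic selectors ... inacceptable" line like the one quoted above and compares the proposed networks with the Phase 2 pairs configured on the side that logged it, reporting which networks have no overlapping counterpart. The sample log line, the documentation addresses standing in for REMOTE-IP/LOCAL-IP, and the two Phase 2 lists are constructed; it is assumed that the configured pairs are written in the same left/right orientation charon prints.

```python
import ipaddress
import re

# Constructed sample, modelled on the "traffic selectors ... inacceptable" line in the
# thread; the REMOTE-IP/LOCAL-IP placeholders are replaced with documentation addresses
# so that the line parses.
SAMPLE_LOG = (
    "Mar 19 13:52:35 charon: 14[IKE] <con1|179> traffic selectors "
    "198.51.100.2/32|/0 10.10.21.0/24|/0 10.10.23.0/24|/0 === "
    "203.0.113.1/32|/0 10.10.10.0/24|/0 inacceptable"
)

# Hypothetical Phase 2 entries on the side that logged the line, written as
# (left network, right network) in the orientation charon prints (assumption).
# The right-hand subnet of the first list is deliberately wrong to reproduce the mismatch.
MISMATCHED_PHASE2 = [("10.10.21.0/24", "10.10.20.0/24")]
CORRECTED_PHASE2 = [("10.10.21.0/24", "10.10.10.0/24")]

TS_RE = re.compile(r"traffic selectors (.+?) === (.+?) (?:in|un)acceptable")


def parse_ts_line(line):
    """Return (left, right) lists of ip_network objects from a charon TS line, or None."""
    m = TS_RE.search(line)
    if not m:
        return None

    def nets(field):
        # Each token is "network|protocol/ports", e.g. "10.10.21.0/24|/0"; keep the network.
        return [ipaddress.ip_network(tok.split("|", 1)[0]) for tok in field.split()]

    return nets(m.group(1)), nets(m.group(2))


def overlaps_any(net, candidates):
    # overlaps() raises on mixed IP versions, so compare versions first
    return any(net.version == c.version and net.overlaps(c) for c in candidates)


def check_selectors(line, phase2):
    """Compare proposed selectors with configured Phase 2 pairs.

    A CHILD_SA can only be narrowed onto a configured pair if the proposal overlaps it
    on both ends, so 'acceptable' is True when at least one pair does. The 'unmatched'
    lists name proposed networks that no configured network on their side overlaps.
    """
    parsed = parse_ts_line(line)
    if parsed is None:
        raise ValueError("not a charon traffic-selector line")
    left, right = parsed
    pairs = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in phase2]
    lefts, rights = [a for a, _ in pairs], [b for _, b in pairs]
    return {
        "acceptable": any(overlaps_any(a, left) and overlaps_any(b, right) for a, b in pairs),
        "unmatched_left": [str(n) for n in left if not overlaps_any(n, lefts)],
        "unmatched_right": [str(n) for n in right if not overlaps_any(n, rights)],
    }
```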