Netgate Discussion Forum

    Tunnel issue with Pfsense on premise to aws

    IPsec
    2 Posts 2 Posters 1.7k Views
    • tbaror
      last edited by tbaror

      Hello,
      I have established a tunnel from pfSense on premise to an AWS IPsec tunnel. The tunnel is working on and off. Looking at the pfSense log I get the following messages, shown below; since I don't have much experience with IPsec (more with OpenVPN) I can't really understand what the issue is.
      Please advise.
      Thanks

      Dec 17 16:27:10 	charon 		11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
      Dec 17 16:27:10 	charon 		11[CFG] <con10000|6711> proposing traffic selectors for us:
      Dec 17 16:27:10 	charon 		11[CFG] <con10000|6711> 10.13.0.0/16|/0
      Dec 17 16:27:10 	charon 		11[CFG] <con10000|6711> proposing traffic selectors for other:
      Dec 17 16:27:10 	charon 		11[CFG] <con10000|6711> 10.109.0.0/16|/0
      Dec 17 16:27:10 	charon 		11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
      Dec 17 16:27:10 	charon 		11[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
      Dec 17 16:27:10 	charon 		11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]
      Dec 17 16:27:10 	charon 		11[NET] <con10000|6711> sending packet: from 2xx.x6.1xx.xxx[500] to 3x.2xx.x.1xx[500] (80 bytes)
      Dec 17 16:27:13 	charon 		05[NET] <con10000|6711> received packet: from 3x.2xx.x.1xx[500] to 2xx.x6.1xx.xxx[500] (548 bytes)
      Dec 17 16:27:13 	charon 		05[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 54 [ EF(1/2) ]
      Dec 17 16:27:13 	charon 		05[ENC] <con10000|6711> received fragment #1 of 2, waiting for complete IKE message
      Dec 17 16:27:13 	charon 		07[NET] <con10000|6711> received packet: from 3x.2xx.x.1xx[500] to 2xx.x6.1xx.xxx[500] (164 bytes)
      Dec 17 16:27:13 	charon 		07[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 54 [ EF(2/2) ]
      Dec 17 16:27:13 	charon 		07[ENC] <con10000|6711> received fragment #2 of 2, reassembled fragmented IKE message (640 bytes)
      Dec 17 16:27:13 	charon 		07[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 54 [ SA No KE TSi TSr ]
      Dec 17 16:27:13 	charon 		07[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
      Dec 17 16:27:13 	charon 		07[CFG] <con10000|6711> proposing traffic selectors for us:
      Dec 17 16:27:13 	charon 		07[CFG] <con10000|6711> 10.13.0.0/16|/0
      Dec 17 16:27:13 	charon 		07[CFG] <con10000|6711> proposing traffic selectors for other:
      Dec 17 16:27:13 	charon 		07[CFG] <con10000|6711> 10.109.0.0/16|/0
      Dec 17 16:27:13 	charon 		07[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
      Dec 17 16:27:13 	charon 		07[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
      Dec 17 16:27:13 	charon 		07[ENC] <con10000|6711> generating CREATE_CHILD_SA response 54 [ N(TS_UNACCEPT) ]
      Dec 17 16:27:13 	charon 		07[NET] <con10000|6711> sending packet: from 2xx.x6.1xx.xxx[500] to 3x.2xx.x.1xx[500] (80 bytes)
      Dec 17 16:27:14 	charon 		07[NET] <con1000|6513> received packet: from 3.xx.1xx.2xx[4500] to x8.xx.xx9.xx8[4500] (92 bytes)
      Dec 17 16:27:14 	charon 		07[ENC] <con1000|6513> parsed INFORMATIONAL_V1 request 1897650484 [ HASH N(DPD) ]
      Dec 17 16:27:14 	charon 		07[IKE] <con1000|6513> queueing ISAKMP_DPD task
      Dec 17 16:27:14 	charon 		07[IKE] <con1000|6513> activating new tasks
      Dec 17 16:27:14 	charon 		07[IKE] <con1000|6513> activating ISAKMP_DPD task
      Dec 17 16:27:14 	charon 		07[ENC] <con1000|6513> generating INFORMATIONAL_V1 request 618492681 [ HASH N(DPD_ACK) ]
      Dec 17 16:27:14 	charon 		07[NET] <con1000|6513> sending packet: from x8.xx.xx9.xx8[4500] to 3.88.153.250[4500] (92 bytes)
      Dec 17 16:27:14 	charon 		07[IKE] <con1000|6513> activating new tasks
      Dec 17 16:27:14 	charon 		07[IKE] <con1000|6513> nothing to initiate
      Dec 17 16:27:16 	charon 		13[NET] <con10000|6711> received packet: from 3x.2xx.x.1xx[500] to 2xx.x6.1xx.xxx[500] (548 bytes)
      Dec 17 16:27:16 	charon 		13[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 55 [ EF(1/2) ]
      Dec 17 16:27:16 	charon 		13[ENC] <con10000|6711> received fragment #1 of 2, waiting for complete IKE message
      Dec 17 16:27:16 	charon 		10[NET] <con10000|6711> received packet: from 3x.2xx.x.1xx[500] to 2xx.x6.1xx.xxx[500] (164 bytes)
      Dec 17 16:27:16 	charon 		10[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 55 [ EF(2/2) ]
      Dec 17 16:27:16 	charon 		10[ENC] <con10000|6711> received fragment #2 of 2, reassembled fragmented IKE message (640 bytes)
      Dec 17 16:27:16 	charon 		10[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 55 [ SA No KE TSi TSr ]
      Dec 17 16:27:16 	charon 		10[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
      Dec 17 16:27:16 	charon 		10[CFG] <con10000|6711> proposing traffic selectors for us:
      Dec 17 16:27:16 	charon 		10[CFG] <con10000|6711> 10.13.0.0/16|/0
      Dec 17 16:27:16 	charon 		10[CFG] <con10000|6711> proposing traffic selectors for other:
      Dec 17 16:27:16 	charon 		10[CFG] <con10000|6711> 10.109.0.0/16|/0
      Dec 17 16:27:16 	charon 		10[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
      Dec 17 16:27:16 	charon 		10[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
      Dec 17 16:27:16 	charon 		10[ENC] <con10000|6711> generating CREATE_CHILD_SA response 55 [ N(TS_UNACCEPT) ]
      Dec 17 16:27:16 	charon 		10[NET] <con10000|6711> sending packet: from 2xx.x6.1xx.xxx[500] to 3x.2xx.x.1xx[500] (80 bytes) 
      
      • jimp Rebel Alliance Developer Netgate
        last edited by

        @tbaror said in Tunnel issue with Pfsense on premise to aws:

        Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
        Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
        Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.13.0.0/16|/0
        Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
        Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.109.0.0/16|/0
        Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
        Dec 17 16:27:10 charon 11[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
        Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]

        Looks like the AWS side is set for 10.13.0.0/16 <-> 10.110.0.0/16 but your local config is set for 10.13.0.0/16 <-> 10.109.0.0/16. It doesn't match so that child SA (P2) request is rejected.


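The diagnosis in the reply above (a Phase 2 / child SA traffic-selector mismatch, signalled by `N(TS_UNACCEPT)`) can be checked mechanically rather than by eye. The following is an added example, not code from this thread, from pfSense or from strongSwan: a small Python parser that walks charon log lines, pairs each "looking for a child config for L === R" request with the selectors the local side then proposes for "us" and "other", and, whenever an "unacceptable" line follows, reports which side of the Phase 2 definition disagrees with what the peer asked for. The sample log text is constructed to mirror the format in the post, and the function names are my own.

```python
"""Spot IKEv2 traffic-selector (Phase 2) mismatches in strongSwan charon log lines."""
import ipaddress
import re

# One traffic selector as charon prints it: "10.13.0.0/16|/0" (network, then "|proto/port").
TS_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})(?:\|\S*)?")
# "<conname|ike-sa-id> message text" as found on every charon line.
CONN_RE = re.compile(r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)>\s*(?P<msg>.*)$")
LOOKING = "looking for a child config for"

# Constructed sample modelled on the thread's log format (not the poster's exact lines):
# the peer asks for 10.13.0.0/16 <-> 10.110.0.0/16, our Phase 2 offers 10.109.0.0/16 as the
# remote network, so charon answers TS_UNACCEPT. A second, unrelated IKEv1 DPD line is noise.
SAMPLE_LOG = """\
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.13.0.0/16|/0
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.109.0.0/16|/0
Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
Dec 17 16:27:10 charon 11[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]
Dec 17 16:27:14 charon 07[IKE] <con1000|6513> activating ISAKMP_DPD task
"""


def _networks(text):
    """Extract every selector network from a fragment of a charon line."""
    return [ipaddress.ip_network(m.group(1), strict=False) for m in TS_RE.finditer(text)]


def _covered(requested, proposed):
    """True if at least one selector we propose fully contains the network the peer requested."""
    return any(requested.subnet_of(net) for net in proposed)


def find_ts_mismatches(log_text):
    """Return one finding per 'unacceptable' event: which side (local/remote) disagrees and how."""
    states = {}      # per connection name: what the peer requested and what we offered
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, msg = m.group("conn"), m.group("msg").strip()
        st = states.setdefault(conn, {"requested": None, "us": [], "other": [], "section": None})

        if msg.startswith(LOOKING):
            # Peer's request, printed from our point of view: local === remote.
            left, _, right = msg[len(LOOKING):].partition("===")
            st.update(requested=(_networks(left), _networks(right)), us=[], other=[], section=None)
        elif msg.startswith("proposing traffic selectors for us:"):
            st["section"] = "us"
        elif msg.startswith("proposing traffic selectors for other:"):
            st["section"] = "other"
        elif st["section"] and msg[:1].isdigit():
            # A bare selector line belongs to whichever "proposing ..." header came last.
            st[st["section"]].extend(_networks(msg))
        elif msg.startswith("traffic selectors") and msg.endswith("unacceptable"):
            req_local, req_remote = st["requested"] or ([], [])
            mismatches = []
            for side, wanted, have in (("local", req_local, st["us"]),
                                       ("remote", req_remote, st["other"])):
                missing = [str(n) for n in wanted if not _covered(n, have)]
                if missing:
                    mismatches.append({"side": side,
                                       "peer_requested": missing,
                                       "we_offer": [str(n) for n in have]})
            findings.append({"conn": conn, "ike_sa": m.group("ike"), "mismatches": mismatches})
            st["section"] = None
    return findings


def describe(findings):
    """Render findings as one-line hints pointing at the Phase 2 field to compare."""
    lines = []
    for f in findings:
        for mm in f["mismatches"]:
            lines.append(f"{f['conn']} (IKE_SA {f['ike_sa']}): peer requested {mm['side']} network "
                         f"{', '.join(mm['peer_requested'])} but this side offers "
                         f"{', '.join(mm['we_offer']) or 'nothing'}; compare the Phase 2 "
                         f"{mm['side']} network on both ends")
    return lines


if __name__ == "__main__":
    for hint in describe(find_ts_mismatches(SAMPLE_LOG)):
        print(hint)
```

Run against the real log (for example `find_ts_mismatches(open("/var/log/ipsec.log").read())`) to get a short list of which side's Phase 2 network needs to change; the check tolerates a wider local selector that contains the requested one, since charon narrows selectors rather than rejecting in that case.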
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.