Intermittent Disconnects of IPSEC Tunnel



  • Hi,

    We have a strange occurrence where our IPSec tunnel disconnects at odd intervals with the following errors:

    Dec 16 09:56:49 charon 05[NET] <con1|159> sending packet: from LocalPublicIP[500] to RemotePublicIP[500] (68 bytes)
    Dec 16 09:56:49 charon 05[ENC] <con1|159> generating CREATE_CHILD_SA response 62 [ N(TS_UNACCEPT) ]
    Dec 16 09:56:49 charon 05[IKE] <con1|159> failed to establish CHILD_SA, keeping IKE_SA
    Dec 16 09:56:49 charon 05[IKE] <con1|159> traffic selectors 10.0.64.1/32|/0[icmp/0] 10.0.64.1/32|/0 === 172.25.48.36/32|/0[icmp/0] 172.25.48.36/32|/0 inacceptable
    Dec 16 09:56:49 charon 05[IKE] <con1|159> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Dec 16 09:56:49 charon 05[ENC] <con1|159> parsed CREATE_CHILD_SA request 62 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Dec 16 09:56:49 charon 05[NET] <con1|159> received packet: from RemotePublicIP[500] to 197.189.240.201[500] (220 bytes)
    Dec 16 09:56:48 charon 11[NET] <con1|159> sending packet: from LocalPublicIP[500] to 41.223.117.209[500] (68 bytes)
    Dec 16 09:56:48 charon 11[ENC] <con1|159> generating CREATE_CHILD_SA response 61 [ N(TS_UNACCEPT) ]
    Dec 16 09:56:48 charon 11[IKE] <con1|159> failed to establish CHILD_SA, keeping IKE_SA

    This just repeats and repeats. To resolve it we stop and restart IPsec and it works fine thereafter for a random interval. The strange thing is there is another IPsec connection to a different provider which doesn't drop.

    We are connecting to a Huawei firewall from pfSense 2.3.2.

    Any ideas why this happens? Apologies if this is a stupid question :)

    Thanks
    Ian



  • @IanBZa:

    traffic selectors 10.0.64.1/32|/0[icmp/0] 10.0.64.1/32|/0 === 172.25.48.36/32|/0[icmp/0] 172.25.48.36/32|/0 inacceptable

    To me the above looks like your error.  If those IP addresses are the internal IPs of your firewall then that could be an attempt by the other end to form an additional phase 2.  Anyway in the absence of anything concrete, double check your phase 2 settings at both ends especially network addresses and subnet masks.
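    One way to act on this advice is to pull the traffic selectors out of the charon log lines and compare them with the phase 2 networks you believe are configured. This is an added example, not code from the thread or from pfSense/strongSwan; the phase 2 subnets are hypothetical, the log line is reconstructed from the post, and it assumes charon prints the local side left of `===` and the peer's side on the right.

```python
import ipaddress
import re

# Constructed sample lines in the charon (strongSwan) format quoted in the thread.
SAMPLE_LOG = [
    "Dec 16 09:56:49 charon 05[IKE] <con1|159> traffic selectors "
    "10.0.64.1/32|/0[icmp/0] 10.0.64.1/32|/0 === "
    "172.25.48.36/32|/0[icmp/0] 172.25.48.36/32|/0 inacceptable",
    "Dec 16 09:56:49 charon 05[IKE] <con1|159> failed to establish CHILD_SA, keeping IKE_SA",
]

# Hypothetical phase 2 networks on the local side (assumption, not from the thread).
# The remote network is chosen so that it does NOT cover 172.25.48.36, to show a mismatch.
PHASE2_LOCAL = ["10.0.64.0/24"]
PHASE2_REMOTE = ["172.25.49.0/24"]

# Older charon builds log "inacceptable", newer ones "unacceptable"; accept both.
TS_LINE = re.compile(r"traffic selectors (?P<ts>.+?) (?:inacceptable|unacceptable)")
# Each selector looks like "10.0.64.1/32|/0[icmp/0]"; keep only the address/prefix part.
TS_ENTRY = re.compile(r"(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\|")


def parse_ts_line(line):
    """Return (local_prefixes, remote_prefixes) for a TS-unacceptable line, else None."""
    m = TS_LINE.search(line)
    if not m:
        return None
    local_part, _, remote_part = m.group("ts").partition(" === ")
    local = sorted({ipaddress.ip_network(p, strict=False) for p in TS_ENTRY.findall(local_part)})
    remote = sorted({ipaddress.ip_network(p, strict=False) for p in TS_ENTRY.findall(remote_part)})
    return local, remote


def covered(prefix, configured):
    """True if the proposed prefix lies inside one of the configured phase 2 networks."""
    return any(prefix.subnet_of(ipaddress.ip_network(c)) for c in configured)


def check_log(lines, local_cfg, remote_cfg):
    """For every TS-unacceptable line return (local_ts, remote_ts, local_ok, remote_ok)."""
    findings = []
    for line in lines:
        parsed = parse_ts_line(line)
        if parsed is None:
            continue
        local, remote = parsed
        findings.append((
            [str(p) for p in local], [str(p) for p in remote],
            all(covered(p, local_cfg) for p in local),
            all(covered(p, remote_cfg) for p in remote),
        ))
    return findings
```

A `False` in the last two fields of a finding points at the side whose phase 2 network does not cover what the peer proposed; that is the setting to compare with the other end.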



  • Thanks Jon - I'll get them to confirm from their end and see if I can spot any misconfigurations.

    As a side note, it hasn't dropped since I posted this message, but there have been no configuration changes - so very strange :)