Tunnel issue with Pfsense on premise to aws



  • Hello,
    I have established a tunnel from pfSense on premise to an AWS IPsec tunnel. The tunnel is working on and off. Looking at the pfSense log I get the following messages, shown below. Since I don't have much experience with IPsec (more with OpenVPN) I can't really understand what the issue is.
    Please advise.
    Thanks

    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.13.0.0/16|/0
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.109.0.0/16|/0
    Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
    Dec 17 16:27:10 charon 11[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
    Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]
    Dec 17 16:27:10 charon 11[NET] <con10000|6711> sending packet: from 2xx.x6.1xx.xxx[500] to 3x.2xx.x.1xx[500] (80 bytes)
    Dec 17 16:27:13 charon 05[NET] <con10000|6711> received packet: from 3x.2xx.x.1xx[500] to 2xx.x6.1xx.xxx[500] (548 bytes)
    Dec 17 16:27:13 charon 05[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 54 [ EF(1/2) ]
    Dec 17 16:27:13 charon 05[ENC] <con10000|6711> received fragment #1 of 2, waiting for complete IKE message
    Dec 17 16:27:13 charon 07[NET] <con10000|6711> received packet: from 3x.2xx.x.1xx[500] to 2xx.x6.1xx.xxx[500] (164 bytes)
    Dec 17 16:27:13 charon 07[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 54 [ EF(2/2) ]
    Dec 17 16:27:13 charon 07[ENC] <con10000|6711> received fragment #2 of 2, reassembled fragmented IKE message (640 bytes)
    Dec 17 16:27:13 charon 07[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 54 [ SA No KE TSi TSr ]
    Dec 17 16:27:13 charon 07[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
    Dec 17 16:27:13 charon 07[CFG] <con10000|6711> proposing traffic selectors for us:
    Dec 17 16:27:13 charon 07[CFG] <con10000|6711> 10.13.0.0/16|/0
    Dec 17 16:27:13 charon 07[CFG] <con10000|6711> proposing traffic selectors for other:
    Dec 17 16:27:13 charon 07[CFG] <con10000|6711> 10.109.0.0/16|/0
    Dec 17 16:27:13 charon 07[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
    Dec 17 16:27:13 charon 07[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
    Dec 17 16:27:13 charon 07[ENC] <con10000|6711> generating CREATE_CHILD_SA response 54 [ N(TS_UNACCEPT) ]
    Dec 17 16:27:13 charon 07[NET] <con10000|6711> sending packet: from 2xx.x6.1xx.xxx[500] to 3x.2xx.x.1xx[500] (80 bytes)
    Dec 17 16:27:14 charon 07[NET] <con1000|6513> received packet: from 3.xx.1xx.2xx[4500] to x8.xx.xx9.xx8[4500] (92 bytes)
    Dec 17 16:27:14 charon 07[ENC] <con1000|6513> parsed INFORMATIONAL_V1 request 1897650484 [ HASH N(DPD) ]
    Dec 17 16:27:14 charon 07[IKE] <con1000|6513> queueing ISAKMP_DPD task
    Dec 17 16:27:14 charon 07[IKE] <con1000|6513> activating new tasks
    Dec 17 16:27:14 charon 07[IKE] <con1000|6513> activating ISAKMP_DPD task
    Dec 17 16:27:14 charon 07[ENC] <con1000|6513> generating INFORMATIONAL_V1 request 618492681 [ HASH N(DPD_ACK) ]
    Dec 17 16:27:14 charon 07[NET] <con1000|6513> sending packet: from x8.xx.xx9.xx8[4500] to 3.88.153.250[4500] (92 bytes)
    Dec 17 16:27:14 charon 07[IKE] <con1000|6513> activating new tasks
    Dec 17 16:27:14 charon 07[IKE] <con1000|6513> nothing to initiate
    Dec 17 16:27:16 charon 13[NET] <con10000|6711> received packet: from 3x.2xx.x.1xx[500] to 2xx.x6.1xx.xxx[500] (548 bytes)
    Dec 17 16:27:16 charon 13[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 55 [ EF(1/2) ]
    Dec 17 16:27:16 charon 13[ENC] <con10000|6711> received fragment #1 of 2, waiting for complete IKE message
    Dec 17 16:27:16 charon 10[NET] <con10000|6711> received packet: from 3x.2xx.x.1xx[500] to 2xx.x6.1xx.xxx[500] (164 bytes)
    Dec 17 16:27:16 charon 10[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 55 [ EF(2/2) ]
    Dec 17 16:27:16 charon 10[ENC] <con10000|6711> received fragment #2 of 2, reassembled fragmented IKE message (640 bytes)
    Dec 17 16:27:16 charon 10[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 55 [ SA No KE TSi TSr ]
    Dec 17 16:27:16 charon 10[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
    Dec 17 16:27:16 charon 10[CFG] <con10000|6711> proposing traffic selectors for us:
    Dec 17 16:27:16 charon 10[CFG] <con10000|6711> 10.13.0.0/16|/0
    Dec 17 16:27:16 charon 10[CFG] <con10000|6711> proposing traffic selectors for other:
    Dec 17 16:27:16 charon 10[CFG] <con10000|6711> 10.109.0.0/16|/0
    Dec 17 16:27:16 charon 10[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
    Dec 17 16:27:16 charon 10[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
    Dec 17 16:27:16 charon 10[ENC] <con10000|6711> generating CREATE_CHILD_SA response 55 [ N(TS_UNACCEPT) ]
    Dec 17 16:27:16 charon 10[NET] <con10000|6711> sending packet: from 2xx.x6.1xx.xxx[500] to 3x.2xx.x.1xx[500] (80 bytes)

  • Rebel Alliance Developer Netgate

    @tbaror said in Tunnel issue with Pfsense on premise to aws:

    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.13.0.0/16|/0
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.109.0.0/16|/0
    Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
    Dec 17 16:27:10 charon 11[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
    Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]

    Looks like the AWS side is set for 10.13.0.0/16 <-> 10.110.0.0/16 but your local config is set for 10.13.0.0/16 <-> 10.109.0.0/16. It doesn't match so that child SA (P2) request is rejected.
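    A small checker for this failure pattern, added here as an example and not code from the thread or from pfSense: it parses charon lines like the ones quoted, pairs the selectors the peer asked for ("looking for a child config for A === B") with the ones the local Phase 2 proposes ("for us" / "for other"), and names the side that does not line up. It goes one step past the exact comparison in the reply by assuming that a configured subnet which merely overlaps the requested one would have been accepted (IKEv2 narrowing); the sample log is constructed from the lines above.

```python
import ipaddress
import re
# Constructed sample: the failing exchange quoted above, addresses as the poster masked them
SAMPLE_LOG = """\
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.13.0.0/16|/0
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.109.0.0/16|/0
Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
"""
CONN = r"<(?P<conn>[^|>]+)\|\d+> "
RE_REQUEST = re.compile(CONN + r"looking for a child config for (?P<local>\S+) === (?P<remote>\S+)")
RE_SIDE = re.compile(CONN + r"proposing traffic selectors for (?P<side>us|other):")
RE_TS = re.compile(CONN + r"(?P<ts>[0-9a-fA-F.:]+/\d+)\|/\d+\s*$")  # "net|/port" as charon prints it
RE_REJECT = re.compile(CONN + r"traffic selectors .* unacceptable")

def net(ts):
    """Drop the '|/port' suffix charon appends and parse the subnet."""
    return ipaddress.ip_network(ts.split("|")[0], strict=False)

def parse(log_text):
    """Per connection: what the peer asked for ('requested') vs. what we offer ('us'/'other')."""
    state, side = {}, None
    for line in log_text.splitlines():
        if m := RE_REQUEST.search(line):
            state[m["conn"]] = {"requested": (net(m["local"]), net(m["remote"])),
                                "us": [], "other": [], "rejected": False}
        elif m := RE_SIDE.search(line):
            side = m["side"]
        elif (m := RE_TS.search(line)) and side and m["conn"] in state:
            state[m["conn"]][side].append(net(m["ts"]))
        elif (m := RE_REJECT.search(line)) and m["conn"] in state:
            state[m["conn"]]["rejected"], side = True, None
    return state

def mismatches(conn):
    """Name each side whose requested subnet overlaps none of our configured selectors."""
    req_local, req_remote = conn["requested"]
    out = []
    if not any(req_local.overlaps(n) for n in conn["us"]):
        out.append(f"local: peer wants {req_local}, we offer {[str(n) for n in conn['us']]}")
    if not any(req_remote.overlaps(n) for n in conn["other"]):
        out.append(f"remote: peer wants {req_remote}, we have {[str(n) for n in conn['other']]}")
    return out

if __name__ == "__main__":
    for name, conn in parse(SAMPLE_LOG).items():
        print(name, "rejected" if conn["rejected"] else "ok", mismatches(conn))
```

    On the sample it reports only the remote side (10.110.0.0/16 requested, 10.109.0.0/16 configured), which is exactly the Phase 2 mismatch described above.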

