Tunnel issue with Pfsense on premise to aws
-
Hello,
I have established an IPsec tunnel from pfSense on premise to AWS, and the tunnel is working on and off. Looking at the pfSense log I get the message shown below. Since I don't have much experience with IPsec (more with OpenVPN) I can't really understand what the issue is.
Please advise.
Thanks

Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.13.0.0/16|/0
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.109.0.0/16|/0
Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
Dec 17 16:27:10 charon 11[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]
Dec 17 16:27:10 charon 11[NET] <con10000|6711> sending packet: from 2xx.x6.1xx.xxx[500] to 3x.2xx.x.1xx[500] (80 bytes)
Dec 17 16:27:13 charon 05[NET] <con10000|6711> received packet: from 3x.2xx.x.1xx[500] to 2xx.x6.1xx.xxx[500] (548 bytes)
Dec 17 16:27:13 charon 05[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 54 [ EF(1/2) ]
Dec 17 16:27:13 charon 05[ENC] <con10000|6711> received fragment #1 of 2, waiting for complete IKE message
Dec 17 16:27:13 charon 07[NET] <con10000|6711> received packet: from 3x.2xx.x.1xx[500] to 2xx.x6.1xx.xxx[500] (164 bytes)
Dec 17 16:27:13 charon 07[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 54 [ EF(2/2) ]
Dec 17 16:27:13 charon 07[ENC] <con10000|6711> received fragment #2 of 2, reassembled fragmented IKE message (640 bytes)
Dec 17 16:27:13 charon 07[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 54 [ SA No KE TSi TSr ]
Dec 17 16:27:13 charon 07[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
Dec 17 16:27:13 charon 07[CFG] <con10000|6711> proposing traffic selectors for us:
Dec 17 16:27:13 charon 07[CFG] <con10000|6711> 10.13.0.0/16|/0
Dec 17 16:27:13 charon 07[CFG] <con10000|6711> proposing traffic selectors for other:
Dec 17 16:27:13 charon 07[CFG] <con10000|6711> 10.109.0.0/16|/0
Dec 17 16:27:13 charon 07[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
Dec 17 16:27:13 charon 07[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
Dec 17 16:27:13 charon 07[ENC] <con10000|6711> generating CREATE_CHILD_SA response 54 [ N(TS_UNACCEPT) ]
Dec 17 16:27:13 charon 07[NET] <con10000|6711> sending packet: from 2xx.x6.1xx.xxx[500] to 3x.2xx.x.1xx[500] (80 bytes)
Dec 17 16:27:14 charon 07[NET] <con1000|6513> received packet: from 3.xx.1xx.2xx[4500] to x8.xx.xx9.xx8[4500] (92 bytes)
Dec 17 16:27:14 charon 07[ENC] <con1000|6513> parsed INFORMATIONAL_V1 request 1897650484 [ HASH N(DPD) ]
Dec 17 16:27:14 charon 07[IKE] <con1000|6513> queueing ISAKMP_DPD task
Dec 17 16:27:14 charon 07[IKE] <con1000|6513> activating new tasks
Dec 17 16:27:14 charon 07[IKE] <con1000|6513> activating ISAKMP_DPD task
Dec 17 16:27:14 charon 07[ENC] <con1000|6513> generating INFORMATIONAL_V1 request 618492681 [ HASH N(DPD_ACK) ]
Dec 17 16:27:14 charon 07[NET] <con1000|6513> sending packet: from x8.xx.xx9.xx8[4500] to 3.88.153.250[4500] (92 bytes)
Dec 17 16:27:14 charon 07[IKE] <con1000|6513> activating new tasks
Dec 17 16:27:14 charon 07[IKE] <con1000|6513> nothing to initiate
Dec 17 16:27:16 charon 13[NET] <con10000|6711> received packet: from 3x.2xx.x.1xx[500] to 2xx.x6.1xx.xxx[500] (548 bytes)
Dec 17 16:27:16 charon 13[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 55 [ EF(1/2) ]
Dec 17 16:27:16 charon 13[ENC] <con10000|6711> received fragment #1 of 2, waiting for complete IKE message
Dec 17 16:27:16 charon 10[NET] <con10000|6711> received packet: from 3x.2xx.x.1xx[500] to 2xx.x6.1xx.xxx[500] (164 bytes)
Dec 17 16:27:16 charon 10[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 55 [ EF(2/2) ]
Dec 17 16:27:16 charon 10[ENC] <con10000|6711> received fragment #2 of 2, reassembled fragmented IKE message (640 bytes)
Dec 17 16:27:16 charon 10[ENC] <con10000|6711> parsed CREATE_CHILD_SA request 55 [ SA No KE TSi TSr ]
Dec 17 16:27:16 charon 10[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
Dec 17 16:27:16 charon 10[CFG] <con10000|6711> proposing traffic selectors for us:
Dec 17 16:27:16 charon 10[CFG] <con10000|6711> 10.13.0.0/16|/0
Dec 17 16:27:16 charon 10[CFG] <con10000|6711> proposing traffic selectors for other:
Dec 17 16:27:16 charon 10[CFG] <con10000|6711> 10.109.0.0/16|/0
Dec 17 16:27:16 charon 10[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
Dec 17 16:27:16 charon 10[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
Dec 17 16:27:16 charon 10[ENC] <con10000|6711> generating CREATE_CHILD_SA response 55 [ N(TS_UNACCEPT) ]
Dec 17 16:27:16 charon 10[NET] <con10000|6711> sending packet: from 2xx.x6.1xx.xxx[500] to 3x.2xx.x.1xx[500] (80 bytes)
-
@tbaror said in Tunnel issue with Pfsense on premise to aws:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.13.0.0/16|/0
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.109.0.0/16|/0
Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
Dec 17 16:27:10 charon 11[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]

Looks like the AWS side is set for 10.13.0.0/16 <-> 10.110.0.0/16 but your local config is set for 10.13.0.0/16 <-> 10.109.0.0/16. It doesn't match so that child SA (P2) request is rejected.
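As an added illustration of the check the reply above performs by eye (this is not code from either poster, nor from pfSense or strongSwan), the following Python parses charon lines of the kind quoted in the thread, pairs the selectors the peer proposed against the phase 2 networks the local side offers, and flags the side with no usable overlap. Both log samples are constructed for the example, patterned on the thread; the regexes assume pfSense's default charon log format, and `analyze`, `report` and `ChildSaAttempt` are names chosen here.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in the shape pfSense writes strongSwan "charon" lines
# (IKEv2 CREATE_CHILD_SA handled as responder). Addresses are illustrative.
SAMPLE_LOG = """\
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711>  10.13.0.0/16|/0
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711>  10.109.0.0/16|/0
Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
Dec 17 16:27:10 charon 11[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]
Dec 17 16:27:14 charon 07[ENC] <con1000|6513> parsed INFORMATIONAL_V1 request 1897650484 [ HASH N(DPD) ]
"""

# Constructed healthy case: the peer asks for a /24 inside our configured /16,
# which the responder can narrow to, so nothing is rejected.
MATCHING_LOG = """\
Dec 17 16:30:02 charon 05[CFG] <con10000|6712> looking for a child config for 10.13.0.0/16|/0 === 10.110.5.0/24|/0
Dec 17 16:30:02 charon 05[CFG] <con10000|6712> proposing traffic selectors for us:
Dec 17 16:30:02 charon 05[CFG] <con10000|6712>  10.13.0.0/16|/0
Dec 17 16:30:02 charon 05[CFG] <con10000|6712> proposing traffic selectors for other:
Dec 17 16:30:02 charon 05[CFG] <con10000|6712>  10.110.0.0/16|/0
"""

# A selector is logged as "subnet|/protocol"; only the subnet matters here.
_TS = r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\|/\d+"
LINE_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d charon \d+\[[A-Z]+\] "
                     r"<(?P<sa>[^>]+)> (?P<msg>.*)$")
LOOKING_RE = re.compile(r"looking for a child config for " + _TS + " === " + _TS)
SELECTOR_RE = re.compile(r"^\s*" + _TS + r"\s*$")


@dataclass
class ChildSaAttempt:
    ike_sa: str
    requested_local: str                     # our side as the peer proposed it (its TSr)
    requested_remote: str                    # the peer's own side (its TSi)
    configured_local: List[str] = field(default_factory=list)
    configured_remote: List[str] = field(default_factory=list)
    rejected: bool = False                   # saw "unacceptable" / TS_UNACCEPT

    def mismatches(self) -> List[Tuple[str, str, List[str]]]:
        """(side, requested, configured) for each side with no usable overlap.
        IKEv2 lets the responder narrow a proposal, so overlap rather than
        equality is the test: an empty intersection is what yields TS_UNACCEPT."""
        out = []
        for side, req, conf in (("local", self.requested_local, self.configured_local),
                                ("remote", self.requested_remote, self.configured_remote)):
            net = ipaddress.ip_network(req, strict=False)
            if not any(net.overlaps(ipaddress.ip_network(c, strict=False)) for c in conf):
                out.append((side, req, conf))
        return out


def analyze(log_text: str) -> List[ChildSaAttempt]:
    """Group charon lines into CHILD_SA negotiation attempts, one per
    'looking for a child config' line, keyed by the IKE_SA id in <...>."""
    attempts: List[ChildSaAttempt] = []
    current, target = None, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                  # not a charon line
        sa, msg = m.group("sa"), m.group("msg")
        lk = LOOKING_RE.search(msg)
        if lk:
            current = ChildSaAttempt(sa, lk.group(1), lk.group(2))
            attempts.append(current)
            target = None
        elif current is None or sa != current.ike_sa:
            continue                                  # other IKE_SA, e.g. IKEv1 DPD chatter
        elif msg.startswith("proposing traffic selectors for us"):
            target = current.configured_local
        elif msg.startswith("proposing traffic selectors for other"):
            target = current.configured_remote
        elif target is not None and SELECTOR_RE.match(msg):
            target.append(SELECTOR_RE.match(msg).group(1))
        elif "unacceptable" in msg or "TS_UNACCEPT" in msg:
            current.rejected, target = True, None
    return attempts


def report(attempts: List[ChildSaAttempt]) -> List[str]:
    """One human-readable finding per mismatched side, suitable for an alert."""
    findings = []
    for a in attempts:
        for side, req, conf in a.mismatches():
            findings.append(f"{a.ike_sa}: peer requested {side} selector {req}, "
                            f"local phase 2 only covers {', '.join(conf) or 'nothing'}")
    return findings
```

Run against `SAMPLE_LOG`, `report` yields a single finding naming the remote side (10.110.0.0/16 requested, 10.109.0.0/16 configured), which is exactly the disagreement the reply points out; the IKEv1 DPD line for the other IKE_SA is ignored because it belongs to a different `<con…>` id. The overlap test rather than string equality matters in practice: a peer proposing a subnet narrower than the local phase 2 network is accepted by narrowing, so only a genuinely disjoint pair should be reported.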