IPsec IKEv2 with two P2 - traffic selectors unacceptable



  • Hello!

    I have two pfSense boxes and am trying to connect them via IPsec with both IPv4 and IPv6.
    I set up an IKEv2 P1 on both sides and two P2s on both sides, one for IPv4 and one for IPv6. The IPv4 tunnel works great, but IPv6 won't establish a connection.
    The log shows that the traffic selectors are unacceptable, but I don't see the problem. Maybe someone can help me with that?

    Here are some short log outputs:

    Site A (192.168.0.0/24 & fd00::/112)

    Jan 4 17:19:08	charon		12[CFG] <con1000|4841> proposing traffic selectors for us:
    Jan 4 17:19:08	charon		12[CFG] <con1000|4841> 192.168.0.0/24|/0
    Jan 4 17:19:08	charon		12[CFG] <con1000|4841> fd00::/112|/0
    Jan 4 17:19:08	charon		12[CFG] <con1000|4841> proposing traffic selectors for other:
    Jan 4 17:19:08	charon		12[CFG] <con1000|4841> 192.168.1.0/24|/0
    Jan 4 17:19:08	charon		12[CFG] <con1000|4841> fd00::1:0/112|/0
    Jan 4 17:19:31	charon		15[CFG] <con1000|4841> looking for a child config for 192.168.0.0/24|/0 fd00::/112|/0 === 192.168.1.0/24|/0 fd00::1:0/112|/0
    Jan 4 17:19:31	charon		15[IKE] <con1000|4841> traffic selectors 192.168.0.0/24|/0 fd00::/112|/0 === 192.168.1.0/24|/0 fd00::1:0/112|/0 unacceptable
    

    Site B (192.168.1.0/24 & fd00::1:0/112)

    Jan 4 17:20:25	charon		10[CFG] <con1000|29220> proposing traffic selectors for us:
    Jan 4 17:20:25	charon		10[CFG] <con1000|29220> 192.168.1.0/24|/0
    Jan 4 17:20:25	charon		10[CFG] <con1000|29220> fd00::1:0/112|/0
    Jan 4 17:20:25	charon		10[CFG] <con1000|29220> proposing traffic selectors for other:
    Jan 4 17:20:25	charon		10[CFG] <con1000|29220> 192.168.0.0/24|/0
    Jan 4 17:20:25	charon		10[CFG] <con1000|29220> fd00::/112|/0
    

    Thanks!

    Kind regards
    Malte
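A quick way to check the selectors both peers log before digging into the generated config: the script below (an added example for this thread, not pfSense or strongSwan code) parses the charon lines posted above, confirms that each site's "us" selectors are the mirror of the other site's "other" selectors, and reports how many address families charon packed into a single child SA proposal. It assumes charon's "subnet|/port" selector format with port 0 meaning any port; the log text is the post's, with tabs replaced by spaces.

```python
# Compare the IKEv2 traffic selectors two strongSwan (charon) peers log for a
# child SA. Added example for this thread; not pfSense or strongSwan code.
import ipaddress
import re

# Log lines from the post (Site A and Site B), tabs replaced by spaces.
SITE_A_LOG = """\
Jan 4 17:19:08 charon 12[CFG] <con1000|4841> proposing traffic selectors for us:
Jan 4 17:19:08 charon 12[CFG] <con1000|4841> 192.168.0.0/24|/0
Jan 4 17:19:08 charon 12[CFG] <con1000|4841> fd00::/112|/0
Jan 4 17:19:08 charon 12[CFG] <con1000|4841> proposing traffic selectors for other:
Jan 4 17:19:08 charon 12[CFG] <con1000|4841> 192.168.1.0/24|/0
Jan 4 17:19:08 charon 12[CFG] <con1000|4841> fd00::1:0/112|/0
Jan 4 17:19:31 charon 15[CFG] <con1000|4841> looking for a child config for 192.168.0.0/24|/0 fd00::/112|/0 === 192.168.1.0/24|/0 fd00::1:0/112|/0
Jan 4 17:19:31 charon 15[IKE] <con1000|4841> traffic selectors 192.168.0.0/24|/0 fd00::/112|/0 === 192.168.1.0/24|/0 fd00::1:0/112|/0 unacceptable
"""

SITE_B_LOG = """\
Jan 4 17:20:25 charon 10[CFG] <con1000|29220> proposing traffic selectors for us:
Jan 4 17:20:25 charon 10[CFG] <con1000|29220> 192.168.1.0/24|/0
Jan 4 17:20:25 charon 10[CFG] <con1000|29220> fd00::1:0/112|/0
Jan 4 17:20:25 charon 10[CFG] <con1000|29220> proposing traffic selectors for other:
Jan 4 17:20:25 charon 10[CFG] <con1000|29220> 192.168.0.0/24|/0
Jan 4 17:20:25 charon 10[CFG] <con1000|29220> fd00::/112|/0
"""

MSG_RE = re.compile(r'<[^>]+>\s+(.*)$')                # text after "<con1000|4841>"
TS_RE = re.compile(r'^(\S+)\|/(\d+)$')                 # charon's "subnet|/port" selector
UNACCEPT_RE = re.compile(r'^traffic selectors (.+) === (.+) unacceptable$')


def parse_ts(token):
    """'192.168.0.0/24|/0' -> (ip_network, port); port 0 means any port."""
    m = TS_RE.match(token)
    if not m:
        raise ValueError(f"not a traffic selector: {token!r}")
    return ipaddress.ip_network(m.group(1), strict=False), int(m.group(2))


def parse_charon_log(text):
    """Collect the selectors charon proposed for 'us' and 'other', plus any
    (local, remote) selector sets it rejected as unacceptable."""
    result = {'us': [], 'other': [], 'rejected': []}
    side = None
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg == 'proposing traffic selectors for us:':
            side = 'us'
        elif msg == 'proposing traffic selectors for other:':
            side = 'other'
        elif (u := UNACCEPT_RE.match(msg)):
            local = [parse_ts(t) for t in u.group(1).split()]
            remote = [parse_ts(t) for t in u.group(2).split()]
            result['rejected'].append((local, remote))
            side = None
        elif side and TS_RE.match(msg):
            result[side].append(parse_ts(msg))     # selector line under a "proposing" header
        else:
            side = None                            # any other message ends the list
    return result


def mirror_mismatches(a, b):
    """Selectors one side proposes for itself that the other side does not
    propose for its peer. Both lists should be empty for a matching pair."""
    a_us, a_other = set(a['us']), set(a['other'])
    b_us, b_other = set(b['us']), set(b['other'])
    return {
        'a_local_not_in_b_remote': sorted(a_us - b_other, key=str),
        'b_local_not_in_a_remote': sorted(b_us - a_other, key=str),
    }


def families_per_child(ts_list):
    """IP versions carried in one child SA proposal; a two-P2 setup with one
    P2 per family would show a single version here."""
    return sorted({net.version for net, _ in ts_list})


def check(a_log, b_log):
    a, b = parse_charon_log(a_log), parse_charon_log(b_log)
    return {
        'mirror_mismatches': mirror_mismatches(a, b),
        'families_in_one_child': {'A': families_per_child(a['us']),
                                  'B': families_per_child(b['us'])},
        'rejected_by_A': len(a['rejected']),
        'rejected_by_B': len(b['rejected']),
    }


if __name__ == '__main__':
    for key, value in check(SITE_A_LOG, SITE_B_LOG).items():
        print(f"{key}: {value}")
```

On the posted logs the mirror check comes back clean (no transposed or mistyped subnets), while both sides carry the IPv4 and the IPv6 selector in the same child SA proposal; that is the detail to hold against the conn entries in /var/etc/ipsec/ipsec.conf and the `ipsec statusall` output that the reply asks for. Swapping one subnet in either log (for example fd00::2:0/112 on Site B's "other" list) makes the mismatch show up in `a_local_not_in_b_remote`.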


  • Rebel Alliance Developer Netgate

    What do the lines for the network(s) look like in /var/etc/ipsec/ipsec.conf on both sides?

    What does ipsec statusall show on both sides?

    This is probably one of many things fixed by the IPsec swanctl conversion on 2.5.0, but you may not want to make that leap on production systems yet.

