Netgate Discussion Forum

    IPsec IKEv2 with two P2 - traffic selectors unacceptable

      maltehillmann

      Hello!

      I have two pfSense boxes and am trying to connect them via IPsec with both IPv4 and IPv6.
      I set up IKEv2 P1 on both sides and two P2 on both sides, one for IPv4 and one for IPv6. The IPv4 tunnel works great but IPv6 won't establish a connection.
      The log shows that the traffic selectors are unacceptable, but I don't see the problem. Maybe someone can help me with that?

      Here are some short log outputs:

      Site A (192.168.0.0/24 & fd00::/112)

      Jan 4 17:19:08	charon		12[CFG] <con1000|4841> proposing traffic selectors for us:
      Jan 4 17:19:08	charon		12[CFG] <con1000|4841> 192.168.0.0/24|/0
      Jan 4 17:19:08	charon		12[CFG] <con1000|4841> fd00::/112|/0
      Jan 4 17:19:08	charon		12[CFG] <con1000|4841> proposing traffic selectors for other:
      Jan 4 17:19:08	charon		12[CFG] <con1000|4841> 192.168.1.0/24|/0
      Jan 4 17:19:08	charon		12[CFG] <con1000|4841> fd00::1:0/112|/0
      Jan 4 17:19:31	charon		15[CFG] <con1000|4841> looking for a child config for 192.168.0.0/24|/0 fd00::/112|/0 === 192.168.1.0/24|/0 fd00::1:0/112|/0
      Jan 4 17:19:31	charon		15[IKE] <con1000|4841> traffic selectors 192.168.0.0/24|/0 fd00::/112|/0 === 192.168.1.0/24|/0 fd00::1:0/112|/0 unacceptable
      

      Site B (192.168.1.0/24 & fd00::1:0/112)

      Jan 4 17:20:25	charon		10[CFG] <con1000|29220> proposing traffic selectors for us:
      Jan 4 17:20:25	charon		10[CFG] <con1000|29220> 192.168.1.0/24|/0
      Jan 4 17:20:25	charon		10[CFG] <con1000|29220> fd00::1:0/112|/0
      Jan 4 17:20:25	charon		10[CFG] <con1000|29220> proposing traffic selectors for other:
      Jan 4 17:20:25	charon		10[CFG] <con1000|29220> 192.168.0.0/24|/0
      Jan 4 17:20:25	charon		10[CFG] <con1000|29220> fd00::/112|/0
      

      Thanks!

      Kind regards
      Malte

        jimp Rebel Alliance Developer Netgate

        What do the lines for the network(s) look like in /var/etc/ipsec/ipsec.conf on both sides?

        What does ipsec statusall show on both sides?

        This is probably one of many things fixed by the IPsec swanctl conversion on 2.5.0, but you may not want to make that leap on production systems yet.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
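
Added example, not part of either post and not Netgate or strongSwan code: a small Python check that parses the charon lines quoted in the first post and tests whether each site's "us" selectors mirror the other site's "other" selectors, which rules a plain subnet mismatch in or out. The function names are hypothetical and the sample input is copied from the post with timestamps trimmed.

```python
import ipaddress
import re
# Constructed sample input: charon lines copied from the first post (timestamps trimmed).
SITE_A = """\
charon 12[CFG] <con1000|4841> proposing traffic selectors for us:
charon 12[CFG] <con1000|4841> 192.168.0.0/24|/0
charon 12[CFG] <con1000|4841> fd00::/112|/0
charon 12[CFG] <con1000|4841> proposing traffic selectors for other:
charon 12[CFG] <con1000|4841> 192.168.1.0/24|/0
charon 12[CFG] <con1000|4841> fd00::1:0/112|/0
charon 15[IKE] <con1000|4841> traffic selectors 192.168.0.0/24|/0 fd00::/112|/0 === 192.168.1.0/24|/0 fd00::1:0/112|/0 unacceptable
"""
SITE_B = """\
charon 10[CFG] <con1000|29220> proposing traffic selectors for us:
charon 10[CFG] <con1000|29220> 192.168.1.0/24|/0
charon 10[CFG] <con1000|29220> fd00::1:0/112|/0
charon 10[CFG] <con1000|29220> proposing traffic selectors for other:
charon 10[CFG] <con1000|29220> 192.168.0.0/24|/0
charon 10[CFG] <con1000|29220> fd00::/112|/0
"""

LINE = re.compile(r"charon\s+\d+\[(?:CFG|IKE)\]\s+<[^>]+>\s+(.*)$")
TS = re.compile(r"^[0-9A-Fa-f:.]+/\d+\|/\d+$")  # trailing "|/0" is matched, not interpreted

def parse_proposals(log_text):
    """Collect the selectors one side proposes and whether a rejection was logged."""
    out = {"us": set(), "other": set(), "rejected": False}
    side = None
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("proposing traffic selectors for "):
            side = msg.rsplit(" ", 1)[1].rstrip(":")
        elif TS.match(msg) and side in ("us", "other"):
            out[side].add(ipaddress.ip_network(msg.split("|")[0]))  # raises on host bits
        else:
            side = None
            out["rejected"] |= msg.endswith("unacceptable")
    return out

def mirrored(a, b):
    """A's local networks must be B's remote networks, and the reverse."""
    return a["us"] == b["other"] and a["other"] == b["us"]

def families(nets):
    """IP versions present in one proposal, e.g. [4, 6] when both share a request."""
    return sorted({n.version for n in nets})
```

On the quoted lines the two sides mirror each other and each proposal carries the IPv4 and IPv6 selectors together, so the subnets themselves are consistent. The `ipsec.conf` lines and `ipsec statusall` output asked for in the reply are the next things to compare.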