IPsec IKEv2 with two P2 - traffic selectors unacceptable
-
Hello!
I have two pfSense boxes and am trying to connect them via IPsec with both IPv4 and IPv6.
I set up IKEv2 P1 on both sides and two P2 on both sides, one for IPv4 and one for IPv6. The IPv4 tunnel works great, but IPv6 won't establish a connection.
The log shows that the traffic selectors are unacceptable, but I don't see the problem. Maybe someone can help me with that?
Here are some short log outputs:
Site A (192.168.0.0/24 & fd00::/112)
Jan 4 17:19:08 charon 12[CFG] <con1000|4841> proposing traffic selectors for us:
Jan 4 17:19:08 charon 12[CFG] <con1000|4841> 192.168.0.0/24|/0
Jan 4 17:19:08 charon 12[CFG] <con1000|4841> fd00::/112|/0
Jan 4 17:19:08 charon 12[CFG] <con1000|4841> proposing traffic selectors for other:
Jan 4 17:19:08 charon 12[CFG] <con1000|4841> 192.168.1.0/24|/0
Jan 4 17:19:08 charon 12[CFG] <con1000|4841> fd00::1:0/112|/0
Jan 4 17:19:31 charon 15[CFG] <con1000|4841> looking for a child config for 192.168.0.0/24|/0 fd00::/112|/0 === 192.168.1.0/24|/0 fd00::1:0/112|/0
Jan 4 17:19:31 charon 15[IKE] <con1000|4841> traffic selectors 192.168.0.0/24|/0 fd00::/112|/0 === 192.168.1.0/24|/0 fd00::1:0/112|/0 unacceptable
Site B (192.168.1.0/24 & fd00::1:0/112)
Jan 4 17:20:25 charon 10[CFG] <con1000|29220> proposing traffic selectors for us:
Jan 4 17:20:25 charon 10[CFG] <con1000|29220> 192.168.1.0/24|/0
Jan 4 17:20:25 charon 10[CFG] <con1000|29220> fd00::1:0/112|/0
Jan 4 17:20:25 charon 10[CFG] <con1000|29220> proposing traffic selectors for other:
Jan 4 17:20:25 charon 10[CFG] <con1000|29220> 192.168.0.0/24|/0
Jan 4 17:20:25 charon 10[CFG] <con1000|29220> fd00::/112|/0
Thanks!
Kind regards
Malte
-
What do the lines for the network(s) look like in /var/etc/ipsec/ipsec.conf on both sides?
What does ipsec statusall show on both sides?
This is probably one of many things fixed by the IPsec swanctl conversion on 2.5.0, but you may not want to make that leap on production systems yet.