<![CDATA[GRE+IPsec transport mode with Cisco router]]>Hello everyone,
I am trying to establish tunnel between pfsense 2.6.0 and Cisco router. Using GRE+IPsec ikev2 in transport mode . Phase1 is OK, connection established but phase2 unable to connect. In log there are messages

15[IKE] <con2|352> establishing CHILD_SA con2{25048}
15[ENC] <con2|352> generating CREATE_CHILD_SA request 406 [ N(USE_TRANSP) N(ESP_TFC_PAD_N) SA No TSi TSr ]
15[NET] <con2|352> sending packet: from x.x.x.x[500] to y.y.y.y[500] (224 bytes)
16[NET] <con2|352> received packet: from y.y.y.y[500] to x.x.x.x[500] (80 bytes)
16[ENC] <con2|352> parsed CREATE_CHILD_SA response 406 [ N(TS_UNACCEPT) ]
16[IKE] <con2|352> received TS_UNACCEPTABLE notify, no CHILD_SA built
16[IKE] <con2|352> failed to establish CHILD_SA, keeping IKE_SA
16[CHD] <con2|352> CHILD_SA con2{25048} state change: CREATED => DESTROYING

As far as I understand this means that traffic selector does not match. But in transport mode no traffic selectors can be specified.
What need to be fixed?
Thanks in advance.

]]>https://forum.netgate.com/topic/177535/gre-ipsec-transport-mode-with-cisco-routerRSS for NodeFri, 17 Apr 2026 05:28:34 GMTFri, 03 Feb 2023 14:15:05 GMT60<![CDATA[Reply to GRE+IPsec transport mode with Cisco router on Fri, 03 Feb 2023 18:45:48 GMT]]>Unfortunately I don't have access to Cisco.

]]>https://forum.netgate.com/post/1084015https://forum.netgate.com/post/1084015Fri, 03 Feb 2023 18:45:48 GMT<![CDATA[Reply to GRE+IPsec transport mode with Cisco router on Fri, 03 Feb 2023 16:46:54 GMT]]>You might need to check the logs on the Cisco and see exactly what it's rejecting. All pfSense can see is that Cisco didn't like it, not why.

]]>https://forum.netgate.com/post/1083982https://forum.netgate.com/post/1083982Fri, 03 Feb 2023 16:46:54 GMT