GRE+IPsec transport mode with Cisco router

ps0 · Feb 3, 2023, 2:15 PM

Hello everyone,
I am trying to establish tunnel between pfsense 2.6.0 and Cisco router. Using GRE+IPsec ikev2 in transport mode . Phase1 is OK, connection established but phase2 unable to connect. In log there are messages

15[IKE] <con2|352> establishing CHILD_SA con2{25048}
15[ENC] <con2|352> generating CREATE_CHILD_SA request 406 [ N(USE_TRANSP) N(ESP_TFC_PAD_N) SA No TSi TSr ]
15[NET] <con2|352> sending packet: from x.x.x.x[500] to y.y.y.y[500] (224 bytes)
16[NET] <con2|352> received packet: from y.y.y.y[500] to x.x.x.x[500] (80 bytes)
16[ENC] <con2|352> parsed CREATE_CHILD_SA response 406 [ N(TS_UNACCEPT) ]
16[IKE] <con2|352> received TS_UNACCEPTABLE notify, no CHILD_SA built
16[IKE] <con2|352> failed to establish CHILD_SA, keeping IKE_SA
16[CHD] <con2|352> CHILD_SA con2{25048} state change: CREATED => DESTROYING

As far as I understand this means that traffic selector does not match. But in transport mode no traffic selectors can be specified.
What need to be fixed?
Thanks in advance.

jimp · Feb 3, 2023, 4:46 PM

You might need to check the logs on the Cisco and see exactly what it's rejecting. All pfSense can see is that Cisco didn't like it, not why.

ps0 · Feb 3, 2023, 6:45 PM

Unfortunately I don't have access to Cisco.