FIXED 2.2.1 ALIX <> APU: phase2 gets: traffic selectors inacceptable



  • Never stopped and restarted the connection, after that step it seems to be fine so far…

    Hi all,

    I've set up a tunnel between two sides. One side is run by an APU, the other by an older ALIX, both with 2.2.1. The tunnel comes up just fine but I can't get a package through...

    I've got this IPsec-Firewall rule on both sides:

    IPv4 *	*	*	*	*	*	none	 	any <> any 
    

    On IPSec restart the log says:

    Mar 19 11:36:37	charon: 08[IKE] failed to establish CHILD_SA, keeping IKE_SA
    Mar 19 11:36:37	charon: 08[IKE] <con1|2> failed to establish CHILD_SA, keeping IKE_SA
    Mar 19 11:36:37	charon: 08[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
    Mar 19 11:36:37	charon: 08[IKE] <con1|2> received TS_UNACCEPTABLE notify, no CHILD_SA built
    Mar 19 11:36:37	charon: 08[ENC] parsed CREATE_CHILD_SA response 153 [ N(TS_UNACCEPT) ]
    Mar 19 11:36:37	charon: 08[NET] received packet: from REMOTE-IP[4500] to LOCAL-IP[4500] (76 bytes)
    Mar 19 11:36:37	charon: 08[NET] sending packet: from LOCAL-IP[4500] to REMOTE-IP[4500] (412 bytes)
    Mar 19 11:36:37	charon: 08[ENC] generating CREATE_CHILD_SA request 153 [ N(IPCOMP_SUP) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Mar 19 11:36:37	charon: 08[IKE] establishing CHILD_SA con1{1}
    Mar 19 11:36:37	charon: 08[IKE] <con1|2> establishing CHILD_SA con1{1}
    Mar 19 11:36:37	charon: 10[KNL] creating acquire job for policy LOCAL-IP/32|/0 === REMOTE-IP/32|/0 with reqid {1}
    Mar 19 11:36:33	charon: 10[ENC] parsed INFORMATIONAL response 152 [ ]
    Mar 19 11:36:33	charon: 10[NET] received packet: from REMOTE-IP[4500] to LOCAL-IP[4500] (76 bytes)
    Mar 19 11:36:33	charon: 12[NET] sending packet: from LOCAL-IP[4500] to REMOTE-IP[4500] (76 bytes)
    Mar 19 11:36:33	charon: 12[ENC] generating INFORMATIONAL request 152 [ ]
    Mar 19 11:36:33	charon: 12[IKE] sending DPD request
    

    LOCAL Phase1 is:

    LOCAL Phase2 #1 is:

    LOCAL Phase2 #2 is:

    REMOTE Phase1 is:

    REMOTE Phase2 #1 is:

    REMOTE Phase2 #2 is:

    I hope you can help solve the issue.



  • I just enabled logging and found this:

    Mar 19 13:52:35	charon: 14[IKE] <con1|179> traffic selectors REMOTE-IP/32|/0 10.10.21.0/24|/0 10.10.23.0/24|/0 === LOCAL-IP/32|/0 10.10.10.0/24|/0 inacceptable
    Mar 19 13:52:35	charon: 14[IKE] traffic selectors REMOTE-IP/32|/0 10.10.21.0/24|/0 10.10.23.0/24|/0 === LOCAL-IP/32|/0 10.10.10.0/24|/0 inacceptable
    Mar 19 13:52:35	charon: 14[IKE] <con1|179> failed to establish CHILD_SA, keeping IKE_SA
    Mar 19 13:52:35	charon: 14[IKE] failed to establish CHILD_SA, keeping IKE_SA
    

    Could someone please describe why my Phase2 entries get rejected?



  • Because they do not match!
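  The "do not match" reply can be checked mechanically against the "traffic selectors ... inacceptable" line from the post above. The following is an added example, not code from any poster or from pfSense/strongSwan: it parses the selector lists on each side of `===`, then applies the narrowing test charon uses when it selects a child config, namely that a Phase 2 entry must overlap at least one proposed selector on both sides. The log line, its addresses and the Phase 2 entries are constructed (the thread's LOCAL-IP/REMOTE-IP placeholders are replaced by documentation ranges), and the assumption that each Phase 2 entry is one child config with a single subnet per side follows pfSense's layout.

```python
import ipaddress
import re

# Constructed log line in the format charon printed in the thread; the poster's
# LOCAL-IP/REMOTE-IP placeholders are replaced by documentation addresses.
LOG_LINE = ("Mar 19 13:52:35 charon: 14[IKE] <con1|179> traffic selectors "
            "198.51.100.1/32|/0 10.10.21.0/24|/0 10.10.23.0/24|/0 === "
            "203.0.113.1/32|/0 10.10.10.0/24|/0 inacceptable")

# Assumed Phase 2 entries (left subnet, right subnet) on the box that logged the
# line, in the same orientation as the log's left/right side of '==='.
PHASE2_ENTRIES = [("10.10.21.0/24", "10.10.10.0/24")]

TS_RE = re.compile(r"traffic selectors (.+?) === (.+?) (?:in|un)acceptable")


def parse_selectors(line):
    """Split the 'A === B' lists into two lists of ip_network objects.
    Tokens look like '10.10.21.0/24|/0'; the part after '|' is proto/port."""
    m = TS_RE.search(line)
    if not m:
        raise ValueError("not a traffic-selector line")

    def to_nets(group):
        return [ipaddress.ip_network(tok.split("|")[0]) for tok in group.split()]

    return to_nets(m.group(1)), to_nets(m.group(2))


def matching_entries(proposed, entries):
    """Entries whose subnets overlap at least one proposed selector on BOTH
    sides: the narrowing test a child config has to pass. An empty result is
    exactly the case charon answers with TS_UNACCEPTABLE."""
    left, right = proposed
    nets = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in entries]
    return [(str(a), str(b)) for a, b in nets
            if any(a.overlaps(x) for x in left) and any(b.overlaps(y) for y in right)]


def uncovered_pairs(proposed, entries):
    """Proposed (left, right) combinations that no entry overlaps; traffic
    between these subnets will not be carried by any CHILD_SA on this side."""
    left, right = proposed
    nets = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in entries]
    return [(str(x), str(y)) for x in left for y in right
            if not any(x.overlaps(a) and y.overlaps(b) for a, b in nets)]


if __name__ == "__main__":
    proposed = parse_selectors(LOG_LINE)
    ok = matching_entries(proposed, PHASE2_ENTRIES)
    print("CHILD_SA would be", "built" if ok else "rejected (TS_UNACCEPTABLE)")
    for x, y in uncovered_pairs(proposed, PHASE2_ENTRIES):
        print("no Phase 2 entry for", x, "<->", y)
```

  Feed it the real line from the IPsec log and the entries configured on the side that logged it; an empty `matching_entries` result means the peer's Phase 2 list has no counterpart on this side, which is what the reply above says.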

