IPsec IKEv2 - tunnel up but no traffic - multiple SAD


  • Hello pfsense community,

    I have a problem. Maybe you can help me?
    I will try to explain the situation. If you need more information, just tell me and I will provide it.

    I have had a big IPsec VPN set up for a while. I have multiple boxes (10) that connect to each other.
    Suddenly it stopped last week for one endpoint, and this week a second one got the problem. I have not changed anything, but something must have happened.

    So here is the setup; all boxes are identical:
    On all of them I use pfSense 2.2.6-RELEASE (amd64) built on Tue Dec 22 16:37:36 CST 2015

    VPN IPsec Phase 1:
    Key Exchange V2
    I use Mutual RSA as the authentication method. I have set up my own Certificate Authority and generated certificates for both routers, which I use here.
    Encryption: AES 256bits
    Hash: SHA512
    DH group: 14 (2048bit)
    Lifetime: 28800
    DPD enabled

    Phase 2:
    Protocol: ESP
    Encryption: AES 256 bits
    Hash: SHA512
    PFS key group: 14 (2048bits)
    Lifetime: 3600

    On side A (my headquarters) I have:
    10.99.0.0 /16

    On side B I have:
    10.20.10.0 /24

    Firewall-Rule:
    Tab IPsec: allow all IPv4 from anywhere to anywhere. (Well, it worked before, so the rule shouldn't be the problem.)

    The problem is that the tunnel is up and the VPN shows connected, but I can't ping or send other traffic.

    What I see is that in the IPsec status the SADs are generated multiple times. I thought that on a "normal" connection there is only one for each direction.
    If I start a ping from side B to A with 4 packets, I can see that 4 new SADs are created (see picture 1.png).

    I hope you have a hint for me on what I can do next.

    Here is the log from side B (newest entries on top):

    Mar 16 15:43:42	charon: 14[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (96 bytes)
    Mar 16 15:43:42	charon: 14[ENC] <con1|1> generating INFORMATIONAL response 4 [ ]
    Mar 16 15:43:42	charon: 14[ENC] <con1|1> parsed INFORMATIONAL request 4 [ ]
    Mar 16 15:43:42	charon: 14[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (96 bytes)
    Mar 16 15:43:38	charon: 14[KNL] <con1|1> unable to query SAD entry with SPI c19ec5e9: No such file or directory (2)
    Mar 16 15:43:38	charon: 14[KNL] <con1|1> unable to query SAD entry with SPI ce9a8e0a: No such file or directory (2)
    Mar 16 15:43:38	charon: 14[KNL] <con1|1> unable to query SAD entry with SPI c8101d21: No such file or directory (2)
    Mar 16 15:43:32	charon: 12[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (496 bytes)
    Mar 16 15:43:32	charon: 12[ENC] <con1|1> generating CREATE_CHILD_SA response 3 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Mar 16 15:43:32	charon: 12[IKE] <con1|1> CHILD_SA con1{6} established with SPIs caf3a127_i c0a2106e_o and TS 10.22.10.0/24|/0 === 10.99.0.0/16|/0
    Mar 16 15:43:32	charon: 12[IKE] <con1|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Mar 16 15:43:32	charon: 12[ENC] <con1|1> parsed CREATE_CHILD_SA request 3 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Mar 16 15:43:32	charon: 12[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (528 bytes)
    Mar 16 15:43:27	charon: 12[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (496 bytes)
    Mar 16 15:43:27	charon: 12[ENC] <con1|1> generating CREATE_CHILD_SA response 2 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Mar 16 15:43:27	charon: 12[IKE] <con1|1> CHILD_SA con1{5} established with SPIs cec784ad_i c4c0a6c8_o and TS 10.22.10.0/24|/0 === 10.99.0.0/16|/0
    Mar 16 15:43:27	charon: 12[IKE] <con1|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Mar 16 15:43:27	charon: 12[ENC] <con1|1> parsed CREATE_CHILD_SA request 2 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Mar 16 15:43:27	charon: 12[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (528 bytes)
    Mar 16 15:43:22	charon: 12[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (496 bytes)
    Mar 16 15:43:22	charon: 12[ENC] <con1|1> generating CREATE_CHILD_SA response 1 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Mar 16 15:43:22	charon: 12[IKE] <con1|1> CHILD_SA con1{4} established with SPIs c0abb7f6_i c19ec5e9_o and TS 10.22.10.0/24|/0 === 10.99.0.0/16|/0
    Mar 16 15:43:22	charon: 12[IKE] <con1|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Mar 16 15:43:22	charon: 12[ENC] <con1|1> parsed CREATE_CHILD_SA request 1 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Mar 16 15:43:22	charon: 12[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (528 bytes)
    Mar 16 15:43:17	charon: 12[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (496 bytes)
    Mar 16 15:43:17	charon: 12[ENC] <con1|1> generating CREATE_CHILD_SA response 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Mar 16 15:43:17	charon: 12[IKE] <con1|1> CHILD_SA con1{3} established with SPIs c259f214_i ce9a8e0a_o and TS 10.22.10.0/24|/0 === 10.99.0.0/16|/0
    Mar 16 15:43:17	charon: 12[IKE] <con1|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Mar 16 15:43:17	charon: 12[ENC] <con1|1> parsed CREATE_CHILD_SA request 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Mar 16 15:43:17	charon: 12[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (528 bytes)
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> received AUTH_LIFETIME of 28004s, scheduling reauthentication in 27464s
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> CHILD_SA con1{2} established with SPIs c7c0ca2e_i c8101d21_o and TS 10.22.10.0/24|/0 === 10.99.0.0/16|/0
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> maximum IKE_SA lifetime 28748s
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> scheduling reauthentication in 28208s
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> IKE_SA con1[1] established between 87.147.yy.yy[yyyyyyyyyyyyyy]...92.198.xx.xx[xxxxxxxxxxxxxx]
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> authentication of 'zzzzzzzzzzzzzzzz' with RSA_EMSA_PKCS1_SHA384 successful
    Mar 16 15:43:10	charon: 11[CFG] <con1|1> reached self-signed root ca with a path length of 0
    Mar 16 15:43:10	charon: 11[CFG] <con1|1> certificate status is good
    Mar 16 15:43:10	charon: 11[CFG] <con1|1> crl is valid: until Apr 13 01:59:59 2016
    Mar 16 15:43:10	charon: 11[CFG] <con1|1> crl correctly signed by "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    Mar 16 15:43:10	charon: 11[CFG] <con1|1> using trusted certificate "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    Mar 16 15:43:10	charon: 11[CFG] <con1|1> fetching crl from 'http://ca.xxxxxxx.zz/advitaCA.crl' ...
    Mar 16 15:43:10	charon: 11[CFG] <con1|1> checking certificate status of "zzzzzzzzzzzzzzzzzz"
    Mar 16 15:43:10	charon: 11[CFG] <con1|1> using trusted ca certificate "xxxxxxxxxxxxxxxxxxx"
    Mar 16 15:43:10	charon: 11[CFG] <con1|1> using certificate "zzzzzzzzzzzzzzzzzzzzzz"
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> received end entity cert "zzzzzzzzzzzzzzzzzzzzzzzzzzz"
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> parsed IKE_AUTH response 1 [ IDr CERT AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) ]
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> received fragment #3 of 6, reassembling fragmented IKE message
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> parsed IKE_AUTH response 1 [ EF(3/6) ]
    Mar 16 15:43:10	charon: 11[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (548 bytes)
    Mar 16 15:43:10	charon: 16[ENC] <con1|1> received fragment #4 of 6, waiting for complete IKE message
    Mar 16 15:43:10	charon: 16[ENC] <con1|1> parsed IKE_AUTH response 1 [ EF(4/6) ]
    Mar 16 15:43:10	charon: 16[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (548 bytes)
    Mar 16 15:43:10	charon: 08[ENC] <con1|1> received fragment #5 of 6, waiting for complete IKE message
    Mar 16 15:43:10	charon: 08[ENC] <con1|1> parsed IKE_AUTH response 1 [ EF(5/6) ]
    Mar 16 15:43:10	charon: 08[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (548 bytes)
    Mar 16 15:43:10	charon: 12[ENC] <con1|1> received fragment #6 of 6, waiting for complete IKE message
    Mar 16 15:43:10	charon: 12[ENC] <con1|1> parsed IKE_AUTH response 1 [ EF(6/6) ]
    Mar 16 15:43:10	charon: 12[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (164 bytes)
    Mar 16 15:43:10	charon: 06[ENC] <con1|1> received fragment #2 of 6, waiting for complete IKE message
    Mar 16 15:43:10	charon: 06[ENC] <con1|1> parsed IKE_AUTH response 1 [ EF(2/6) ]
    Mar 16 15:43:10	charon: 06[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (548 bytes)
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> received fragment #1 of 6, waiting for complete IKE message
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> parsed IKE_AUTH response 1 [ EF(1/6) ]
    Mar 16 15:43:10	charon: 11[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (548 bytes)
    Mar 16 15:43:10	charon: 11[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (196 bytes)
    Mar 16 15:43:10	charon: 11[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (548 bytes)
    Mar 16 15:43:10	charon: 11[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (548 bytes)
    Mar 16 15:43:10	charon: 11[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (548 bytes)
    Mar 16 15:43:10	charon: 11[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (548 bytes)
    Mar 16 15:43:10	charon: 11[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (548 bytes)
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> generating IKE_AUTH request 1 [ EF(6/6) ]
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> generating IKE_AUTH request 1 [ EF(5/6) ]
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> generating IKE_AUTH request 1 [ EF(4/6) ]
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> generating IKE_AUTH request 1 [ EF(3/6) ]
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> generating IKE_AUTH request 1 [ EF(2/6) ]
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> generating IKE_AUTH request 1 [ EF(1/6) ]
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> splitting IKE message with length of 2512 bytes into 6 fragments
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> establishing CHILD_SA con1
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> sending end entity cert "yyyyyyyyyyyyyyyyyyyyyy"
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> authentication of 'yyyyyyyyyyy' (myself) with RSA_EMSA_PKCS1_SHA384 successful
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> sending cert request for "xxxxxxxxxxxxxxxxxxxxxxxxx"
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> received cert request for "xxxxxxxxxxxxxxxxxxxxxxxxxx"
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Mar 16 15:43:10	charon: 11[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (489 bytes)
    Mar 16 15:43:10	charon: 11[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (456 bytes)
    Mar 16 15:43:10	charon: 11[ENC] <con1|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
    Mar 16 15:43:10	charon: 11[IKE] <con1|1> initiating IKE_SA con1[1] to 92.198.xx.xx
    Mar 16 15:43:10	charon: 09[CFG] received stroke: initiate 'con1'
    Mar 16 15:43:10	charon: 10[CFG] no IKE_SA named 'con1' found
    Mar 16 15:43:10	charon: 10[CFG] received stroke: terminate 'con1'
    Mar 16 15:42:57	ipsec_starter[35169]:
    Mar 16 15:42:57	ipsec_starter[35169]: 'con1' routed
    Mar 16 15:42:57	charon: 11[CFG] received stroke: route 'con1'
    Mar 16 15:42:57	charon: 15[CFG] added configuration 'con1'
    Mar 16 15:42:57	charon: 15[CFG] loaded certificate "yyyyyyyyyyyyyyyyyyyyy" from '/var/etc/ipsec/ipsec.d/certs/cert-1.crt'
    Mar 16 15:42:57	charon: 15[CFG] received stroke: add connection 'con1'
    Mar 16 15:42:57	ipsec_starter[35169]:
    Mar 16 15:42:57	ipsec_starter[35169]: 'bypasslan' shunt PASS policy installed
    Mar 16 15:42:57	charon: 11[CFG] received stroke: route 'bypasslan'
    Mar 16 15:42:57	charon: 15[CFG] added configuration 'bypasslan'
    Mar 16 15:42:57	charon: 15[CFG] received stroke: add connection 'bypasslan'
    Mar 16 15:42:57	ipsec_starter[35169]: charon (35341) started after 180 ms
    Mar 16 15:42:57	charon: 00[JOB] spawning 16 worker threads
    Mar 16 15:42:57	charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
    Mar 16 15:42:57	charon: 00[CFG] loaded 0 RADIUS server configurations
    Mar 16 15:42:57	charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
    Mar 16 15:42:57	charon: 00[CFG] loaded RSA private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key'
    Mar 16 15:42:57	charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Mar 16 15:42:57	charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
    Mar 16 15:42:57	charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Mar 16 15:42:57	charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Mar 16 15:42:57	charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Mar 16 15:42:57	charon: 00[CFG] loaded ca certificate "xxxxxxxxx" from '/var/etc/ipsec/ipsec.d/cacerts/662badcc.0.crt'
    Mar 16 15:42:57	charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Mar 16 15:42:57	charon: 00[CFG] ipseckey plugin is disabled
    Mar 16 15:42:57	charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    Mar 16 15:42:57	charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
    Mar 16 15:42:57	charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, FreeBSD 10.1-RELEASE-p25, amd64)
    Mar 16 15:42:57	ipsec_starter[34671]: no known IPsec stack detected, ignoring!
    Mar 16 15:42:57	ipsec_starter[34671]: no KLIPS IPsec stack detected
    Mar 16 15:42:57	ipsec_starter[34671]: no netkey IPsec stack detected
    Mar 16 15:42:57	ipsec_starter[34671]: Starting strongSwan 5.3.5 IPsec [starter]...
    

    Here are later logs:

    Mar 16 14:26:07	charon: 08[ENC] <con1|1> generating CREATE_CHILD_SA response 1 [ N(TS_UNACCEPT) ]
    Mar 16 14:26:07	charon: 08[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA
    Mar 16 14:26:07	charon: 08[IKE] <con1|1> traffic selectors 87.147.yy.yy/32|/0 10.22.10.0/24|/0 === 92.198.xx.xx/32|/0 10.99.0.0/16|/0 inacceptable
    Mar 16 14:26:07	charon: 08[IKE] <con1|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Mar 16 14:26:07	charon: 08[ENC] <con1|1> parsed CREATE_CHILD_SA request 1 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Mar 16 14:26:07	charon: 08[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (528 bytes)
    Mar 16 14:26:04	charon: 08[ENC] <con1|1> parsed INFORMATIONAL response 3 [ ]
    Mar 16 14:26:04	charon: 08[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (96 bytes)
    Mar 16 14:26:04	charon: 12[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (96 bytes)
    Mar 16 14:26:04	charon: 12[ENC] <con1|1> generating INFORMATIONAL request 3 [ ]
    Mar 16 14:26:04	charon: 12[IKE] <con1|1> sending DPD request
    Mar 16 14:25:54	charon: 12[ENC] <con1|1> parsed INFORMATIONAL response 2 [ ]
    Mar 16 14:25:54	charon: 12[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (96 bytes)
    Mar 16 14:25:54	charon: 12[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (96 bytes)
    Mar 16 14:25:54	charon: 12[ENC] <con1|1> generating INFORMATIONAL request 2 [ ]
    Mar 16 14:25:54	charon: 12[IKE] <con1|1> sending DPD request
    Mar 16 14:25:43	charon: 12[NET] <con1|1> sending packet: from 87.147.yy.yy[500] to 92.198.xx.xx[500] (96 bytes)
    Mar 16 14:25:43	charon: 12[ENC] <con1|1> generating CREATE_CHILD_SA response 0 [ N(TS_UNACCEPT) ]
    Mar 16 14:25:43	charon: 12[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA
    Mar 16 14:25:43	charon: 12[IKE] <con1|1> traffic selectors 87.147.yy.yy/32|/0 10.22.10.0/24|/0 === 92.198.xx.xx/32|/0 10.99.0.0/16|/0 inacceptable
    Mar 16 14:25:43	charon: 12[IKE] <con1|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Mar 16 14:25:43	charon: 12[ENC] <con1|1> parsed CREATE_CHILD_SA request 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Mar 16 14:25:43	charon: 12[NET] <con1|1> received packet: from 92.198.xx.xx[500] to 87.147.yy.yy[500] (528 bytes)

    ![1.png](/public/_imported_attachments_/1/1.png)

  • I'm having the same issue. Did you find a fix for this?


  • Hello!

    Is there any possibility that a certificate has expired?
    Do any of the boxes use a dynamic IP? Have you checked the dynamic DNS in that case?

    Regards,

    Jaír


  • The original issue looks like it comes down to this:

    generating CREATE_CHILD_SA response 1 [ N(TS_UNACCEPT) ]
    

    TS_UNACCEPT is why the other end is rejecting it: traffic selectors unacceptable. Mismatched local/remote networks in P2.
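A defender-side way to read charon logs like the ones quoted in this thread, added here as an example and not taken from the posts, from pfSense or from strongSwan: it parses the lines, flags a burst of CHILD_SA establishments for the same selector pair (the repeated SADs the opener describes), correlates the kernel's "unable to query SAD entry" SPIs back to the CHILD_SAs charon reported as established, pulls out the TS_UNACCEPT rejection together with the selectors that were proposed, and checks whether the networks you believe are configured in Phase 2 actually appear in the selectors exchanged on the wire. The sample log is a constructed subset of the lines quoted above (keeping the post's redacted xx/yy addresses); the configured networks passed in, the 60-second window, the "more than one SA per window is churn" threshold and the function names are this example's own assumptions.

```python
"""Summarise strongSwan charon log lines for the symptoms discussed in this thread:
CHILD_SA churn, SAD entries the kernel cannot find, and TS_UNACCEPT rejections.
Example written for this page; not pfSense or strongSwan code."""
import re
from datetime import datetime

# Constructed sample: a subset of the charon lines quoted in the thread, newest
# first as pfSense displays them. Addresses keep the post's redacted xx/yy values.
SAMPLE_LOG = """\
Mar 16 15:43:38\tcharon: 14[KNL] <con1|1> unable to query SAD entry with SPI c19ec5e9: No such file or directory (2)
Mar 16 15:43:38\tcharon: 14[KNL] <con1|1> unable to query SAD entry with SPI ce9a8e0a: No such file or directory (2)
Mar 16 15:43:38\tcharon: 14[KNL] <con1|1> unable to query SAD entry with SPI c8101d21: No such file or directory (2)
Mar 16 15:43:32\tcharon: 12[IKE] <con1|1> CHILD_SA con1{6} established with SPIs caf3a127_i c0a2106e_o and TS 10.22.10.0/24|/0 === 10.99.0.0/16|/0
Mar 16 15:43:27\tcharon: 12[IKE] <con1|1> CHILD_SA con1{5} established with SPIs cec784ad_i c4c0a6c8_o and TS 10.22.10.0/24|/0 === 10.99.0.0/16|/0
Mar 16 15:43:22\tcharon: 12[IKE] <con1|1> CHILD_SA con1{4} established with SPIs c0abb7f6_i c19ec5e9_o and TS 10.22.10.0/24|/0 === 10.99.0.0/16|/0
Mar 16 15:43:17\tcharon: 12[IKE] <con1|1> CHILD_SA con1{3} established with SPIs c259f214_i ce9a8e0a_o and TS 10.22.10.0/24|/0 === 10.99.0.0/16|/0
Mar 16 15:43:10\tcharon: 11[IKE] <con1|1> CHILD_SA con1{2} established with SPIs c7c0ca2e_i c8101d21_o and TS 10.22.10.0/24|/0 === 10.99.0.0/16|/0
Mar 16 14:26:07\tcharon: 08[IKE] <con1|1> traffic selectors 87.147.yy.yy/32|/0 10.22.10.0/24|/0 === 92.198.xx.xx/32|/0 10.99.0.0/16|/0 inacceptable
"""

# One charon line: "<Mon DD HH:MM:SS>\tcharon: <thread>[<GROUP>] <con|id> <message>"
LINE_RE = re.compile(
    r"^(?P<when>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?:<[^>]+> )?(?P<msg>.*)$"
)
CHILD_RE = re.compile(
    r"CHILD_SA \S+\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<local>.+?) === (?P<remote>.+)$"
)
SAD_RE = re.compile(r"unable to query SAD entry with SPI (?P<spi>[0-9a-f]+)")
# strongSwan 5.3.x logs "inacceptable"; newer releases write "unacceptable".
TS_RE = re.compile(r"traffic selectors (?P<local>.+?) === (?P<remote>.+?) (?:in|un)acceptable$")


def parse_lines(text):
    """Return (when, group, message) tuples in chronological order; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            # The syslog stamp carries no year; datetime defaults to 1900, fine for deltas.
            events.append((datetime.strptime(m["when"], "%b %d %H:%M:%S"), m["group"], m["msg"]))
    return sorted(events, key=lambda e: e[0])


def max_burst(times, window):
    """Largest number of (sorted) timestamps that fall inside any span of `window` seconds."""
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def networks(selector_field):
    """'87.147.yy.yy/32|/0 10.22.10.0/24|/0' -> {'87.147.yy.yy/32', '10.22.10.0/24'}"""
    return {s.split("|")[0] for s in selector_field.split()}


def analyze(text, configured_local, configured_remote, window=60):
    """Report CHILD_SA churn, orphaned SAs, TS_UNACCEPT rejections and selector mismatches."""
    established, lost_spis, rejected = [], [], []
    for when, _group, msg in parse_lines(text):
        if m := CHILD_RE.search(msg):
            established.append((when, int(m["id"]), m["spi_out"], m["local"], m["remote"]))
        elif m := SAD_RE.search(msg):
            lost_spis.append(m["spi"])
        elif m := TS_RE.search(msg):
            rejected.append((m["local"], m["remote"]))

    # Several CHILD_SAs for the same selector pair inside one short window means each
    # new flow negotiated a fresh SA instead of being matched to the existing one.
    by_pair = {}
    for when, _cid, _spi, local, remote in established:
        by_pair.setdefault((local, remote), []).append(when)
    burst = max((max_burst(t, window) for t in by_pair.values()), default=0)

    # Outbound SPIs charon reported as established but the kernel later could not find:
    # for those CHILD_SAs the IKE daemon's view and the kernel SAD have diverged.
    spi_to_child = {spi: cid for _w, cid, spi, _l, _r in established}
    orphaned = sorted({spi_to_child[s] for s in lost_spis if s in spi_to_child})

    # Do the selectors actually exchanged contain the networks you believe are in Phase 2?
    seen_local = set().union(*[networks(l) for _w, _c, _s, l, _r in established],
                             *[networks(l) for l, _r in rejected])
    seen_remote = set().union(*[networks(r) for _w, _c, _s, _l, r in established],
                              *[networks(r) for _l, r in rejected])
    return {
        "child_sa_established": len(established),
        "max_child_sa_burst": burst,
        "churn": burst > 1,
        "orphaned_child_sa_ids": orphaned,
        "ts_unacceptable": rejected,
        "configured_local_seen": configured_local in seen_local,
        "configured_remote_seen": configured_remote in seen_remote,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, "10.20.10.0/24", "10.99.0.0/16").items():
        print(f"{key}: {value}")
```

Run with the networks exactly as the opening post lists them, `analyze(SAMPLE_LOG, "10.20.10.0/24", "10.99.0.0/16")`, and the report shows five CHILD_SAs for one selector pair within 22 seconds, CHILD_SAs 2, 3 and 4 as the ones whose outbound SPIs the kernel no longer knows, one TS_UNACCEPT rejection in which each side proposed two selectors (the peer's own /32 plus the LAN), and that the local network written in the post (10.20.10.0/24) is not the one in its own log (10.22.10.0/24). Whether that last point is a typo in the post or a real Phase 2 difference is not something the thread settles, which is exactly why the check is worth running before re-keying certificates or changing anything else.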