Description
After configuring an IPsec tunnel and verifying that phase 1 and phase 2 are up and the tunnel is passing traffic, adding more subnets to the same phase 2 selector (by adding address objects to the address object group used as the local or remote subnet of that selector) causes the IPsec tunnel to go down.
Scope
FortiGate IPsec IKEv1 and IKEv2.
Solution
The IKE debug shows the error 'TS_UNACCEPTABLE'. Note that the debug output below is truncated and the IP addresses are replaced by X.X.X.X and Y.Y.Y.Y.
ike 0:Test-Spoke:Test-Spoke: IPsec SA connect 17 X.X.X.X->Y.Y.Y.Y:500 negotiating
ike 0:Test-Spoke:3:12806 initiating CREATE_CHILD exchange
ike 0:Test-Spoke:3:Test-Spoke:12806: PFS enabled
ike 0:Test-Spoke:3: enc <TRUNCATED>
ike 0:Test-Spoke:3: out <TRUNCATED>
ike 0:Test-Spoke:3: sent IKE msg (CREATE_CHILD): X.X.X.X:500->Y.Y.Y.Y:500, len=272, id=e405986247f6bb7b/d5d1cb50b6b0f1d5:00000013
ike 0: comes Y.Y.Y.Y:500->X.X.X.X:500,ifindex=17....
ike 0: IKEv2 exchange=CREATE_CHILD_RESPONSE id=e405986247f6bb7b/d5d1cb50b6b0f1d5:00000013 len=80
ike 0: in <TRUNCATED>
ike 0:Test-Spoke:3: dec E405986247F6BB7BD5D1CB50B6B0F1D52E2024200000001300000028290000040000000800000026
ike 0:Test-Spoke:3: received create-child response
ike 0:Test-Spoke:3: initiator received CREATE_CHILD msg
ike 0:Test-Spoke:3:Test-Spoke:12806: found child SA SPI 9a2071f7 state=3
ike 0:Test-Spoke:3: processing notify type TS_UNACCEPTABLE <- error message
The maximum number of supported IPsec phase 2 selectors for IKEv1 and IKEv2 is 255 subnets per named selector as of FortiOS 5.4.1.
Named selectors (src-name/dst-name) are natively supported in IKEv2 because, by protocol design, up to 255 source/destination subnets can be negotiated in a single Child (IPsec) SA negotiation.
To resolve this issue, perform the following steps:
- Limit the number of address objects in a single phase 2 selector to fewer than 255.
- Create a second phase 2 selector in the same IPsec tunnel that holds the additional address objects in the local and/or remote subnets (again fewer than 255 subnets), and configure the same additional phase 2 selector on the remote end of the IPsec tunnel.
- Refresh the IPsec tunnel; all phase 2 selectors will then come up.
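As an added planning aid (not part of this article or of Fortinet's own tooling), the script below splits a list of address objects into groups that each stay below the 255-subnet limit and emits one address group plus one phase2-interface selector per group. The group and selector names are hypothetical, and the CLI keywords (src-addr-type/dst-addr-type name, src-name/dst-name) are assumed to match your FortiOS version; check them against its CLI reference before applying.

```python
"""Plan phase 2 selectors that stay below the 255-subnet limit per named selector.

Given the address objects intended for the remote side of a phase 2 selector,
split them into chunks of at most MAX_PER_SELECTOR members and render FortiOS
CLI for one address group and one phase2-interface selector per chunk.
The same selectors must be mirrored on the remote end of the tunnel.
"""
from typing import List

MAX_PER_SELECTOR = 254  # fewer than 255 subnets per named selector


def split_members(members: List[str], limit: int = MAX_PER_SELECTOR) -> List[List[str]]:
    """Split address object names into chunks no larger than `limit`."""
    if limit < 1:
        raise ValueError("limit must be positive")
    return [members[i:i + limit] for i in range(0, len(members), limit)]


def render_cli(phase1: str, base: str, local_grp: str, remote_members: List[str]) -> str:
    """Emit one addrgrp and one phase2-interface selector per remote chunk.

    `base` prefixes the hypothetical group/selector names; the local side reuses
    the existing group `local_grp`, which is assumed to already be under the limit.
    """
    chunks = split_members(remote_members)
    lines = ["config firewall addrgrp"]
    for n, chunk in enumerate(chunks, start=1):
        lines += [f'    edit "{base}_remote{n}"',
                  "        set member " + " ".join(f'"{m}"' for m in chunk),
                  "    next"]
    lines.append("end")
    lines.append("config vpn ipsec phase2-interface")
    for n in range(1, len(chunks) + 1):
        lines += [f'    edit "{base}_p2_{n}"',
                  f'        set phase1name "{phase1}"',
                  "        set src-addr-type name",
                  f'        set src-name "{local_grp}"',
                  "        set dst-addr-type name",
                  f'        set dst-name "{base}_remote{n}"',
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


# Constructed sample: 300 remote address objects, more than one selector allows.
SAMPLE_REMOTE = [f"remote_net_{i:03d}" for i in range(300)]

if __name__ == "__main__":
    print(render_cli("Test-Spoke", "Test-Spoke", "local_nets", SAMPLE_REMOTE))
```

With 300 members the script produces two selectors (254 and 46 subnets) instead of one oversized selector that would trigger TS_UNACCEPTABLE.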
Copyright 2024 Fortinet, Inc. All Rights Reserved.