  1. #1 (Newbie, joined Feb 2021, 3 posts)

    IKEv2 with multiple source subnets to a single destination subnet (16.2)

    Hi Everyone,

    I have had a working VPN to one of my remote sites and that was all wonderful, traffic went in, traffic went out. Routing was enjoyed by all members. The firewalls rejoiced in their learned subnets and all was good in the world.

    But one day we needed to add an additional local subnet to this mix, and now my additional subnet is not coming up at all. ICMP ping requests are not happy and are timing out.

    After much head banging (not to the metal kind), and examination of logs, I am here.

    So let's discuss the technical stuff.

    My original IPSEC was:

    IKEv2
    Phase 1: AES-256 / SHA-384
    Phase 2: AES-256 / SHA-384
    DH Group: 14
    Local Networks: 10.7.0.0/16
    Remote Networks: 10.3.0.0/16

    New IPSEC configuration:
    IKEv2
    Phase 1: AES-256 / SHA-384
    Phase 2: AES-256 / SHA-384
    DH Group: 14
    Local Networks: 10.7.0.0/16,10.9.3.0/24
    Remote Networks: 10.3.0.0/16

    Untangle networks are: 10.7.0.0/16 and 10.9.3.0/24

    Remote Device: (Fortigate)
    IKEv2
    Phase 1: AES-256 / SHA-384
    Phase 2: AES-256 / SHA-384
    DH Group: 14
    Local Networks: 10.3.0.0/16
    Remote Networks: 10.7.0.0/16,10.9.3.0/24

    Now my 10.7.0.0 network can still see my remote subnets, and back, without any issues. And before you ask: yes, I added the new subnet as an additional phase 2 on my remote destination, and configured rules and routes.

    Looking at the Fortigate, I can see that the additional phase 2 network is NOT coming up.

    And in the Untangle logs I can see the following:

    Feb 27 10:06:44 untangle charon: 12[ENC] generating CREATE_CHILD_SA response 606 [ N(TS_UNACCEPT) ]
    Feb 27 10:06:44 untangle charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
    Feb 27 10:06:44 untangle charon: 12[IKE] traffic selectors 10.9.3.0/24 === 10.3.0.0/16 unacceptable

    Unacceptable? That is perfectly legit to me.

    Has anyone got any ideas or things I could try to get this new subnet up? Or am I missing something?

    If anyone has any advice, I would love to hear it.

    Thanks,
    old fart from down under.

  2. #2 (Newbie, joined Feb 2021, 3 posts)

    So this is fixed. Reversed the order of the source subnets on Untangle, and both subnets came up on the tunnel.

    Was: 10.7.0.0/16,10.9.3.0/24
    New: 10.9.3.0/24,10.7.0.0/16

    Weird, but it's now working.
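Added example (not from either post, and not Untangle, strongSwan or Fortigate code): a small Python triage script that pulls the `traffic selectors ... unacceptable` pairs out of charon log lines like the ones quoted in post #1 and checks them against a configured selector list the way IKEv2 narrowing (RFC 7296 section 2.9) would. It assumes, as I read strongSwan's child_create task, that charon logs this line when no configured CHILD_SA config on the existing IKE_SA can be narrowed to the pair the peer proposed, that it prints the local side first, and that the Fortigate proposes one local/remote pair per phase 2. The subnets and log lines are the poster's; the `ORIGINAL_CFG`/`NEW_CFG` names and the child-config name `site` are my assumptions.

```python
"""Triage charon TS_UNACCEPT rejections against configured IKEv2 selectors.

Added example for the thread above; not Untangle, strongSwan or Fortigate code.
Assumption: charon logs "traffic selectors L === R unacceptable" when no
configured CHILD_SA config on the IKE_SA can be narrowed (RFC 7296 s.2.9)
to the pair the peer proposed, and it prints the local side first.
"""
import ipaddress
import re

# Constructed from the three charon lines quoted in post #1.
SAMPLE_LOG = """\
Feb 27 10:06:44 untangle charon: 12[ENC] generating CREATE_CHILD_SA response 606 [ N(TS_UNACCEPT) ]
Feb 27 10:06:44 untangle charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Feb 27 10:06:44 untangle charon: 12[IKE] traffic selectors 10.9.3.0/24 === 10.3.0.0/16 unacceptable
"""

# Selector lists as posted; "site" as the child config name is an assumption.
ORIGINAL_CFG = [{"name": "site", "local": ["10.7.0.0/16"], "remote": ["10.3.0.0/16"]}]
NEW_CFG = [{"name": "site", "local": ["10.7.0.0/16", "10.9.3.0/24"], "remote": ["10.3.0.0/16"]}]

TS_LINE = re.compile(r"charon: \d+\[IKE\] traffic selectors (\S+) === (\S+) unacceptable")


def parse_unacceptable(log_text):
    """Return (local, remote) selector pairs charon reported as unacceptable."""
    return [m.groups() for m in TS_LINE.finditer(log_text)]


def narrow(proposed, configured):
    """IKEv2 narrowing of one proposed selector against a configured list:
    the overlap with each configured subnet, as strings; empty means no match.
    Two CIDR blocks that overlap are nested, so the overlap is the smaller one."""
    p = ipaddress.ip_network(proposed)
    result = []
    for cidr in configured:
        c = ipaddress.ip_network(cidr)
        if p.overlaps(c):
            result.append(str(p if p.subnet_of(c) else c))
    return result


def select_child_cfg(child_cfgs, local_ts, remote_ts):
    """First child config (in configured order) that narrows to a non-empty
    selector on both sides; None means charon would answer N(TS_UNACCEPT)."""
    for cfg in child_cfgs:
        if narrow(local_ts, cfg["local"]) and narrow(remote_ts, cfg["remote"]):
            return cfg["name"]
    return None


def triage(log_text, child_cfgs):
    """For every rejected pair in the log, name the child config that should
    have accepted it under the given selector lists, or None if none could."""
    return [
        {"local": loc, "remote": rem, "matching_cfg": select_child_cfg(child_cfgs, loc, rem)}
        for loc, rem in parse_unacceptable(log_text)
    ]


if __name__ == "__main__":
    for label, cfg in (("original config", ORIGINAL_CFG), ("new config", NEW_CFG)):
        for row in triage(SAMPLE_LOG, cfg):
            verdict = row["matching_cfg"] or "no child config covers it"
            print(f"{label}: {row['local']} === {row['remote']} -> {verdict}")
```

Run against the new selector list, the rejected pair is covered, which is the poster's point that the selectors are legitimate. Run against the original one-subnet list, it is rejected, which is exactly the line you would see if the daemon were still running the old selector set; on a strongSwan box, `ipsec statusall` shows the child configs actually loaded, and comparing that output with the UI is the first check before touching the Fortigate side. The only place order matters in this model is which child config is tried first, which is consistent with the reordering fix in post #2 but does not explain it; the thread does not show how Untangle renders its subnet list into the daemon's configuration.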
