topic Re: IKEv2 issues with R80.30 JHA 166 - traffic selectors unacceptable in Firewall and Security Management

IKEv2 issues with R80.30 JHA 166 - traffic selectors unacceptable

John_Fleming — Wed, 12 Aug 2020 02:00:03 GMT

Hi all, I'm having an issue with IKEv2 support. Tunnel management is set to tunnel per host. Access is basically /32 to /32. Tunnel fails during phase 2. We did some debugging via ikeview and everything looked ok. After looking at vpnd.elg (vpn debug on) I noticed I could see where the remote internal IP would be checked against the contents of the remote firewalls encryption domain. BTW there is src and dst nats on the local checkpoint gateway as well.

This is what I see in the debugs. Not word for word just high level.

Searching for remote internal IP (pre nat IP address)

comparing against external IP of remote VPN peer - no match

comparing against NAT IP (post nat IP) of remote internal host - no match

comparing against 224.0.0.0/24 - no match

Error traffic selectors unacceptable

Whats odd is its not searching all the hosts in the remote encryption domain. There are 9 IPs in the remote enc domain. For sure the internal remote host is in the encryption domain of the remote firewall (interop device) as well. Also I have no idea where the multicast subnet came from. Its not part of any of the configs.

We just switched everything to IKEv1 and things are coming up now. I see a few ikev2 updates after 166. We haven't opened a ticket yet just though I would ask here first. We're going to try switching it back to ikev2 just to be %100 where the issue is tomorrow.

Oh remote gateway is a ASA so my sympathy goes out to them. That being said sure feels like a bug on the checkpoint side.

Re: IKEv2 issues with R80.30 JHA 166 - traffic selectors unacceptable

Tobias_Moritz — Wed, 12 Aug 2020 13:07:38 GMT

Just a wild guess here...

Do you use host objects or network objects (/32) in the remote encryption domain object? If you are using host objects, can you try again with network objects?

Re: IKEv2 issues with R80.30 JHA 166 - traffic selectors unacceptable

John_Fleming — Wed, 12 Aug 2020 19:42:48 GMT

/32 network objects?? Heresy I say!

kidding aside... we just flipped everything back to ikev2 and it came up. I can now see the search rolling through on the contents of the remove encryption domain.

I really wish this wouldn't have worked. I think we're going to stick to ikev2 and see what happens.

Re: IKEv2 issues with R80.30 JHA 166 - traffic selectors unacceptable

prodigy477 — Wed, 04 Aug 2021 14:49:39 GMT

Hello, so what was your fix and how did you go about this? Running into the same issue

Re: IKEv2 issues with R80.30 JHA 166 - traffic selectors unacceptable

kennyt — Wed, 04 Jan 2023 05:31:22 GMT

Hi John,

Ran into same issue, what was your fix on this?

Re: IKEv2 issues with R80.30 JHA 166 - traffic selectors unacceptable

Chris_Atkinson — Wed, 04 Jan 2023 08:12:57 GMT

Which version of Gateway and ASA were involved?

Re: IKEv2 issues with R80.30 JHA 166 - traffic selectors unacceptable

kennyt — Thu, 19 Jan 2023 03:45:15 GMT

CP v81.10 and a third party GSM router, not an ASA