topic Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable in Firewall and Security Management

Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

Sph1nX — Mon, 30 Jun 2025 08:13:30 GMT

Good Day,

I am struggling with an IPsec Tunnel between a CP device and a Fortinet device, Using AES-256, SHA256 and Group19 for both Phase 1 and Phase 2 encryption yet get the above error. First time I am doing an IPsec tunnel between the two devices would anyone be able to advise me as to what the problems could be

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

PhoneBoy — Wed, 02 Jul 2025 17:05:39 GMT

This usually points to a mismatch in configuration.
Refer to #11 here: https://support.checkpoint.com/results/sk/sk181787

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

the_rock — Wed, 02 Jul 2025 17:21:05 GMT

Do you even see phase 1 completing? You can check that via vpn tu on CP and from gui on Fortigate. Debugs you can do. I would still double check to make sure all settings do match, but debug would 100% confirm that. If it fails phase 1, depending where, it could be PSK issue or basic settings are mismatched. If phase 2, than most likely vpn domains.

CP:

vpn debug trunc

vpn debug ikeon

-generate traffic

vpn debug ikeoff

get iked and vpnd files from $FWDIR/log dir

Fortigate:

di de di

di de application ike -1

di de en

Hope that helps.

Andy

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

Sph1nX — Wed, 09 Jul 2025 09:21:46 GMT

Encryption groups are configured the same but get the below
457126603; 9Jul2025 10:45:01.279891;[kern];[tid_1];[SIM-241580892];sim (vpn_encrypt): drop due vpn_ipsec_encrypt returns PKT_DROP(3);
457126603; 9Jul2025 10:45:01.279897;[kern];[tid_1];[SIM-241580892];handle_vpn_encryption: ipsec_encrypt failed: failed to find SA. Dropping packet;
457126605; 9Jul2025 10:45:01.279902;[kern];[tid_1];[SIM-241580892];sim_pkt_send_drop_notification: (0,1) received drop, reason: Encryption Failed, conn;
457126605; 9Jul2025 10:45:01.279907;[kern];[tid_1];[SIM-241580892];sim_pkt_send_drop_notification: sending packet dropped notification drop mode: 0 debug mode: 1 send as is: 0 track_lvl: -1, conn;
457126605; 9Jul2025 10:45:01.279911;[kern];[tid_1];[SIM-241580892];sim_pkt_send_drop_notification: sending single drop notification, conn;
457126606; 9Jul2025 10:45:01.279917;[kern];[tid_1];[SIM-241580892];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

CaseyB — Wed, 09 Jul 2025 12:59:52 GMT

The Check Point "traffic selectors unacceptable" message should include the networks it is sending to the Fortinet, see the highlighted section below. Do the networks in that message match on the Fortinet side? If not, that is the problem.

How do you have the addresses setup on the Fortinet side for Phase 2 selectors? Do you have it configured as "IP Address" or "Subnet"? You have to have the tunnel sharing mode setup on the Check Point side to match. Ideally you should be defining a subnet for the Fortinet Phase 2 selector and using the Check Point "One VPN tunnel per subnet pair" option for tunnel sharing.

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

G_W_Albrecht — Wed, 09 Jul 2025 13:01:56 GMT

What CP device is that ? GAiA ? Version ? Jumbo ?

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

Sph1nX — Wed, 09 Jul 2025 13:08:29 GMT

Have it configured as IP's on the Fortigates side, One VPN tunnel per subnet pair. No Message comes up on the Fortigate side with Traffic selectors being a problem only on Checkpont side

I get a lot on MyTSi and some on Peer TSr, we did try and configure the ones missing on the Fortinet side but just added more on their side after doing so

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

Sph1nX — Wed, 09 Jul 2025 13:12:59 GMT

Check Point 3800, GAiA, Build 335, Kernel 3.10.0

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

Sph1nX — Wed, 09 Jul 2025 13:17:13 GMT

R81.10

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

CaseyB — Wed, 09 Jul 2025 13:19:07 GMT

Setting them as IP addresses on the Fortigate side means you need to use the Check Point VPN tunnel sharing mode as "One VPN tunnel per each pair of hosts". You will also need to make sure that those IP addresses are defined as hosts within your Check Point VPN domain.

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

the_rock — Wed, 09 Jul 2025 13:23:49 GMT

What do you see on Fortigate side?

Andy

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

Sph1nX — Wed, 09 Jul 2025 13:26:35 GMT

The traffic is coming through on their side so they can see the ping request coming through and no errors show up

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

Sph1nX — Wed, 09 Jul 2025 13:41:02 GMT

I have changed it to One VPN tunnel per each pair of hosts, but also see that there was no VPN domain setup, I took over from the last guy and he wasn't motivated to continue with it so it wasn't completed when he left so now left with trying to get this working

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

the_rock — Wed, 09 Jul 2025 14:03:32 GMT

Is it combo of hosts/subnets? If so, then choose per gateway.

Andy

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

Sph1nX — Wed, 09 Jul 2025 14:06:59 GMT

I know the Fortigate side has /32s and CP side has /24

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

the_rock — Wed, 09 Jul 2025 14:24:42 GMT

Thats fine, then choose subnets on CP side and on Fortigate, you dont need to do universal tunnel, just do whatever hosts needed. I attached an example, you can just keep adding needed entries.

Andy

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

Sph1nX — Wed, 09 Jul 2025 14:30:22 GMT

Just want to confirm that they need to config the MyTSi from CP side onto the fortigate side is that correct?

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

G_W_Albrecht — Wed, 09 Jul 2025 14:34:37 GMT

Did you review sk108600: VPN Site-to-Site with 3rd party ? Had a Forti once where the customer had to exclude WAN GW IP from Enc Domain to make it work. I would ask CP TAC for help!

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

the_rock — Wed, 09 Jul 2025 14:36:32 GMT

They do, yes. It has to match 100%, otherwise, it wont work.

Re: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable

Sph1nX — Mon, 14 Jul 2025 11:54:55 GMT

This is what I can get from the Fortinet side, I see the SA=1 which refers to traffic selectors being acceptable but still doesn't pass through to either side