https://community.checkpoint.com/t5/Spark-Firewall-SMB/IKE-failure-Child-SA-exchange-Issue/m-p/207604#M10327 <P>L-71 is a 1400 Series for those playing along at home.</P> <P>This message means the remote site doesn’t accept the proposed encryption domain (Traffic selectors) by current gateway.<BR />This can indicate a configuration problem, such as:</P> <OL> <LI>Missing subnets on either of the peers</LI> <LI>Unaligned tunnel sharing configurations (tunnel per gateway \ subnet \ address)</LI> <LI>Route all traffic configured on a site where other peer is oblivious.</LI> </OL> <P>Verify the following :</P> <OL> <LI>Encryption domains are configured correctly on both peers.</LI> <LI>Tunnel sharing is aligned on both peers</LI> <LI>If route all traffic is configured on the site, confirm that "Allow traffic to the internet from remote site through this Security Gateway" is enabled under "advanced" tab on peer WebUI site configuration.</LI> </OL> Fri, 01 Mar 2024 21:29:58 GMT PhoneBoy 2024-03-01T21:29:58Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/IKE-failure-Child-SA-exchange-Issue/m-p/206909#M10301 <P>I have a L-71 unit that we are trying to connect to our other office. We managed to get connection after many hours of testing but we keep getting this error on both ends despite a good connection. So much as a single ping causes this error to fire. What is this and how do we fix it?</P><P>Description<BR />IKE failure: Child SA exchange: Received notification from peer: Traffic selectors unacceptable</P><P>IKE Phase2 Message ID: 00000001<BR />Reject Category: IKE failure<BR />Encryption Scheme: IKEv2<BR />VPN Feature: IKE</P> Thu, 22 Feb 2024 19:18:43 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/IKE-failure-Child-SA-exchange-Issue/m-p/206909#M10301 bsbesit 2024-02-22T19:18:43Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/IKE-failure-Child-SA-exchange-Issue/m-p/207173#M10302 <P>Versions used on both ends, details about your VPN config? What do you call "a good connection" in this context?&nbsp;</P> Mon, 26 Feb 2024 14:40:36 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/IKE-failure-Child-SA-exchange-Issue/m-p/207173#M10302 _Val_ 2024-02-26T14:40:36Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/IKE-failure-Child-SA-exchange-Issue/m-p/207180#M10303 <P>Traffic selectors are generally when one side proposes a host/subnet that is not defined on the other side. The log file should tell you which traffic selectors is providing the error, otherwise you'll have to do a debug to get that information.</P><P>If you send 10.20.30.0/24, that's how it needs to be defined on both sides. You would get an error if one side was 10.20.30.0/23 for example.</P> Mon, 26 Feb 2024 15:23:52 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/IKE-failure-Child-SA-exchange-Issue/m-p/207180#M10303 CaseyB 2024-02-26T15:23:52Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/IKE-failure-Child-SA-exchange-Issue/m-p/207604#M10327 <P>L-71 is a 1400 Series for those playing along at home.</P> <P>This message means the remote site doesn’t accept the proposed encryption domain (Traffic selectors) by current gateway.<BR />This can indicate a configuration problem, such as:</P> <OL> <LI>Missing subnets on either of the peers</LI> <LI>Unaligned tunnel sharing configurations (tunnel per gateway \ subnet \ address)</LI> <LI>Route all traffic configured on a site where other peer is oblivious.</LI> </OL> <P>Verify the following :</P> <OL> <LI>Encryption domains are configured correctly on both peers.</LI> <LI>Tunnel sharing is aligned on both peers</LI> <LI>If route all traffic is configured on the site, confirm that "Allow traffic to the internet from remote site through this Security Gateway" is enabled under "advanced" tab on peer WebUI site configuration.</LI> </OL> Fri, 01 Mar 2024 21:29:58 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/IKE-failure-Child-SA-exchange-Issue/m-p/207604#M10327 PhoneBoy 2024-03-01T21:29:58Z