This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bsbesit
Explorer
‎2024-02-22 11:18 AM

IKE failure: Child SA exchange Issue

I have a L-71 unit that we are trying to connect to our other office. We managed to get connection after many hours of testing but we keep getting this error on both ends despite a good connection. So much as a single ping causes this error to fire. What is this and how do we fix it?

Description
IKE failure: Child SA exchange: Received notification from peer: Traffic selectors unacceptable

IKE Phase2 Message ID: 00000001
Reject Category: IKE failure
Encryption Scheme: IKEv2
VPN Feature: IKE

0 Kudos
3 Replies
_Val_
Admin
Admin
‎2024-02-26 06:40 AM

Versions used on both ends, details about your VPN config? What do you call "a good connection" in this context? 

0 Kudos
CaseyB
Advisor
‎2024-02-26 07:23 AM

Traffic selectors are generally when one side proposes a host/subnet that is not defined on the other side. The log file should tell you which traffic selectors is providing the error, otherwise you'll have to do a debug to get that information.

If you send 10.20.30.0/24, that's how it needs to be defined on both sides. You would get an error if one side was 10.20.30.0/23 for example.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-03-01 01:29 PM

L-71 is a 1400 Series for those playing along at home.

This message means the remote site doesn’t accept the proposed encryption domain (Traffic selectors) by current gateway.
This can indicate a configuration problem, such as:

  1. Missing subnets on either of the peers
  2. Unaligned tunnel sharing configurations (tunnel per gateway \ subnet \ address)
  3. Route all traffic configured on a site where other peer is oblivious.

Verify the following :

  1. Encryption domains are configured correctly on both peers.
  2. Tunnel sharing is aligned on both peers
  3. If route all traffic is configured on the site, confirm that "Allow traffic to the internet from remote site through this Security Gateway" is enabled under "advanced" tab on peer WebUI site configuration.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top