Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mkirollos
Staff
Staff

Created on ‎10-24-2022 05:15 AM Edited on ‎05-14-2024 05:08 AM By Community Manager

Article Id 227645

Technical Tip: Maximum number of supported IPsec phase 2 traffic selector subnets per a single phase 2 selector

Description

This article describes how after configuring the IPsec tunnel and testing phase 1 and phase 2 are up and the tunnel is passing traffic.

Adding more Phase 2 selector subnets to the same Phase 2 selector, using an address object group, by adding address objects to the same address object group used in Phase 2 in either local or remote subnets, caused the IPsec tunnel to go down.
Scope FortiGate IPsec IKEv1 and IKEv2.
Solution

IKE debug showed the below error 'TS_UNACCEPTABLE'.

Please note output of the debug is truncated and IP addresses are replaced by x.x.x.x and y.y.y.y.

 

ike 0:Test-Spoke:Test-Spoke: IPsec SA connect 17 X.X.X.X->Y.Y.Y.Y:500 negotiating

ike 0:Test-Spoke:3:12806 initiating CREATE_CHILD exchange

ike 0:Test-Spoke:3:Test-Spoke:12806: PFS enabled

ike 0:Test-Spoke:3: enc <TRUNCATED>

ike 0:Test-Spoke:3: out <TRUNCATED>

ike 0:Test-Spoke:3: sent IKE msg (CREATE_CHILD): X.X.X.X:500->Y.Y.Y.Y:500, len=272, id=e405986247f6bb7b/d5d1cb50b6b0f1d5:00000013

ike 0: comes Y.Y.Y.Y:500->X.X.X.X:500,ifindex=17....

ike 0: IKEv2 exchange=CREATE_CHILD_RESPONSE id=e405986247f6bb7b/d5d1cb50b6b0f1d5:00000013 len=80

ike 0: in <TRUNCATED>

ike 0:Test-Spoke:3: dec E405986247F6BB7BD5D1CB50B6B0F1D52E2024200000001300000028290000040000000800000026

ike 0:Test-Spoke:3: received create-child response

ike 0:Test-Spoke:3: initiator received CREATE_CHILD msg

ike 0:Test-Spoke:3:Test-Spoke:12806: found child SA SPI 9a2071f7 state=3

ike 0:Test-Spoke:3: processing notify type TS_UNACCEPTABLE <- error message

 

The maximum number of supported IPsec phase 2 selectors for IKEv1 and IKEv2 is 255 subnets per named selector as of v5.4.1.

 

Usage of named selectors (src-name/ dst-name) is natively supported in IKEv2 because, per protocol design, it is possible to negotiate up to 255 source/destination subnets during a single Child (IPsec) SA negotiation.

 

To resolve this issue it is necessary to perform the following steps:

 

  • Limit the number of addresses to less than 255 address objects in a single phase 2 selector.
  • Create a second phase 2 selector, in the same IPsec tunnel, with the additional address objects as desired in local and/or remote subnets, less than 255 subnets, make sure to configure the same additional phase 2 selector on the remote end of the IPsec tunnel.
  • Refresh the IPsec tunnel and all phase 2 selectors will become up.

 

If none of the above steps are applicable, the message can also be caused by Phase 2 traffic selectors mismatch per RFC 5996:

 

If the responder's policy does not allow it to accept any part of the proposed Traffic Selectors, it responds with a TS_UNACCEPTABLE Notify message.
12188
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.