Description
This article describes a situation where, after an IPsec tunnel has been configured and verified (Phase 1 and Phase 2 are up and the tunnel passes traffic), adding more subnets to the same Phase 2 selector causes the tunnel to go down. The subnets were added by placing additional address objects into the address object group already used as the local or remote subnet of that Phase 2 selector.
Scope
FortiGate IPsec IKEv1 and IKEv2.
Solution
The IKE debug shows the error 'TS_UNACCEPTABLE' below. Note that the debug output is truncated and the IP addresses are replaced by x.x.x.x and y.y.y.y.
ike 0:Test-Spoke:Test-Spoke: IPsec SA connect 17 X.X.X.X->Y.Y.Y.Y:500 negotiating
ike 0:Test-Spoke:3:12806 initiating CREATE_CHILD exchange
ike 0:Test-Spoke:3:Test-Spoke:12806: PFS enabled
ike 0:Test-Spoke:3: enc <TRUNCATED>
ike 0:Test-Spoke:3: out <TRUNCATED>
ike 0:Test-Spoke:3: sent IKE msg (CREATE_CHILD): X.X.X.X:500->Y.Y.Y.Y:500, len=272, id=e405986247f6bb7b/d5d1cb50b6b0f1d5:00000013
ike 0: comes Y.Y.Y.Y:500->X.X.X.X:500,ifindex=17....
ike 0: IKEv2 exchange=CREATE_CHILD_RESPONSE id=e405986247f6bb7b/d5d1cb50b6b0f1d5:00000013 len=80
ike 0: in <TRUNCATED>
ike 0:Test-Spoke:3: dec E405986247F6BB7BD5D1CB50B6B0F1D52E2024200000001300000028290000040000000800000026
ike 0:Test-Spoke:3: received create-child response
ike 0:Test-Spoke:3: initiator received CREATE_CHILD msg
ike 0:Test-Spoke:3:Test-Spoke:12806: found child SA SPI 9a2071f7 state=3
ike 0:Test-Spoke:3: processing notify type TS_UNACCEPTABLE <- error message
The maximum number of supported IPsec phase 2 selectors for IKEv1 and IKEv2 is 255 subnets per named selector as of v5.4.1.
Named selectors (src-name/dst-name) are natively supported in IKEv2 because, by protocol design, up to 255 source/destination subnets can be negotiated during a single Child (IPsec) SA negotiation.
To resolve this issue it is necessary to perform the following steps:
If none of the above steps are applicable, the message can also be caused by a Phase 2 traffic selector mismatch. RFC 5996 states:
If the responder's policy does not allow it to accept any part of the proposed Traffic Selectors, it responds with a TS_UNACCEPTABLE Notify message.
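The following script is an added example, not part of the original article or of any Fortinet tooling. It shows the two checks a troubleshooter would make against the symptoms described above: locating the TS_UNACCEPTABLE notify in IKE debug output and tying it to the CREATE_CHILD message id, checking the size of a named Phase 2 selector against the 255-subnet limit, and narrowing proposed traffic selectors against a responder policy the way RFC 5996 allows, so that an empty result reproduces the condition under which TS_UNACCEPTABLE is sent. The sample debug text is constructed in the style of the output above; its addresses, SPIs and message ids are placeholders.

```python
import re
import ipaddress

# Documented ceiling for a FortiOS named Phase 2 selector (v5.4.1 and later).
MAX_SELECTOR_SUBNETS = 255

# Constructed sample in the style of the article's IKE debug output; the
# addresses, SPIs and message ids are placeholders, not values from a device.
SAMPLE_DEBUG = """\
ike 0:Test-Spoke:Test-Spoke: IPsec SA connect 17 192.0.2.1->198.51.100.1:500 negotiating
ike 0:Test-Spoke:3:12806 initiating CREATE_CHILD exchange
ike 0:Test-Spoke:3: sent IKE msg (CREATE_CHILD): 192.0.2.1:500->198.51.100.1:500, len=272, id=e405986247f6bb7b/d5d1cb50b6b0f1d5:00000013
ike 0: IKEv2 exchange=CREATE_CHILD_RESPONSE id=e405986247f6bb7b/d5d1cb50b6b0f1d5:00000013 len=80
ike 0:Test-Spoke:3: received create-child response
ike 0:Test-Spoke:3:Test-Spoke:12806: found child SA SPI 9a2071f7 state=3
ike 0:Test-Spoke:3: processing notify type TS_UNACCEPTABLE
"""

# "ike <n>:<tunnel>:... processing notify type <NAME>"
NOTIFY_RE = re.compile(r"^ike \d+:(?P<tunnel>[^:]+):.*processing notify type (?P<notify>[A-Z_]+)")
# "id=<initiator SPI>/<responder SPI>:<message id>" as printed on sent/received IKE messages
MSG_ID_RE = re.compile(r"id=[0-9a-f]+/[0-9a-f]+:(?P<msgid>[0-9a-f]{8})")


def find_ts_unacceptable(debug_text):
    """Return (tunnel, message id) for every TS_UNACCEPTABLE notify in the debug text.

    The message id is the last one seen before the notify, which ties the
    rejection to the CREATE_CHILD exchange that carried the traffic selectors.
    """
    hits = []
    last_msgid = None
    for line in debug_text.splitlines():
        m = MSG_ID_RE.search(line)
        if m:
            last_msgid = m.group("msgid")
        n = NOTIFY_RE.match(line)
        if n and n.group("notify") == "TS_UNACCEPTABLE":
            hits.append((n.group("tunnel"), last_msgid))
    return hits


def selector_report(local_subnets, remote_subnets, limit=MAX_SELECTOR_SUBNETS):
    """Check both sides of a named Phase 2 selector against the per-selector subnet limit."""
    local_excess = max(0, len(local_subnets) - limit)
    remote_excess = max(0, len(remote_subnets) - limit)
    return {
        "local": len(local_subnets),
        "remote": len(remote_subnets),
        "local_excess": local_excess,
        "remote_excess": remote_excess,
        "ok": local_excess == 0 and remote_excess == 0,
    }


def narrow(proposed, policy):
    """Narrow proposed traffic selectors against a responder's policy (RFC 5996 section 2.9).

    Two CIDR blocks are either nested or disjoint, so the accepted part of each
    overlapping pair is simply the smaller block. An empty result is the case in
    which the responder answers with TS_UNACCEPTABLE.
    """
    accepted = []
    for p in proposed:
        p_net = ipaddress.ip_network(p, strict=False)
        for q in policy:
            q_net = ipaddress.ip_network(q, strict=False)
            if p_net.version != q_net.version or not p_net.overlaps(q_net):
                continue
            chosen = str(p_net if p_net.subnet_of(q_net) else q_net)
            if chosen not in accepted:
                accepted.append(chosen)
    return accepted


def child_sa_acceptable(proposed_tsi, proposed_tsr, responder_remote, responder_local):
    """Responder-side view of a CREATE_CHILD proposal.

    TSi (the initiator's side of the flow) must overlap the responder's remote
    selector and TSr the responder's local selector; both must narrow to a
    non-empty set for the Child SA to be created, otherwise the result is None.
    """
    tsi = narrow(proposed_tsi, responder_remote)
    tsr = narrow(proposed_tsr, responder_local)
    return (tsi, tsr) if tsi and tsr else None


if __name__ == "__main__":
    print(find_ts_unacceptable(SAMPLE_DEBUG))
    print(selector_report(["10.0.%d.0/24" % i for i in range(256)], ["192.168.1.0/24"]))
    print(child_sa_acceptable(["10.1.0.0/16"], ["192.168.1.0/24"], ["10.1.5.0/24"], ["192.168.1.0/24"]))
    print(child_sa_acceptable(["10.3.0.0/24"], ["192.168.1.0/24"], ["10.1.5.0/24"], ["192.168.1.0/24"]))
```

In practice the debug text would come from `diagnose debug application ike -1` output saved from the FortiGate, and the subnet lists from the members of the address groups referenced by src-name and dst-name; an address group that has grown past 255 members shows up in `selector_report` with a non-zero excess, while a genuine policy mismatch shows up as `child_sa_acceptable` returning None even though both sides are within the limit.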
Copyright 2025 Fortinet, Inc. All Rights Reserved.