|
IKE debug showed the below error 'TS_UNACCEPABLE'.
Please note output of the debug is truncated and IP addresses are replaced by x.x.x.x and y.y.y.y.
ike 0:Test-Spoke:Test-Spoke: IPsec SA connect 17 X.X.X.X->Y.Y.Y.Y:500 negotiating
ike 0:Test-Spoke:3:12806 initiating CREATE_CHILD exchange
ike 0:Test-Spoke:3:Test-Spoke:12806: PFS enabled
ike 0:Test-Spoke:3: enc <TRUNCATED>
ike 0:Test-Spoke:3: out <TRUNCATED>
ike 0:Test-Spoke:3: sent IKE msg (CREATE_CHILD): X.X.X.X:500->Y.Y.Y.Y:500, len=272, id=e405986247f6bb7b/d5d1cb50b6b0f1d5:00000013
ike 0: comes Y.Y.Y.Y:500->X.X.X.X:500,ifindex=17....
ike 0: IKEv2 exchange=CREATE_CHILD_RESPONSE id=e405986247f6bb7b/d5d1cb50b6b0f1d5:00000013 len=80
ike 0: in <TRUNCATED>
ike 0:Test-Spoke:3: dec E405986247F6BB7BD5D1CB50B6B0F1D52E2024200000001300000028290000040000000800000026
ike 0:Test-Spoke:3: received create-child response
ike 0:Test-Spoke:3: initiator received CREATE_CHILD msg
ike 0:Test-Spoke:3:Test-Spoke:12806: found child SA SPI 9a2071f7 state=3
ike 0:Test-Spoke:3: processing notify type TS_UNACCEPTABLE <- error message
The maximum number of supported IPsec phase 2 selectors for IKEv1 and IKEv2 is 255 subnets per named selector as of FortiOS 5.4.1.
Usage of named selectors (src-name/ dst-name) is natively supported in IKEv2 because, per protocol design, it is possible to negotiate up to 255 source/destination subnets during a single Child (IPsec) SA negotiation.
To resolve this issue it is necessary to perform the below steps:
- Limit the number of addresses to less than 255 address objects in a single phase 2 selector.
- Create a second phase 2 selector, in the same IPsec tunnel, with the additional address objects as desired in local and/or remote subnets, less than 255 subnets, make sure to configure the same additional phase 2 selector on the remote end of the IPsec tunnel.
- Refresh the IPsec tunnel and all phase 2 selectors will become up.
|
