https://community.sophos.com/sophos-xg-firewall/f/discussions/141453/ipsec-strongswan-creating-child_sa-failed-in-logsHello, I have IPSec site to site tunnel and I need to troubleshoot why at some point tunnel goes down and or traffic stops flowing. What means this part of log. At the moment tunnel is up and traffic is flowing. Other side has Fortinet firewall, myen-USTelligent Community 12https://community.sophos.com/thread/526508?ContentTypeID=1Tue, 25 Jul 2023 08:47:36 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:f9bfaa5c-e82b-41ed-b8c7-6b16cbe3f61cSreenivasulu Naidu<p>&nbsp;<a href="/members/carlo-v">Carlo</a>&nbsp;By default, route based IPsec VPN on SFOS chose &#39;dual&#39; stack, you can chose to have ipv4 only; probably you do not have ipv6 traffic selectors configured on Fortinet side, causing&nbsp;TS_UNACCEPTABLE, which is fine as SFOS side is not able to create IPv6 child SA and hence you are seeing this message. This is safe to ignore or you can keep ip version as ipv4 only.</p> <p>On Fortinet side, you would have probably used IPv4 subnets or Range for traffic selectors. This will narrow down the traffic selectors on SFOS side.&nbsp;</p><div style="clear:both;"></div>https://community.sophos.com/thread/526495?ContentTypeID=1Tue, 25 Jul 2023 06:38:45 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:5328286f-dd5f-4976-810e-e7cee89d330aCarlo<p>Hello. Thanks but it is route based vpn without subnets configured on profile ipsec connection. When you create tunnel interface by default is selected ip version &quot;dual&quot; and fields for entering subnets are disabled. I have sd-wan route that works.</p> <p></p> <p>And in that moment ipsec statusall</p> <p>Security Associations (2 up, 0 connecting):</p> <p>NAME-1{775}:&nbsp; &nbsp;10.xxx.xxx.xxx/32 === 10.xxx.xxx.xxx/32 10.xxx.xxx.xxx/32</p><div style="clear:both;"></div>https://community.sophos.com/thread/526447?ContentTypeID=1Mon, 24 Jul 2023 14:37:51 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:bcd830f6-f8b3-4f1a-8a85-20b7530350fdGiridhar Katti<p>The SA creation is failing because of incorrect traffic selectors and retry is happening every 60 secs. The below error log says it</p> <p>2023-07-24 08:06:55Z 24[IKE] &lt;NAME-1|41&gt; creating CHILD_SA failed, trying again in 67 seconds</p> <p>Maybe you need to check the traffic selector&nbsp;config in the ipsec profile.</p><div style="clear:both;"></div>https://community.sophos.com/thread/526428?ContentTypeID=1Mon, 24 Jul 2023 12:29:50 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:7ec04b05-4e9a-4380-9052-abfd05a092d1LuCar Toni<p>SFOS uses Strongswan. You can check the Strongswan Community for more insights:&nbsp;<a id="" href="https://wiki.strongswan.org/issues/2833">https://wiki.strongswan.org/issues/2833</a>&nbsp;</p> <p>tldr: seems to be a config issue.&nbsp;</p><div style="clear:both;"></div>https://community.sophos.com/thread/526414?ContentTypeID=1Mon, 24 Jul 2023 09:46:14 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:88498c44-abbc-40ac-8a70-15523da4dba8Carlo<p>This post is not about guessing what is wrong.&nbsp;</p> <p>I want to understand what this means</p> <p>2023-07-24 08:08:02Z 31[ENC] &lt;NAME-1|41&gt; parsed CREATE_CHILD_SA response 33 [ N(TS_UNACCEPT) ]<br />2023-07-24 08:08:02Z 31[IKE] &lt;NAME-1|41&gt; received TS_UNACCEPTABLE notify, no CHILD_SA built<br />2023-07-24 08:08:02Z 31[IKE] &lt;NAME-1|41&gt; creating CHILD_SA failed, trying again in 62 seconds</p> <p></p> <p>And why I am getting this every 60 sec even when tunnel is up and working</p><div style="clear:both;"></div>https://community.sophos.com/thread/526410?ContentTypeID=1Mon, 24 Jul 2023 09:12:53 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:a675eb31-ad94-413c-a52d-1bdb148a6cc0Bharat J<h2 id="tunnel-established-but-traffic-stops-later"></h2> <p><span>Sophos Firewall only supports time-based rekeying.</span>IPsec connection is established between a Sophos Firewall device and a third-party firewall. Traffic stops flowing after some time or getting logs as shared.</p> <ol> <li>Sign in to the CLI and click<span>&nbsp;</span><strong>5</strong><span>&nbsp;</span>for<span>&nbsp;</span><strong>Device management</strong><span>&nbsp;</span>and then click<span>&nbsp;</span><strong>3</strong><span>&nbsp;</span>for<span>&nbsp;</span><strong>Advanced shell</strong>.</li> <li> <p>Enter the following command:<span>&nbsp;</span><code>ipsec statusall</code></p> <p>The output shows that IPSec SAs have been established.</p> </li> <li> <p>Enter the following command:<span>&nbsp;</span><code>ip xfrm state</code></p> <p>The output shows the transform sets for the VPN exist, that is, the SAs match.</p> </li> <li> <p>To prevent key exchange collisions, follow these guidelines:</p> <ul> <li>Set the initiator&#39;s phase 1 and phase 2 key life values lower than the responder&#39;s.</li> <li>Set the phase 2 key life lower than the phase 1 value in both firewalls.</li> </ul> <p>Example values are as follows:</p> <div> <div> <table> <thead> <tr> <th><strong>Key life</strong></th> <th><strong>Firewall 1</strong></th> <th><strong>Firewall 2</strong></th> </tr> </thead> <tbody> <tr> <td><strong>Phase 1</strong></td> <td>12600 seconds</td> <td>10800 seconds</td> </tr> <tr> <td><strong>Phase 2</strong></td> <td>5400 seconds</td> <td>3600 seconds</td> </tr> </tbody> </table> </div> </div> </li> <li> <p>Sophos Firewall only supports time-based rekeying. If you configured traffic-based rekeying on the third-party remote firewall, change it to time-based rekeying.</p> </li> </ol> <p>Please add local-id and remote-id on the IPsec VPN tunnel on both sides as agreed.</p> <p>Regards</p><div style="clear:both;"></div>https://community.sophos.com/thread/526405?ContentTypeID=1Mon, 24 Jul 2023 08:51:39 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:6988943f-f124-4560-a4aa-66a485995b25Carlo<pre id="tw-target-text" dir="ltr" data-placeholder="Prijevod"><span lang="en">Perhaps it is worth mentioning that the tunnel is up, traffic is flowing, it just gets re-keyed again. Then why do I see it in the logs.</span></pre><div style="clear:both;"></div>https://community.sophos.com/thread/526398?ContentTypeID=1Mon, 24 Jul 2023 08:28:03 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:2e85da06-6667-41ce-aaa8-e9677162ee8bCarlo<p>Not really. I asked what does this line mean&nbsp;</p> <p></p> <p><pre class="ui-code" data-mode="text">creating CHILD_SA failed</pre></p><div style="clear:both;"></div>https://community.sophos.com/thread/526395?ContentTypeID=1Mon, 24 Jul 2023 08:23:30 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:2142ab1e-dac6-4884-ad42-0b56ff81cc01Bharat J<p>Hi Carlo</p> <p>Hope below link might help to fix the issue&nbsp;</p> <p><a href="https://support.sophos.com/support/s/article/KB-000038566?language=en_US">Sophos Firewall: IPsec troubleshooting and most common errors</a></p> <p>Regards</p><div style="clear:both;"></div>