IPSEC issue failed to establish CHILD_SA, with RUTM50

kwabena35 · February 7, 2025, 7:07pm

We created a tunnel and confirm it is live, but when configure RUTM50 this is the log we receive:
27796 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 07[IKE] <ClarkRD3|1> initiating IKE_SA ClarkRD3[1] to 69.211.227.65
27797 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 07[CFG] <ClarkRD3|1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
27798 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 07[CFG] <ClarkRD3|1> sending supported signature hash algorithms: sha256 sha384 sha512 identity
27799 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 07[ENC] <ClarkRD3|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
27800 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 07[NET] <ClarkRD3|1> sending packet: from 107.91.73.100[500] to 69.211.227.65[500] (1112 bytes)
27805 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 14[NET] <ClarkRD3|1> received packet: from 69.211.227.65[500] to 107.91.73.100[500] (679 bytes)
27806 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 14[ENC] <ClarkRD3|1> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
27807 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 14[IKE] <ClarkRD3|1> received Cisco Delete Reason vendor ID
27808 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 14[IKE] <ClarkRD3|1> received Cisco Copyright (c) 2009 vendor ID
27809 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 14[IKE] <ClarkRD3|1> received FRAGMENTATION vendor ID
27810 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 14[CFG] <ClarkRD3|1> selecting proposal:
27811 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 14[CFG] <ClarkRD3|1> proposal matches
27812 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 14[CFG] <ClarkRD3|1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
27813 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 14[CFG] <ClarkRD3|1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
27814 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 14[CFG] <ClarkRD3|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
27815 Fri Feb 7 12:09:22 2025 daemon.info ipsec: 14[IKE] <ClarkRD3|1> received 5 cert requests for an unknown ca
27816 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 14[IKE] <ClarkRD3|1> authentication of ‘107.91.73.100’ (myself) with pre-shared key
27817 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 14[CFG] <ClarkRD3|1> proposing traffic selectors for us:
27818 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 14[CFG] <ClarkRD3|1> 10.0.16.0/24
27819 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 14[CFG] <ClarkRD3|1> proposing traffic selectors for other:
27820 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 14[CFG] <ClarkRD3|1> 192.168.250.0/24
27821 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 14[CFG] <ClarkRD3|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
27822 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 14[IKE] <ClarkRD3|1> establishing CHILD_SA ClarkRD3_c_0{1}
27823 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 14[ENC] <ClarkRD3|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
27824 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 14[NET] <ClarkRD3|1> sending packet: from 107.91.73.100[4500] to 69.211.227.65[4500] (352 bytes)
27825 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 05[NET] <ClarkRD3|1> received packet: from 69.211.227.65[4500] to 107.91.73.100[4500] (208 bytes)
27826 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 05[ENC] <ClarkRD3|1> parsed IKE_AUTH response 1 [ V IDr AUTH N(TS_UNACCEPT) ]
27827 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 05[IKE] <ClarkRD3|1> authentication of ‘69.211.227.65’ with pre-shared key successful
27828 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 05[IKE] <ClarkRD3|1> IKE_SA ClarkRD3[1] established between 107.91.73.100[107.91.73.100]…69.211.227.65[69.211.227.65]
27829 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 05[IKE] <ClarkRD3|1> scheduling rekeying in 2918s
27830 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 05[IKE] <ClarkRD3|1> maximum IKE_SA lifetime 3218s
27831 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 05[IKE] <ClarkRD3|1> received TS_UNACCEPTABLE notify, no CHILD_SA built
27832 Fri Feb 7 12:09:23 2025 daemon.info ipsec: 05[IKE] <ClarkRD3|1> failed to establish CHILD_SA, keeping IKE_SA
has context menu

Martynas · March 25, 2025, 10:50am

Hello,

Thank you for reaching out, and apologies for a delayed response.

Could you please confirm whether the initial issue still persists? If so, could you verify if the remote subnet on your RUTM50 IPsec settigns is configured correctly?

Additionally, I would recommend double-checking the following:

PSK (Pre-Shared Key) – ensure it matches on both ends of the connection.
IKE Versions – Your logs show that IKEv2 is in use. Make sure that IKEv2 is configured on both ends, as mismatched versions could cause issues.
Phase 2 Encryption Settings – From the logs, I see AES256/SHA512 is configured. Please verify that these settings match on both ends.

For further troubleshooting, I recommend reviewing this IPsec configuration example between RUT and Cisco devices: Setting up an IPsec tunnel between RUTX and Cisco device. This guide may provide additional insights into your configuration.

Please feel free to share any updates.

Best regards,