Marco Berizzi
2018-09-05 16:17:06 UTC
I have successfully established an ipsec IKEv2 tunnel
with a fortigate 1200D/FortiOS v5.2.4
It is the first device where I'm able to get multiple
pairs of selectors per CHILD_SA.
The tricky thing to pay attention to is the comma-separated
list sequence in the remote_ts parameter.
For example, this sequence was rejected by the remote
peer:
remote_ts = 192.168.32.0/24,10.20.29.75/32
with the following error message:
[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
[IKE] failed to establish CHILD_SA, keeping IKE_SA
Instead, the following one was working:
remote_ts = 10.20.29.75/32,192.168.32.0/24
Is this the expected behavior per the RFC?
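Added example, not part of the original post and not strongSwan or FortiOS code: a small Python model of what the two remote_ts orderings above look like on the wire and how an RFC 7296 responder is supposed to treat them. It encodes each comma-separated list as the body of an IKEv2 Traffic Selector payload (RFC 7296 section 3.13, TS_IPV4_ADDR_RANGE selectors), decodes it back, and applies the narrowing rule of section 2.9: the responder intersects each proposed selector with its own policy and answers TS_UNACCEPTABLE only when nothing intersects. The responder policy used here (10.20.29.0/24 and 192.168.32.0/24) is a hypothetical stand-in for whatever the FortiGate phase 2 selectors were; it is not taken from the post. Under the RFC rule the order of the selectors changes only the order of the result, not whether it is accepted, which is the point of comparison for the behavior observed above.

```python
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7   # RFC 7296 section 3.13.1, TS Type value
IPPROTO_ANY = 0          # IP protocol ID 0 means "any protocol"
TS_UNACCEPTABLE = "TS_UNACCEPTABLE"

# Selector lists copied from the post above (the rejected and the accepted order).
REJECTED_ORDER = "192.168.32.0/24,10.20.29.75/32"
ACCEPTED_ORDER = "10.20.29.75/32,192.168.32.0/24"
# Hypothetical responder policy (assumption for this example, not the real FortiGate config).
RESPONDER_POLICY = "10.20.29.0/24,192.168.32.0/24"


def parse_ts_list(value):
    """Turn a swanctl-style comma-separated selector string into IPv4 networks."""
    return [ipaddress.ip_network(s.strip()) for s in value.split(",")]


def encode_ts_payload(networks):
    """Encode networks as a TS payload body: count(1) + 3 reserved bytes,
    then one 16-byte TS_IPV4_ADDR_RANGE selector per network
    (type, proto, length, start port, end port, start addr, end addr)."""
    body = struct.pack("!B3x", len(networks))
    for net in networks:
        if net.version != 4:
            raise ValueError("this example only encodes IPv4 selectors")
        start = int(net.network_address).to_bytes(4, "big")
        end = int(net.broadcast_address).to_bytes(4, "big")
        body += struct.pack("!BBHHH4s4s", TS_IPV4_ADDR_RANGE, IPPROTO_ANY, 16,
                            0, 65535, start, end)
    return body


def decode_ts_payload(body):
    """Decode a TS payload body into (start, end) integer address ranges."""
    count = body[0]
    offset, ranges = 4, []
    for _ in range(count):
        ts_type, _proto, length, _sport, _eport = struct.unpack_from("!BBHHH", body, offset)
        if ts_type != TS_IPV4_ADDR_RANGE or length != 16:
            raise ValueError("unsupported selector type or length")
        start = int.from_bytes(body[offset + 8:offset + 12], "big")
        end = int.from_bytes(body[offset + 12:offset + 16], "big")
        ranges.append((start, end))
        offset += length
    return ranges


def narrow(proposed, policy):
    """RFC 7296 section 2.9 narrowing: keep the intersection of every proposed
    range with every policy range; an empty result means TS_UNACCEPTABLE."""
    chosen = []
    for p_start, p_end in proposed:
        for q_start, q_end in policy:
            start, end = max(p_start, q_start), min(p_end, q_end)
            if start <= end:
                chosen.append((start, end))
    return chosen or None


def ranges_to_cidrs(ranges):
    """Render integer address ranges back as CIDR strings for readability."""
    out = []
    for start, end in ranges:
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        out.extend(str(n) for n in ipaddress.summarize_address_range(first, last))
    return out


def responder_decision(remote_ts, policy_ts):
    """Simulate the responder: decode what the initiator sent, narrow against
    policy, return the selected CIDRs or the TS_UNACCEPTABLE notify name."""
    proposed = decode_ts_payload(encode_ts_payload(parse_ts_list(remote_ts)))
    policy = decode_ts_payload(encode_ts_payload(parse_ts_list(policy_ts)))
    selected = narrow(proposed, policy)
    return TS_UNACCEPTABLE if selected is None else ranges_to_cidrs(selected)


if __name__ == "__main__":
    for label, order in (("rejected", REJECTED_ORDER), ("accepted", ACCEPTED_ORDER)):
        body = encode_ts_payload(parse_ts_list(order))
        print(f"{label} order: {len(body)} byte TS body, hex {body.hex()}")
        print(f"  RFC narrowing result: {responder_decision(order, RESPONDER_POLICY)}")
    print("disjoint policy:", responder_decision(REJECTED_ORDER, "172.16.0.0/12"))
```

Running it shows that both orderings produce a 36-byte payload containing the same two selectors, differing only in sequence, and that a responder following the RFC narrowing rule accepts both. The RFC does let a responder narrow to a subset of what was proposed, including just the first selector, which is why the first entry is conventionally the most specific one (the address pair of the packet that triggered the exchange); a peer that refuses the whole proposal based on order goes beyond what section 2.9 describes.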