BOVPN to Mikrotik Router - CREATE_CHILD_SA request error

Hey Guys,

we are planning to give out some IP phones to our colleagues for their homeoffice setup. The IP phones don't support a direct VPN connection. Because of that we are planning to use mikrotik routers (cheap and reliable) as a vpn router. Our Watchguard cluster in our office is a cluster of two M390´s which are connected through a 1GBit fibre connection from Versatel (Germany). I set up the BOVPN Tunnel on both sites with these instructions:


but i get the following error message on the Watchguard Firewall:

<155>May 20 11:00:57 iked[22882]: msg_id="021A-0011" (watchguard<->mikrotik)IKEv2 CREATE_CHILD_SA exchange from mikrotik:44066 to watchguard:4500 failed. Gateway-Endpoint='gateway.1'. Reason=Received unacceptable traffic selector in CREATE_CHILD_SA request.

The remote setup with the mikrotik is the following:

[watchguard]--[versatel]--[internet]--[vodafone]--[FritzBox]--[mikrotik vpn gateway]--[Switch]--...

Vodafone Germany is currently not giving out a private dynamic IPv4 Adresses to their customers. Vodafone Germany is using a DS Lite tunnel, so its like cgnat.Could that be a problem? Is anyone using the same setup with a mikrotik router or had the same issue?

Thanks in advance.

Many greetings from the country



  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    hI @yzimmer
    If the VPN is set up to use a dynamic IP address, this shouldn't keep the VPN from standing up.

    This type of issue might be best for a support case -- If you haven't done so already, I'd suggest opening a support case using the support center link at the top right of this page.

    If you do so, please include:
    -The config of the VPN on the WatchGuard side (or enable support access.)
    -A screenshot or description of the VPN settings on the remote client routers.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.