BOVPN to Azure, Received unacceptable traffic selector in CREATE_CHILD_SA request.

Hi,
I have setup a BOVPN from my M370 to Azure.
For some reason the tunnel gives me this error after trying to change it to Active after it has been inactive during the night.
""
IKEv2 CREATE_CHILD_SA exchange from xx.xx.xx.x:500 to xx.xx.xx.x:500 failed. Gateway-Endpoint:'aaa.azure.bbb.com'. Reason:Received unacceptable traffic selector in CREATE_CHILD_SA request.
""
If I just rekey the tunnel manually it goes up instantly without a problem.
This only occure afte the tunnel has been taken down because on no traffic for a longer period.
I have verified that both endpoints have to same setup. I have also tested different kinds of phase 1 and phase 2 to see if it makes any different, but it gives me the same result.
Anyone have a clue to why this happends?
I saw that WG prefer to setup a virtual interface instead of BOVPN, but I have not tried that yet.
Greatful for all tips and tricks about me problem.

//Pelle

Best Answer

  • james.carsonjames.carson Moderator, WatchGuard Representative
    Answer ✓

    You should set up a BOVPN Virtual interface. The firebox is expecting a specific route when the tunnel rekeys, and via a VIF (which is effectively what the distant end is using) the tunnel will be 0.0.0.0/0, which won't match what's in your standard BOVPN.

    The manual rekey works from the firebox itself because AWS accepts any route.

    -James Carson
    WatchGuard Customer Support

Answers

  • You could set up a periodic Ping down the tunnel to keep it up.

    There are many tools which can do this.

    In the past, I used Servers Alive to monitor my BOVPNs and other endpoints of interest , and to generate e-mails when they were down.
    https://www.woodstone.nu/salive/

  • Thanks a lot @james.carson
    I though I hade setup the VPN Gateway in Azure as policy_based, but it turned out to be route_based. Thats good, because I where able to replace the tunnel with your suggestion with rebuild the endpoint in Azure. I have not lost a ping since that. 👍

  • Hello,

    i have the same error. I have a Watchguard onprem and a Azure VPN Gateway. I configured the Azure VPN Gateway route-based. The tunnel seems to be active, until i send traffic.
    I am using already the virtual interface.

    Thank you
    Dennis

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @DennisL
    Are you getting any errors in traffic monitor related to the tunnel?
    If the tunnel shows as up, it means that is has negotiated as such with Azure-- the most common issue we run into is that Azure is not set up to handle that traffic.

    If you're unsure, I'd suggest creating a support case so one of our reps can look at your logs with you and help see what might be wrong.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.