BOVPN VIF from cloud managed to locally managed firebox
Hello,
I am struggling to establish a connection between a cloud-based firebox and a locally managed one. My logs are:
25-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)******** RECV an IKE packet at XXX.XXX.XXX.94:500(socket=14 ifIndex=4) from Peer XXX.XXX.XXX.86:500 ********
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)Received IKEv2 "CREATE_CHILD_SA response" message with message-ID:11 length:480 SPI[i=003f59e5ac1aa8e7 r=721e0c1074f400c6]
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)"CREATE_CHILD_SA response" message has 1 payloads [ ENCR(sz=452)]
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)Got IKE policy 'BovpnVif.1' from ikeSA(0x21d7f278)
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)"CREATE_CHILD_SA response" message has 5 payloads [ SA(sz=52) NONCE(sz=36) KE(sz=264) TSi(sz=24) TSr(sz=24)]
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)IKEv2 "CREATE_CHILD_SA response"'s decrypted message contains 5 payloads [ SA(sz=52) NONCE(sz=36) KE(sz=264) TSi(sz=24) TSr(sz=24)]
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)dispatch the received CREATE_CHILD_SA response message - IkeSA(0x21d7f278)'s state=MATURE
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)Peer proposed selector[1/1]: from[0-255.255.255.255/0-65535] <-> to[0-255.255.255.255/0-65535], proto=47
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)BVPN-VIF: bvpn interface enabled. use IP(XXX.XXX.XXX.94) as local to match IP in received selector (0)
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)IKEv2 CREATE_CHILD_SA exchange from XXX.XXX.XXX.86:500 to XXX.XXX.XXX.94:500 failed. Gateway-Endpoint='BovpnVif.1'. Reason=Received unacceptable traffic selector in CREATE_CHILD_SA response.
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)delete childState(0x21d82988) and free SPI nodes
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)childState(0x21d82988) state change: EXCHANGING ==> DEL, reason: "Free the Child State"
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)stop the retry object(0x21d59b88) for the previous request message(name=CREATE_CHILD_SA request, msgId=11)
2025-08-03 01:00:21 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)******** RECV an IKE packet at XXX.XXX.XXX.94:500(socket=14 ifIndex=4) from Peer XXX.XXX.XXX.86:500 ********
2025-08-03 01:00:21 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)Received IKEv2 "INFO request" message with message-ID:13 length:80 SPI[i=003f59e5ac1aa8e7 r=721e0c1074f400c6]
I understand that the error is initiated by the cloud-based FB here:
2025-08-03 01:00:11 iked (XXX.XXX.XXX.94<->XXX.XXX.XXX.86)Peer proposed selector[1/1]: from[0-255.255.255.255/0-65535] <-> to[0-255.255.255.255/0-65535], proto=47
but I do not understand where to fix this. My networks for the VIF are 192.168.21.0/24 on the locally managed and 192.168.61.0/24 on the cloud managed FB. I triple checked that phase 2 is identical on both machines.
Any help is highly appreciated!
Thanks
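The line that matters in the log above is the "Peer proposed selector" entry, which the firebox then rejects as an unacceptable traffic selector. The following is an added example (not code from the original post or from WatchGuard) that parses iked lines of this shape, pairs each CREATE_CHILD_SA failure with the selectors the peer proposed, and expands the address ranges into CIDR prefixes so they can be compared against the configured VIF networks. The sample log is constructed from the quoted lines with the public addresses replaced by documentation-range placeholders; the regular expressions are written against that exact layout and are an assumption about the log format, not a WatchGuard specification.

```python
import ipaddress
import re

# Constructed sample, modelled on the iked lines quoted in the post; public
# addresses replaced with RFC 5737 documentation-range placeholders.
SAMPLE_LOG = """\
2025-08-03 01:00:11 iked (203.0.113.94<->203.0.113.86)Got IKE policy 'BovpnVif.1' from ikeSA(0x21d7f278)
2025-08-03 01:00:11 iked (203.0.113.94<->203.0.113.86)Peer proposed selector[1/1]: from[0-255.255.255.255/0-65535] <-> to[0-255.255.255.255/0-65535], proto=47
2025-08-03 01:00:11 iked (203.0.113.94<->203.0.113.86)IKEv2 CREATE_CHILD_SA exchange from 203.0.113.86:500 to 203.0.113.94:500 failed. Gateway-Endpoint='BovpnVif.1'. Reason=Received unacceptable traffic selector in CREATE_CHILD_SA response.
2025-08-03 01:00:21 iked (203.0.113.94<->203.0.113.86)Received IKEv2 "INFO request" message with message-ID:13 length:80 SPI[i=003f59e5ac1aa8e7 r=721e0c1074f400c6]
"""

# Layout assumed from the quoted lines: from[lo-hi/plo-phi] <-> to[lo-hi/plo-phi], proto=N
SELECTOR_RE = re.compile(
    r"Peer proposed selector\[(\d+)/(\d+)\]: "
    r"from\[([\d.]+)-([\d.]+)/(\d+)-(\d+)\] <-> to\[([\d.]+)-([\d.]+)/(\d+)-(\d+)\], proto=(\d+)"
)
FAIL_RE = re.compile(
    r"CREATE_CHILD_SA exchange from ([\d.]+):\d+ to ([\d.]+):\d+ failed\. "
    r"Gateway-Endpoint='([^']+)'\. Reason=(.+?)\.?$"
)


def _addr(text):
    """iked prints 0.0.0.0 as a bare '0'; accept both spellings."""
    return ipaddress.ip_address(text if "." in text else int(text))


def range_to_cidrs(lo, hi):
    """A traffic selector is an address range, not a prefix; collapse it to CIDR blocks."""
    return [str(n) for n in ipaddress.summarize_address_range(_addr(lo), _addr(hi))]


def parse_selector(line):
    m = SELECTOR_RE.search(line)
    if not m:
        return None
    idx, total, flo, fhi, fplo, fphi, tlo, thi, tplo, tphi, proto = m.groups()
    return {
        "index": int(idx), "count": int(total),
        "from": range_to_cidrs(flo, fhi), "from_ports": (int(fplo), int(fphi)),
        "to": range_to_cidrs(tlo, thi), "to_ports": (int(tplo), int(tphi)),
        "proto": int(proto),
    }


def parse_failure(line):
    m = FAIL_RE.search(line)
    if not m:
        return None
    peer, local, gateway, reason = m.groups()
    return {"peer": peer, "local": local, "gateway": gateway, "reason": reason}


def is_any_to_any(sel):
    """True when the peer proposed the whole IPv4 space on both sides (a tunnel-interface style TS)."""
    return sel["from"] == ["0.0.0.0/0"] and sel["to"] == ["0.0.0.0/0"]


def triage_ike(log_text):
    """Pair every CREATE_CHILD_SA failure with the selectors the peer proposed just before it."""
    pending, failures = [], []
    for line in log_text.splitlines():
        sel = parse_selector(line)
        if sel:
            pending.append(sel)
            continue
        fail = parse_failure(line)
        if fail:
            fail["proposed"] = pending
            failures.append(fail)
            pending = []
    return failures


if __name__ == "__main__":
    for f in triage_ike(SAMPLE_LOG):
        print(f"{f['gateway']}: {f['reason']} (peer {f['peer']} -> local {f['local']})")
        for s in f["proposed"]:
            flag = " [any-to-any]" if is_any_to_any(s) else ""
            print(f"  peer proposed {s['from']} <-> {s['to']} proto={s['proto']}{flag}")
```

Running this over the quoted log shows that the peer offered 0.0.0.0/0 to 0.0.0.0/0 for IP protocol 47 rather than the 192.168.21.0/24 and 192.168.61.0/24 networks, which is what to compare against each side's BOVPN virtual interface settings.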
Comments
Hi @Leonid
The log here isn't telling me much aside from
Received unacceptable traffic selector in CREATE_CHILD_SA response.
The SA is established in phase 2, so that's likely where the issue is.
If you're using IKEv2, you may be using the IKEv2 shared settings. If your listed settings are the same, that'd be my guess as to what's happening.
See:
(Configure IKEv2 Shared Settings)
https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/bovpn/manual/ikev2_shared_settings_about_c.html
If you haven't already done so, creating a support case will allow one of our support reps to assist.
-James Carson
WatchGuard Customer Support
Hi @james.carson, thank you for the reply. I checked the settings again and found that my locally managed firebox had the "another firebox" setting instead of "Cloud managed or third-party" on the VIF interface. Now the VIF is up and running!
Meanwhile, I am now getting this error:
Deny 192.168.21.11 XXX.XXX.XXX.139 33450/udp 47173 33450 VIF Firebox ip spoofing sites 40 5 (Internal Policy)
where 192.168.21.11 is an IP from the locally managed FB and XXX.XXX.XXX.139 is a site I am trying to reach via the VIF and the cloud managed one.
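An "ip spoofing sites" deny means the firebox saw a source address on an interface where its configuration does not expect that address. The block below is an added example (not code from the original post or from WatchGuard) that parses traffic-log lines in the layout quoted above and, for each spoofing deny, reports which configured interface actually owns the source network. The sample lines are constructed (the public address is a documentation-range placeholder), and the interface-to-network map is a hypothetical assumption for the example; in practice it must be filled in from the box's own interface and VIF route configuration.

```python
import ipaddress
import re

# Constructed sample lines in the traffic-log layout quoted in the post:
# action src dst dstport/proto srcport dstport src_if dst_if message (policy)
SAMPLE_LOG = """\
Deny 192.168.21.11 198.51.100.139 33450/udp 47173 33450 VIF Firebox ip spoofing sites 40 5 (Internal Policy)
Allow 192.168.21.11 198.51.100.139 443/tcp 51010 443 1-Trusted VIF Allowed 60 64 (BOVPN-Allow.out-00)
Deny 10.9.9.9 198.51.100.139 53/udp 40000 53 VIF Firebox ip spoofing sites 40 5 (Internal Policy)
"""

# Assumed layout; field order taken from the quoted line, not from a WatchGuard specification.
TRAFFIC_RE = re.compile(
    r"^(?P<action>Allow|Deny)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<dport>\d+)/(?P<proto>\w+)\s+(?P<sport>\d+)\s+\d+\s+"
    r"(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+(?P<msg>.*?)\s*\((?P<policy>[^)]+)\)\s*$"
)

# Hypothetical interface-to-network map (an assumption for this example, not the poster's
# config): the local LAN behind a trusted interface, the far-side LAN reachable through the VIF.
INTERFACE_NETWORKS = {
    "1-Trusted": ["192.168.21.0/24"],
    "VIF": ["192.168.61.0/24"],
}


def parse_traffic(line):
    m = TRAFFIC_RE.match(line.strip())
    return m.groupdict() if m else None


def owning_interfaces(src, iface_nets):
    """Interfaces whose configured networks contain the source address."""
    addr = ipaddress.ip_address(src)
    return sorted(name for name, nets in iface_nets.items()
                  if any(addr in ipaddress.ip_network(n) for n in nets))


def explain_spoof(entry, iface_nets):
    """For an 'ip spoofing' deny, state where the source address is actually expected."""
    if "spoofing" not in entry["msg"]:
        return None
    expected = owning_interfaces(entry["src"], iface_nets)
    if entry["src_if"] in expected:
        verdict = "consistent with this map; look for the same network defined elsewhere"
    elif expected:
        verdict = f"source belongs to {', '.join(expected)}, not {entry['src_if']}"
    else:
        verdict = "no interface or tunnel route claims this source network"
    return {
        "src": entry["src"],
        "arrived_on": entry["src_if"],
        "expected_on": expected,
        "verdict": verdict,
    }


def triage_spoof(log_text, iface_nets=INTERFACE_NETWORKS):
    """Collect an explanation for every spoofing deny in the log."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_traffic(line)
        if entry and entry["action"] == "Deny":
            why = explain_spoof(entry, iface_nets)
            if why:
                findings.append(why)
    return findings


if __name__ == "__main__":
    for f in triage_spoof(SAMPLE_LOG):
        print(f"{f['src']} on {f['arrived_on']}: {f['verdict']}")
```

With the assumed map, the quoted deny resolves to "source belongs to 1-Trusted, not VIF", which is the situation James describes: the packet's source network is bound to a different interface than the one it arrived on.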
Do you have 192.168.21.x defined anywhere else in your config?
Spoofing means that the source IP addr (192.168.21.11) is not expected to be seen on the interface that it came from (VIF).
No, I do not. I tried to assign 192.168.21.1/24 on the Cloud one to trick it into believing it is legit, but that failed. So no, only one interface with 192.168.21.x.
Spoofing means the firewall received traffic from an IP on an interface that it was not expecting. The source IP for that traffic likely doesn't match the subnet of that interface.
-James Carson
WatchGuard Customer Support
Time for a support case…
Yes, well, I'm already there, just not too much feedback from the WG side. Probably the weekend…