I have configured an IPsec tunnel on OPNsense (new connection method). One subnet pair is working fine, but the second subnet cannot establish.
✅ Working:
192.168.100.0/24 === 192.168.27.0/24
❌ Not Working:
192.168.200.0/24 === 192.168.27.0/24
Log Output:
2025-09-20T07:57:40 charon 11[NET] <697fa25f...|2> received packet: from 95.143.207.190[4500] to 158.220.108.82[4500] (96 bytes)
2025-09-20T07:57:40 charon 11[NET] <9f5f81c2...|3> sending packet: from 158.220.108.82[4500] to 103.109.238.119[4500] (80 bytes)
2025-09-20T07:57:40 charon 11[ENC] <9f5f81c2...|3> generating CREATE_CHILD_SA response 9 [ N(TS_UNACCEPT) ]
2025-09-20T07:57:40 charon 11[IKE] <9f5f81c2...|3> failed to establish CHILD_SA, keeping IKE_SA
2025-09-20T07:57:40 charon 11[IKE] <9f5f81c2...|3> traffic selectors 192.168.200.0/24 === 192.168.101.0/24 unacceptable
2025-09-20T07:57:40 charon 11[ENC] <9f5f81c2...|3> parsed CREATE_CHILD_SA request 9 [ No KE SA TSi TSr ]
OPNsense Config (swanctl.conf):
local_ts = 192.168.100.0/24,192.168.200.0/24
remote_ts = 192.168.27.0/24
Question:
How can I configure multiple local subnets (192.168.100.0/24 and 192.168.200.0/24) to connect to the same remote subnet (192.168.27.0/24)?
Do I need to:
Split into separate child SAs, or
Change something on the remote peer side?
Any guidance would be appreciated.
Splitting into multiple separate children will fix this.
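The following is an added illustration (not OPNsense or strongSwan code) of why the responder answers N(TS_UNACCEPT): in IKEv2 a child SA is only established when every proposed traffic selector overlaps one of the child's configured selectors, and the SA is narrowed to that overlap (RFC 7296, section 2.9). The script parses a constructed swanctl.conf-style children section with one child per local subnet, as the answer suggests, and checks a proposal against it from the responder's point of view (charon logs "local === remote"). The child names net100 and net200 are assumptions; the subnets are the ones from the question and the log.

```python
"""Traffic-selector narrowing check for IKEv2 child SAs.

Illustration only, not strongSwan's own implementation.  Given a swanctl-style
set of children, find which child (if any) accepts a proposed
"local === remote" selector pair; if none does, the responder would send
N(TS_UNACCEPT), as seen in the question's charon log.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed swanctl.conf fragment: a separate child per local subnet, both
# pointing at the same remote subnet.  Option names are strongSwan's; the
# child names are assumptions for this example.
SWANCTL_CHILDREN = """
children {
    net100 {
        local_ts = 192.168.100.0/24
        remote_ts = 192.168.27.0/24
    }
    net200 {
        local_ts = 192.168.200.0/24
        remote_ts = 192.168.27.0/24
    }
}
"""


def parse_children(text: str) -> Dict[str, Dict[str, List[Net]]]:
    """Parse ``children { name { key = a,b } }`` into per-child network lists."""
    children: Dict[str, Dict[str, List[Net]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"(\w+)\s*\{", line)
        if m and m.group(1) != "children":
            current = m.group(1)
            children[current] = {"local_ts": [], "remote_ts": []}
        elif "=" in line and current:
            key, value = (s.strip() for s in line.split("=", 1))
            children[current][key] = [
                ipaddress.ip_network(v.strip()) for v in value.split(",")
            ]
    return children


def narrow(configured: List[Net], proposed: Net) -> Optional[Net]:
    """Return the intersection of a proposed selector with the configured ones.

    For CIDR blocks that overlap, the intersection is simply the longer prefix.
    """
    for cfg in configured:
        if proposed.overlaps(cfg):
            return proposed if proposed.prefixlen >= cfg.prefixlen else cfg
    return None


def select_child(
    children: Dict[str, Dict[str, List[Net]]], local: str, remote: str
) -> Tuple[Optional[str], str]:
    """Pick the first child whose local_ts and remote_ts both overlap the proposal.

    ``local``/``remote`` are the proposed selectors as the responder sees them
    (the order charon prints in "traffic selectors L === R").  Returns the child
    name with the narrowed pair, or (None, "TS_UNACCEPT").
    """
    our_net = ipaddress.ip_network(local)
    peer_net = ipaddress.ip_network(remote)
    for name, child in children.items():
        l_ts = narrow(child["local_ts"], our_net)
        r_ts = narrow(child["remote_ts"], peer_net)
        if l_ts is not None and r_ts is not None:
            return name, f"{l_ts} === {r_ts}"
    return None, "TS_UNACCEPT"


CHILDREN = parse_children(SWANCTL_CHILDREN)

if __name__ == "__main__":
    # The pair from the log: the peer's side (192.168.101.0/24) is not in any
    # remote_ts, so no child can be narrowed to it.
    print(select_child(CHILDREN, "192.168.200.0/24", "192.168.101.0/24"))
    # A proposal against the configured remote subnet lands on the second child.
    print(select_child(CHILDREN, "192.168.200.0/24", "192.168.27.0/24"))
    # A narrower proposal is accepted and narrowed to the proposed /25.
    print(select_child(CHILDREN, "192.168.100.0/25", "192.168.27.0/24"))
```

Run it directly to see the three cases. The first call reproduces the "traffic selectors 192.168.200.0/24 === 192.168.101.0/24 unacceptable" line from the question, and the second shows the proposal that the split net200 child would accept.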