IPsec Tunnel – One subnet works, second subnet fails (Traffic Selector Unacceptable)

Started by touhidur12, September 20, 2025, 10:18:35 AM

I have configured an IPsec tunnel on OPNsense (new method connection). One subnet pair is working fine, but the second subnet cannot establish.

✅ Working:

192.168.100.0/24 === 192.168.27.0/24


❌ Not Working:

192.168.200.0/24 === 192.168.27.0/24


Log Output:

2025-09-20T07:57:40  charon 11[NET] <697fa25f...|2> received packet: from 95.143.207.190[4500] to 158.220.108.82[4500] (96 bytes)
2025-09-20T07:57:40  charon 11[NET] <9f5f81c2...|3> sending packet: from 158.220.108.82[4500] to 103.109.238.119[4500] (80 bytes)
2025-09-20T07:57:40  charon 11[ENC] <9f5f81c2...|3> generating CREATE_CHILD_SA response 9 [ N(TS_UNACCEPT) ]
2025-09-20T07:57:40  charon 11[IKE] <9f5f81c2...|3> failed to establish CHILD_SA, keeping IKE_SA
2025-09-20T07:57:40  charon 11[IKE] <9f5f81c2...|3> traffic selectors 192.168.200.0/24 === 192.168.101.0/24 unacceptable
2025-09-20T07:57:40  charon 11[ENC] <9f5f81c2...|3> parsed CREATE_CHILD_SA request 9 [ No KE SA TSi TSr ]


OPNsense Config (swanctl.conf):

local_ts  = 192.168.100.0/24,192.168.200.0/24
remote_ts = 192.168.27.0/24

Question:

How can I configure multiple local subnets (192.168.100.0/24 and 192.168.200.0/24) to connect to the same remote subnet (192.168.27.0/24)?
Do I need to:

Split into separate child SAs, or

Change something on the remote peer side?

Any guidance would be appreciated.
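Added example (not code from the post, OPNsense or strongSwan): a small Python script that pulls the rejected selector pair out of charon log lines like the ones quoted above and then simulates the responder's IKEv2 narrowing (RFC 7296 section 2.9) for every local/remote pair the OPNsense side would propose. The peer configurations it is run against are assumptions used to show the two outcomes; the sample log text is constructed to match the format in the post. It also renders the "one child per local subnet" layout as a swanctl.conf fragment so the two options in the question can be compared side by side.

```python
"""Check IKEv2 traffic-selector compatibility and extract TS_UNACCEPTABLE
events from charon logs. Added example; not part of the forum post."""
import ipaddress
import re

# Constructed sample: the line format matches the charon output quoted in the post.
SAMPLE_LOG = """\
2025-09-20T07:57:40  charon 11[IKE] <9f5f81c2...|3> failed to establish CHILD_SA, keeping IKE_SA
2025-09-20T07:57:40  charon 11[IKE] <9f5f81c2...|3> traffic selectors 192.168.200.0/24 === 192.168.101.0/24 unacceptable
2025-09-20T07:57:40  charon 11[ENC] <9f5f81c2...|3> parsed CREATE_CHILD_SA request 9 [ No KE SA TSi TSr ]
"""

TS_UNACCEPT = re.compile(r"traffic selectors (\S+) === (\S+) unacceptable")


def parse_unacceptable(log_text):
    """Return every (local, remote) selector pair charon reported as unacceptable."""
    matches = (TS_UNACCEPT.search(line) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]


def narrow(a, b):
    """IKEv2 narrowing: intersect two CIDR selectors. CIDR blocks either nest or
    are disjoint, so the intersection is the smaller block, or None if disjoint."""
    a = ipaddress.ip_network(a, strict=False)
    b = ipaddress.ip_network(b, strict=False)
    if a.subnet_of(b):
        return str(a)
    if b.subnet_of(a):
        return str(b)
    return None


def evaluate_pairs(local_ts, remote_ts, peer_local_ts, peer_remote_ts):
    """Simulate the responder's decision for each (TSi, TSr) pair our side proposes.
    Our local_ts must intersect the peer's remote_ts and our remote_ts must
    intersect the peer's local_ts; otherwise the responder answers
    N(TS_UNACCEPTABLE). Returns {(local, remote): (narrowed_local, narrowed_remote)}
    with None for pairs the peer would reject."""
    verdict = {}
    for loc in local_ts:
        for rem in remote_ts:
            n_loc = next((n for n in (narrow(loc, p) for p in peer_remote_ts) if n), None)
            n_rem = next((n for n in (narrow(rem, p) for p in peer_local_ts) if n), None)
            verdict[(loc, rem)] = (n_loc, n_rem) if n_loc and n_rem else None
    return verdict


def render_children(conn, local_ts, remote_ts):
    """Emit one swanctl child per local subnet (the 'split into separate child SAs'
    option from the post) as a swanctl.conf fragment. Connection name is a placeholder."""
    out = [f"connections {{\n    {conn} {{\n        children {{"]
    for i, loc in enumerate(local_ts, 1):
        out.append(f"            {conn}-{i} {{\n"
                   f"                local_ts = {loc}\n"
                   f"                remote_ts = {','.join(remote_ts)}\n"
                   f"            }}")
    out.append("        }\n    }\n}")
    return "\n".join(out)


if __name__ == "__main__":
    print("rejected by peer:", parse_unacceptable(SAMPLE_LOG))
    ours_local = ["192.168.100.0/24", "192.168.200.0/24"]
    ours_remote = ["192.168.27.0/24"]
    # Assumed peer policy that only knows about the first subnet: second pair fails.
    print(evaluate_pairs(ours_local, ours_remote, ["192.168.27.0/24"], ["192.168.100.0/24"]))
    # Assumed peer policy covering both subnets: both pairs narrow cleanly.
    print(evaluate_pairs(ours_local, ours_remote, ["192.168.27.0/24"], ours_local))
    print(render_children("site-a", ours_local, ours_remote))
```

The responder decides: it narrows the TSi/TSr the initiator proposes against its own policy and replies with TS_UNACCEPTABLE when there is no intersection, so the verdict table only turns green for the second subnet once the peer's policy actually covers 192.168.200.0/24. Feeding the real log line through parse_unacceptable is worth doing before changing anything, because the pair charon records is what the peer rejected; in the post it is 192.168.200.0/24 === 192.168.101.0/24, which should be compared with the selectors both sides believe are configured. Splitting into separate children changes the proposal from one CHILD_SA carrying several selectors to one selector pair per CHILD_SA, which is the shape peers that only accept a single subnet pair per SA expect; it does not help if the peer has no policy for the second subnet at all.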