HQ has a WatchGuard M370 firewall. Working on setting up remote workers with UX’s or UDM’s depending on location.
Followed https://community.ui.com/questions/Site-to-Site-VPN-Unifi-to-Watchguard/d9a13f6b-10df-4d45-b5e9-4d32a755848c roughly (had to use SHA1-AES(128-bit) as 3DES is not an option anymore on the unifi side)
The BOVPN keys up and works for a while, then crashes with “ERROR 0x021a0011 Received unacceptable traffic selector in CREATE_CHILD_SA request.” on the firewall side.
On the UX or UDM side, it is as follows:
- PSK is 8 characters
- local IP is the WAN IP of the UX/UDM (static)
- remote IP is the WAN IP of HQ (static)
- VPN type is Route Based
- Tunnel IP is not checked
- Remote Networks include the /24’s of the 2 VLANs at HQ that the UX/UDM needs to talk to
- IKEv2 for version
- IKE is AES-128, SHA1, DH14, 28800 lifespan
- ESP is AES-128, SHA1, DH14, 3600 lifespan
- PFS enabled
- Local ID is WAN IP of UX/UDM
- Remote ID is WAN IP of HQ
- MTU set to auto
- Route Distance set to 30
On HQ Side:
- Gateway set with same PSK, endpoints match WAN IPs of both sides,
- IKEv2 for version
- Phase 1 set to SHA1-AES(128-bit), DH14
- Tunnel set with local IP subnets matched to UX/UDM local subnets
- Phase 2 set with PFS enabled, DH14, ESP-AES128-SHA1
It will pass traffic for a while, but then error out and I will need to manually hit the rekey option in the firewall to get the tunnel back up again.
Thoughts?
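For readers who want to see what the firewall's log line actually refers to: the error names the IKEv2 TS_UNACCEPTABLE condition from RFC 7296 section 2.9, where the responder must pick a subset of the traffic selectors the initiator proposes in CREATE_CHILD_SA and rejects the exchange if its own policy allows none of them. The block below is an added illustration written for this page, not code from UniFi or WatchGuard, and it makes no claim about which product is at fault in the thread. It models the responder's narrowing rule with constructed, placeholder subnets (10.1.10.0/24 and 10.1.20.0/24 standing in for the two HQ VLANs, 192.168.50.0/24 for the remote site) and shows three proposals side by side: a policy-based initiator naming the exact subnets, a route-based initiator sending a catch-all selector for the responder to narrow, and a rekey that names a subnet the responder's policy does not cover.

```python
"""Model of IKEv2 traffic-selector (TS) narrowing in CREATE_CHILD_SA.

Constructed example, not code from UniFi or WatchGuard. It follows the
responder rule in RFC 7296 section 2.9: the responder picks a subset of the
initiator's proposed selectors that its own policy allows; if no subset
exists it answers TS_UNACCEPTABLE, the condition behind the firewall log
line quoted in the thread. Real implementations add per-port/protocol
fields and may split selectors further; those details are left out here.
"""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
TSPair = Tuple[Net, Net]


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


def pairs(*specs: Tuple[str, str]) -> List[TSPair]:
    """Build (first, second) network pairs from CIDR strings."""
    return [(net(a), net(b)) for a, b in specs]


def intersect(a: Net, b: Net) -> Optional[Net]:
    """Overlap of two IPv4 networks, or None if they are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def negotiate(proposed: List[TSPair], policy: List[TSPair]) -> List[TSPair]:
    """Responder-side TS selection.

    proposed: (TSi, TSr) pairs from the initiator; TSi covers the initiator's
              own addresses, TSr covers the responder's.
    policy:   (local, remote) pairs the responder allows, from its own point
              of view, so TSi is matched against 'remote' and TSr against
              'local'.

    Returns the narrowed (TSi, TSr) pairs the responder would accept. An empty
    list means the responder would reply with TS_UNACCEPTABLE.
    """
    accepted: List[TSPair] = []
    for tsi, tsr in proposed:
        for local, remote in policy:
            i = intersect(tsi, remote)
            r = intersect(tsr, local)
            if i is not None and r is not None and (i, r) not in accepted:
                accepted.append((i, r))
    return accepted


def ts_unacceptable(proposed: List[TSPair], policy: List[TSPair]) -> bool:
    """True when the responder would reject the proposal outright."""
    return not negotiate(proposed, policy)


# Constructed addressing: two HQ VLANs behind the responder and one LAN at
# the remote site. Placeholders, not the thread's real subnets.
HQ_POLICY = pairs(("10.1.10.0/24", "192.168.50.0/24"),
                  ("10.1.20.0/24", "192.168.50.0/24"))

# Policy-based initiator: proposes exactly the subnets the responder lists.
POLICY_BASED = pairs(("192.168.50.0/24", "10.1.10.0/24"),
                     ("192.168.50.0/24", "10.1.20.0/24"))

# Route-based initiator: one catch-all selector, left for the responder to narrow.
ROUTE_BASED = pairs(("0.0.0.0/0", "0.0.0.0/0"))

# A rekey that names a subnet the responder's policy does not cover.
STALE_REKEY = pairs(("192.168.50.0/24", "10.1.30.0/24"))


if __name__ == "__main__":
    for name, proposal in (("policy-based", POLICY_BASED),
                           ("route-based", ROUTE_BASED),
                           ("stale rekey", STALE_REKEY)):
        chosen = negotiate(proposal, HQ_POLICY)
        if not chosen:
            verdict = "TS_UNACCEPTABLE"
        else:
            verdict = "narrowed to " + ", ".join(f"{i} <-> {r}" for i, r in chosen)
        print(f"{name:13s}: {verdict}")
```

Running it prints the two accepted cases narrowed to the same pair of /24 selectors and the third case rejected. The point for troubleshooting is that the error is only ever raised when the responder's policy and the initiator's proposal have no overlap at the moment of the child SA rekey, so comparing the selectors both devices log at rekey time, rather than at initial tunnel setup, is where to look.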
Try to test it without PFS
This suggests using a virtual interface when getting a similar issue with Azure?
Getting that error periodically, auto rekey doesn’t work, manual rekey does.
https://community.watchguard.com/watchguard-community/discussion/3177/bovpn-to-azure-received-unacceptable-traffic-selector-in-create-child-sa-request
Based on your description we have a VERY similar setup. I also experienced a VERY similar issue.
TLDR: (this is going to give you a headache, because it gave me one) Set your Unifi devices to Policy Based VPN. I know… it doesn’t make any sense - but it worked for us.
If that doesn’t work let me know and I can grab you some screenshots. Looking over your settings I can see we have some differences (we use IKEv1, for example), but I strongly suspect it is the Route based vs Policy based.
I argued until I was blue in the face with Unifi support on this one. Our WatchGuards are set up for route based, but eventually I just gave up because nothing else (other than a batch file that would ping every site every 30 minutes) worked to keep the connections alive.
I’ve had the same issue with a Watchguard M590 and UniFi Cloud Gateway Ultra. Switching to a BOVPN Virtual Interface seems to have resolved the issue.
Disabled PFS on both ends for 1 of the remote users, left the other enabled.
Same thing, both tunnels eventually dropped with the same error.
I have removed the BOVPN and switched to a BOVPN VIF, the tunnel remains up now, but I can’t figure out how to route traffic. Tried OSPF, tried static, tried a few other things, all leading to dead ends.
I have a feeling it needs to be OSPF, but I can’t seem to figure out the unifi side of it.