
Troubleshooting IPsec Site-to-Site VPNs: How to Fix “Child SA Not Established”

Category: Network Security / Tutorials
Reading time: 5 Minutes

Introduction

Configuring an IPsec Site-to-Site VPN is a routine responsibility for network engineers, yet it is rarely seamless on the first attempt. Whether you are linking a Netgate 6100 at a headquarters location to a Netgate 1100 at a branch office, or creating a tunnel between pfSense and a FortiGate, IPsec logs often appear cryptic and overwhelming.

One of the most common and frustrating errors encountered during VPN setup is “Child SA not established.” At Mistral Networks, this issue is frequently reported during new firewall deployments and inter-vendor VPN integrations. This article explains what the error really means, why it occurs, and how to fix it step by step.


What Does “Child SA Not Established” Mean?

To understand this error, it is important to know how IPsec VPNs work. IPsec negotiations occur in two phases:

  • Phase 1 (IKE – Internet Key Exchange):
    The firewalls authenticate each other and establish a secure management channel.
  • Phase 2 (IPsec / ESP):
    One or more Child Security Associations (Child SAs) are created to carry actual user traffic between networks.

When the log message “Child SA not established” appears, it usually means Phase 1 completed successfully, but Phase 2 failed. In simple terms, the firewalls trust each other, but they cannot agree on how traffic should be encrypted or which networks are allowed to communicate.


Most Common Causes and How to Fix Them

1. Mismatched Phase 2 Encryption or Hash Algorithms

This is the number one cause of the error.

Each IPsec tunnel uses a proposal, which includes:

  • Encryption algorithm (AES-128, AES-256, AES-GCM, etc.)
  • Hash or integrity algorithm
  • Key length

The problem:
If Site A is configured with AES-256-GCM and Site B offers AES-128 or a different hash method, the two sides have no proposal in common and Phase 2 fails.

The fix:
Ensure that Phase 2 proposals match exactly on both sides.
In pfSense and Netgate firewalls, also confirm that the protocol (ESP vs AH) is identical.


2. Perfect Forward Secrecy (PFS) Mismatch

Perfect Forward Secrecy improves security by running a fresh Diffie-Hellman exchange for each Phase 2 key, so keys generated at regular intervals are independent of the ones before them.

The problem:
One firewall has PFS disabled, while the other expects a specific Diffie-Hellman group (for example, Group 14).

The fix:
Verify that the PFS Key Group setting in Phase 2 matches on both ends.
For troubleshooting, temporarily disable PFS on both sides to confirm connectivity, then re-enable it once the tunnel is stable.


3. Subnet or Traffic Selector Mismatch

IPsec is extremely strict about which subnets are permitted through the tunnel.

The problem:

  • Site A defines traffic as 192.168.1.0/24 ↔ 10.0.0.0/24
  • Site B expects 192.168.1.5/32 ↔ 10.0.0.0/24

Even a small mismatch will prevent the Child SA from forming.

The fix:
Check the Local Network and Remote Network settings in Phase 2.
They must be exact mirror images of each other on both firewalls.
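The three checks above (matching proposal, matching PFS group, mirrored Local/Remote Networks) can be applied mechanically before looking at logs. The following Python script is an added example, not Netgate or pfSense code: it takes the Phase 2 values read from each firewall's GUI, assumed to be typed into the hypothetical `Phase2` record, and lists every mismatch that would keep the Child SA from forming. The site names and sample addresses are constructed to reproduce the mismatches described in sections 1 to 3.

```python
"""Added example (not Netgate/pfSense code): compare the Phase 2 settings of
two IPsec peers and list every mismatch that would stop the Child SA from
forming. The Phase2 record and the sample values below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Phase2:
    """One side's Phase 2 (Child SA) configuration as read from its GUI."""
    site: str
    protocol: str             # "ESP" or "AH"
    encryption: str           # e.g. "AES-256-GCM", "AES-128"
    integrity: Optional[str]  # hash/integrity algorithm; None for AEAD ciphers such as AES-GCM
    pfs_group: Optional[int]  # Diffie-Hellman group for PFS; None means PFS disabled
    local_net: str            # Local Network in CIDR notation
    remote_net: str           # Remote Network in CIDR notation


def _norm(alg: Optional[str]) -> Optional[str]:
    """Normalise algorithm spelling so 'AES-256-GCM' and 'aes256gcm' compare equal."""
    if alg is None:
        return None
    return alg.lower().replace("-", "").replace("_", "").replace(" ", "")


def check_phase2(a: Phase2, b: Phase2) -> List[str]:
    """Return a human-readable list of Phase 2 mismatches between peers a and b."""
    problems = []
    # Proposal: protocol, cipher, integrity and PFS group must match exactly.
    if a.protocol.upper() != b.protocol.upper():
        problems.append(f"protocol: {a.site}={a.protocol} vs {b.site}={b.protocol}")
    if _norm(a.encryption) != _norm(b.encryption):
        problems.append(f"encryption: {a.site}={a.encryption} vs {b.site}={b.encryption}")
    if _norm(a.integrity) != _norm(b.integrity):
        problems.append(f"integrity: {a.site}={a.integrity} vs {b.site}={b.integrity}")
    if a.pfs_group != b.pfs_group:
        problems.append(f"PFS group: {a.site}={a.pfs_group} vs {b.site}={b.pfs_group}")
    # Traffic selectors: a's Local Network must equal b's Remote Network and vice versa.
    a_local = ip_network(a.local_net, strict=False)
    a_remote = ip_network(a.remote_net, strict=False)
    b_local = ip_network(b.local_net, strict=False)
    b_remote = ip_network(b.remote_net, strict=False)
    if a_local != b_remote:
        problems.append(f"traffic selector: {a.site} Local {a_local} != {b.site} Remote {b_remote}")
    if a_remote != b_local:
        problems.append(f"traffic selector: {a.site} Remote {a_remote} != {b.site} Local {b_local}")
    return problems


# Constructed sample: headquarters vs branch, carrying the mismatches from the text.
SITE_A = Phase2("HQ", "ESP", "AES-256-GCM", None, 14, "192.168.1.0/24", "10.0.0.0/24")
SITE_B = Phase2("Branch", "ESP", "AES-128", "SHA256", None, "10.0.0.0/24", "192.168.1.5/32")
# The same branch after correction: proposal, PFS group and mirrored networks all match.
SITE_B_FIXED = Phase2("Branch", "ESP", "AES-256-GCM", None, 14, "10.0.0.0/24", "192.168.1.0/24")

if __name__ == "__main__":
    for problem in check_phase2(SITE_A, SITE_B):
        print("MISMATCH:", problem)
    print("mismatches after fix:", check_phase2(SITE_A, SITE_B_FIXED))
```

Running it on the constructed pair reports four mismatches (cipher, integrity, PFS group and the 192.168.1.0/24 vs 192.168.1.5/32 selector) and none for the corrected branch; the integrity field is compared as `None` for AES-GCM because an AEAD cipher carries its own authentication and pfSense does not pair it with a separate hash.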


Using Logs to Diagnose the Issue

On Netgate or pfSense devices, go to:

Status → System Logs → IPsec

Focus on log entries generated by charon, the strongSwan IKE daemon that pfSense uses for IPsec.
If you see messages such as:

“Traffic selectors unacceptable”

this clearly indicates a subnet or traffic selector mismatch in Phase 2.
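When a tunnel flaps repeatedly the IPsec log grows quickly, and it helps to reduce it to a count of the Phase 2 failure reasons. The script below is an added example, not part of this article or of pfSense or strongSwan: it scans charon log lines and maps each to the mismatch it usually indicates. The five log lines are constructed, and the message patterns (the `TS_UNACCEPTABLE` and `NO_PROPOSAL_CHOSEN` notify names and the "traffic selectors unacceptable" wording quoted above) are assumptions about strongSwan's wording that you should adjust to what your own log shows.

```python
"""Added example (not pfSense/strongSwan code): scan charon log lines and map
the Phase 2 failure notifies to the mismatch they usually indicate. The log
lines are constructed and the message patterns are assumptions."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Patterns are tried in order; the first match decides the diagnosis.
PATTERNS = [
    # Responder rejected our Local/Remote Network pair (section 3).
    (re.compile(r"TS_UNACCEPTABLE|traffic selectors? unacceptable|no acceptable traffic selectors", re.I),
     "traffic_selector_mismatch"),
    # No common Phase 2 proposal: cipher, integrity or PFS DH group (sections 1 and 2).
    (re.compile(r"NO_PROPOSAL_CHOSEN|no acceptable proposal", re.I),
     "proposal_mismatch"),
    (re.compile(r"CHILD_SA .* established", re.I), "child_sa_established"),
    (re.compile(r"failed to establish CHILD_SA", re.I), "child_sa_failed"),
]

# What to check in the GUI for each diagnosis.
HINTS = {
    "traffic_selector_mismatch": "Phase 2 Local Network / Remote Network must mirror each other exactly",
    "proposal_mismatch": "Phase 2 encryption, hash and PFS key group must match on both sides",
    "child_sa_failed": "Phase 1 is up; look at the preceding line for the notify that caused the failure",
    "child_sa_established": "Child SA formed; traffic should now pass",
}


def classify(line: str) -> Optional[str]:
    """Return the diagnosis label for one log line, or None if it is not relevant."""
    for pattern, label in PATTERNS:
        if pattern.search(line):
            return label
    return None


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count how many lines fall into each diagnosis."""
    return dict(Counter(label for label in map(classify, lines) if label))


# Constructed sample log, modelled on charon's message format.
SAMPLE_LOG = [
    "Dec 10 10:15:02 charon[1234]: 14[IKE] <con1|3> received TS_UNACCEPTABLE notify, no CHILD_SA built",
    "Dec 10 10:15:02 charon[1234]: 14[IKE] <con1|3> failed to establish CHILD_SA, keeping IKE_SA",
    "Dec 10 10:16:40 charon[1234]: 09[IKE] <con2|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built",
    "Dec 10 10:16:40 charon[1234]: 09[IKE] <con2|4> peer supports MOBIKE",
    "Dec 10 10:20:11 charon[1234]: 11[IKE] <con1|5> CHILD_SA con1{2} established with SPIs c1a2b3d4_i e5f6a7b8_o",
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{count:3d}  {label:26s}  {HINTS[label]}")
```

The "failed to establish CHILD_SA, keeping IKE_SA" line on its own only confirms that Phase 1 succeeded and Phase 2 did not; the notify on the line just before it names the actual cause, which is why the script keeps that label separate from the two mismatch categories.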


Conclusion

Reliable IPsec VPNs are the backbone of secure enterprise communication. While the “Child SA not established” error can be frustrating, it is almost always caused by a configuration mismatch, not faulty hardware.

By carefully verifying Phase 2 proposals, PFS settings, and subnet definitions, most VPN tunnels can be brought up quickly and reliably.

If you need assistance with multi-vendor VPNs, inter-LAN routing, or redundant VPN failover design, Mistral Networks specializes in Netgate and enterprise firewall integrations.
Contact us today for a professional audit and optimization of your network infrastructure.
