Site-to-Site IPSec VPN - CHILD_SA config '<name>' not found on

This article explains when the error CHILD_SA config '<name>' not found can appear on Zyxel Firewalls, why it happens, and what steps can be taken to resolve it. The issue is usually not caused by wrong VPN settings, but by how the firewall internally creates the Phase 2 (Child SA) configuration.


Error description

When trying to establish a Site-to-Site IPSec VPN on a Zyxel Firewall, the following error message appears:

Command failed: CHILD_SA config '<name>' not found

The error most often occurs when clicking the “Connect” button, even though all VPN parameters look correct in the GUI.

What does this error mean?

This error indicates that Phase 2 (Child SA) — the part of the VPN configuration that defines the local and remote subnets — was not created or not saved correctly inside the firewall.

Important notes:

The internal Child SA object may be missing or corrupted:

  • Even if the correct networks are shown in the interface

  • Even if the same IP addresses are selected from the Address Book

When does this issue happen most often?

This error is more common in the following scenarios:

  • The first VPN tunnel on a new or recently installed firewall

  • Using Address Book objects for Phase 2 selectors

  • Mixed environments, for example:

    • H-Series (Nebula-managed) ↔ USG Flex (standalone)

  • VPN configured through Nebula, while the remote device is not H-Series

  • The VPN configuration was created but not properly applied (Apply)

Why this happens

The firewall internally converts Phase 2 settings (local and remote networks) into Child SA entries.

In some cases:

  • The Child SA entries are not created

  • Or they are created incorrectly

  • Or they are not saved during the first setup

Because of this, when the firewall tries to connect, it cannot find the required Child SA and shows the error.

Recommended solution (step by step)

  • Remove the existing Site-to-Site VPN configuration on both devices

  • Create the VPN from scratch, using the same parameters (PSK, algorithms, networks)

Recommended configuration method

If the remote device is USG Flex (non H-Series, standalone):

  • Configure the VPN using the Local Web GUI

  • Use classic policy-based IPSec

This method provides better compatibility and more stable behavior than configuring the VPN through Nebula.

Check Phase 2 settings

Make sure that:

  • Local and remote subnets are correct

  • The subnets do not overlap

Address Book objects can be used, but if the problem continues:

  • Temporarily define the networks manually, without Address Book objects
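The Phase 2 checks above can be run offline before the tunnel is recreated. The script below is an added example, not Zyxel code: it takes the subnets typed into each firewall and reports host bits left in a manually entered network, local/remote overlap, and selectors that do not mirror each other across the two peers (a general requirement of policy-based IPSec, assumed here). The function name, the dictionary layout and the sample subnets are constructed for illustration.

```python
import ipaddress

def check_phase2(site_a, site_b):
    """Return a list of problems in two peers' Phase 2 selectors.

    Each site is {"local": "<cidr>", "remote": "<cidr>"} holding the values
    entered on that firewall (hypothetical layout for this example).
    """
    problems, nets = [], {}
    for name, site in (("A", site_a), ("B", site_b)):
        for side in ("local", "remote"):
            raw = site[side]
            try:
                net = ipaddress.ip_network(raw, strict=True)
            except ValueError:
                # strict=True rejects host bits such as 192.168.1.1/24
                try:
                    net = ipaddress.ip_network(raw, strict=False)
                except ValueError:
                    problems.append(f"{name}.{side}: '{raw}' is not a valid subnet")
                    continue
                problems.append(f"{name}.{side}: '{raw}' has host bits set, use {net}")
            nets[(name, side)] = net
    # Local and remote subnets on one device must not overlap.
    for name in ("A", "B"):
        loc, rem = nets.get((name, "local")), nets.get((name, "remote"))
        if loc and rem and loc.version == rem.version and loc.overlaps(rem):
            problems.append(f"{name}: local {loc} overlaps remote {rem}")
    # One peer's local selector must equal the other peer's remote selector.
    pairs = ((("A", "local"), ("B", "remote")), (("A", "remote"), ("B", "local")))
    for mine, theirs in pairs:
        a, b = nets.get(mine), nets.get(theirs)
        if a and b and a != b:
            problems.append(f"{mine[0]}.{mine[1]} {a} does not mirror "
                            f"{theirs[0]}.{theirs[1]} {b}")
    return problems

# Constructed sample values, not taken from a real deployment.
GOOD_A = {"local": "192.168.1.0/24", "remote": "192.168.2.0/24"}
GOOD_B = {"local": "192.168.2.0/24", "remote": "192.168.1.0/24"}
BAD_A = {"local": "192.168.1.1/24", "remote": "192.168.0.0/16"}

if __name__ == "__main__":
    for issue in check_phase2(BAD_A, GOOD_B) or ["no problems found"]:
        print(issue)
```
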

Connect the tunnel again

  • Click Connect

  • In most cases, the error disappears immediately after recreating the tunnel
