Unable to configure IPSEC: Error "TS unacceptable"

Article ID: 398259

Products

VMware NSX

Issue/Introduction

  • In an NSX for vSphere environment with an existing, working IPSec VPN setup, IPSec can no longer be configured after the client added a new IP to the policy-based IPSec VPN.
  • This is observed after adding a new IP range to the IPSec VPN tunnel.
  • After the change, the following error message is logged:
    Syslog.9:308276:2025-05-09T16:07:00.819Z edge##5-10181b.vxx1c.##c.xx.us NSX 3112837 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-main" level="INFO"] Request for IPSEC tunnel status update : tunnel: 8196, rule: 536872018, local_ip: 147.1##.##.##, peer_ip: 20#.##.##.1## inbound_spi: 0x0, outbound_spi: 0x0 status: IPSEC_STATUS_DOWN, error: TS unacceptable
    syslog.9:308615:2025-05-09T16:07:01.195Z edge1##-10181b.##1c.pcc.XX.us NSX 3112837 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"]   Message: TS unacceptable (38)

Environment

VMware NSX-T

Cause

The debugs indicate that the remote end did not find the Vendor's proposed traffic selectors (TS) acceptable, possibly because the traffic selectors configured on the Vendor and on the remote end do not match.

Resolution

Workaround:

  • Use individual TS pairs such that one SA is negotiated for each pair of Traffic Selectors.
  • If the remote device supports it, use 0.0.0.0/0.0.0.0 to 0.0.0.0/0.0.0.0 as the Traffic Selectors. This simplifies the configuration, especially when there are a large number of TS pairs. Routes and policies can be used to restrict and control exactly what networks are accessible, along with controlling what services are open on those networks.
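
A pre-change check for the mismatch described under Cause, as an added example that is not VMware's code: it expands each side's subnet lists into the individual TS pairs from the first workaround and compares them with the peer's mirrored pairs. The subnets are constructed sample values, and the function names and the match/overlap/missing labels are assumptions of this example.

```python
import ipaddress
from itertools import product


def ts_pairs(local_nets, remote_nets):
    """Expand subnet lists into individual (local, remote) TS pairs,
    i.e. one pair per SA as in the first workaround."""
    return {(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l, r in product(local_nets, remote_nets)}


def compare_selectors(ours, peers):
    """Classify each of our TS pairs against the peer's configuration.

    The peer's view is mirrored: its local subnet is our remote subnet.
    """
    mirrored = {(p_remote, p_local) for p_local, p_remote in peers}
    report = {}
    for local, remote in sorted(ours, key=str):
        key = f"{local} -> {remote}"
        if (local, remote) in mirrored:
            report[key] = "match"
        elif any(local.overlaps(m_l) and remote.overlaps(m_r)
                 for m_l, m_r in mirrored):
            # Partial overlap: the outcome depends on the peer device.
            report[key] = "overlap"
        else:
            # No counterpart on the peer: candidate for "TS unacceptable".
            report[key] = "missing"
    return report


if __name__ == "__main__":
    # Constructed sample: 10.10.2.0/24 was newly added on our side only.
    ours = ts_pairs(["10.10.1.0/24", "10.10.2.0/24"], ["172.16.5.0/24"])
    peers = ts_pairs(["172.16.5.0/24"], ["10.10.1.0/24"])
    for pair, status in compare_selectors(ours, peers).items():
        print(f"{status:8} {pair}")
```

Any pair reported as missing needs the mirrored selector added on the remote device before the new range is applied to the tunnel.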

Additional Information