IPSec only one phase 2 working
-
Hello,
I am connecting a branch to a Cisco ASA at our head end data center. I have replicated this configuration a few times at other branches without issue but am stuck at our new site.
I have two networks internally:
- Data 10.225.172.0/24
- Voice 10.225.172.0/24
I have my phase 1 entry stood up and functioning. My phase 2's are also connected and showing online.
Remote subnet entry for both phase 2's is 10.0.0.0/8
The voice network functions without issue even after re-building the tunnel multiple times. The data network is unreachable from the data center and we cannot ping the IPs from the branch to the data center. Firewall rules for testing are set to any/any on both the data and voice network as well as the ipsec tab on the firewall.
I tried to follow the ipsec troubleshooting steps in the netgate documentation but could not identify the issue. Is there something specific in the logs I should be looking for that will tell a story in terms of what's going on?
Thanks all!
-
@spearhead1 said in IPSec only one phase 2 working:
...I have two networks internally:
- Data 10.225.172.0/24
- Voice 10.225.172.0/24
For me this looks like you have the same network for both Data and Voice.
Kind regards,
Mathias -
@mamawe Correction: the voice network is .173. My apologies.
-
@spearhead1 said in IPSec only one phase 2 working:
Hello,
I am connecting a branch to a Cisco ASA at our head end data center. I have replicated this configuration a few times at other branches without issue but am stuck at our new site.
I have two networks internally:
- Data 10.225.172.0/24
- Voice 10.225.172.0/24
I have my phase 1 entry stood up and functioning. My phase 2's are also connected and showing online.
Remote subnet entry for both phase 2's is 10.0.0.0/8
The voice network functions without issue even after re-building the tunnel multiple times. The data network is unreachable from the data center and we cannot ping the IPs from the branch to the data center. Firewall rules for testing are set to any/any on both the data and voice network as well as the ipsec tab on the firewall.
I tried to follow the ipsec troubleshooting steps in the netgate documentation but could not identify the issue. Is there something specific in the logs I should be looking for that will tell a story in terms of what's going on?
Thanks all!
Edit: Sorry - I think I misunderstood your post details.
Why don’t you just use one Phase 2 with:
Local 10.225.172.0/23. Remote 10.0.0.0/8 -
@spearhead1 As you say that both phase 2 SAs are connected, can you see packets going out when you go to Status / IPsec / Overview and click on + Show child SA entries?
If not, can you see the unencrypted traffic coming from 10.225.172.0/24 in a packet capture?
If yes, can you confirm that this is the right traffic by doing a packet capture on the IPsec interface?
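Two checks from this thread lend themselves to a small script: whether the two /24 local selectors can be collapsed into the single 10.225.172.0/23 Phase 2 suggested above, and which child SA, if any, is installed but carrying no outbound bytes (the "can you see packets going out" question). The example below is added here and is not code from the thread or from pfSense; the Phase 2 table and the child SA status lines are constructed to mirror the thread's numbers, and the status line format is invented for the demonstration (the real Status / IPsec / Overview page is a web UI, not this text). It also reports when a local selector is itself contained in the remote selector, which is the case here since 10.225.172.0/24 lies inside 10.0.0.0/8; the thread does not identify that as the cause, but it is something to be aware of when comparing selectors on both ends.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Phase2:
    """One IPsec Phase 2 (child SA) traffic selector pair."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


# Constructed to mirror the thread: two Phase 2 entries, both with remote 10.0.0.0/8.
PHASE2 = [
    Phase2("data", net("10.225.172.0/24"), net("10.0.0.0/8")),
    Phase2("voice", net("10.225.173.0/24"), net("10.0.0.0/8")),
]


def phase2_for(src: str, dst: str, entries: List[Phase2] = PHASE2) -> Optional[str]:
    """Return the name of the first Phase 2 whose selectors match a src/dst pair.

    A packet that matches no entry is not sent through the tunnel at all, so
    this is the first thing to confirm for an unreachable subnet.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p2 in entries:
        if s in p2.local and d in p2.remote:
            return p2.name
    return None


def merged_local_selectors(entries: List[Phase2] = PHASE2) -> List[str]:
    """Collapse adjacent local selectors; two adjacent /24s become one /23."""
    return [str(n) for n in ipaddress.collapse_addresses(p.local for p in entries)]


def duplicate_locals(entries: List[Phase2] = PHASE2) -> List[str]:
    """Names of entries whose local selector repeats an earlier one (the typo
    in the first post would show up here)."""
    seen, dups = set(), []
    for p in entries:
        if p.local in seen:
            dups.append(p.name)
        seen.add(p.local)
    return dups


def selector_overlap(entries: List[Phase2] = PHASE2) -> List[str]:
    """Names of entries whose local selector overlaps its own remote selector."""
    return [p.name for p in entries if p.local.overlaps(p.remote)]


# Constructed status text (hypothetical format): one child SA per line.
CHILD_SA_STATUS = """\
data  state=INSTALLED bytes_in=0 bytes_out=0
voice state=INSTALLED bytes_in=184220 bytes_out=90112
"""


def idle_child_sas(status_text: str = CHILD_SA_STATUS) -> List[str]:
    """Names of child SAs that are installed but have sent zero bytes.

    An installed SA with no outbound traffic means packets for that subnet
    never reached the tunnel, which points at routing or selector matching
    rather than at the IKE negotiation.
    """
    idle = []
    for line in status_text.splitlines():
        if not line.strip():
            continue
        name, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("state") == "INSTALLED" and int(kv.get("bytes_out", "0")) == 0:
            idle.append(name)
    return idle


if __name__ == "__main__":
    print("10.225.172.10 -> 10.10.1.1 uses:", phase2_for("10.225.172.10", "10.10.1.1"))
    print("merged local selectors:", merged_local_selectors())
    print("local inside remote:", selector_overlap())
    print("installed but idle:", idle_child_sas())
```

Run it as-is to see the thread's numbers; to check a branch of your own, replace the `PHASE2` table with its selectors and paste the per-SA byte counters into `CHILD_SA_STATUS` in the same `key=value` shape.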