Netgate Discussion Forum

    IPSEC Not supporting multiple phase2's

      Cloudkicker

      I have a situation where I am running a VPN that has 2 phase2 assignments.  The weird thing is that individually either phase2 works but if they are both enabled at the same time one will fail completely and the other bounces.  I am not sure if this is a limitation of IPSEC or I am doing something wrong.

      Under status -> IPSEC -> SPD tab these are the routes when one is disabled.

      205.x.x.134 -> 209.x.x.24
      209.x.x.24 -> 205.x.x.134

      However when both routes are enabled under SPD there are 8 routes

      205.x.x.134 -> 209.x.x.24
      209.x.x.24 -> 205.x.x.134
      205.x.x.151 -> 209.x.x.24
      209.x.x.24 -> 205.x.x.151
      205.x.x.134 -> 208.x.x.18
      208.x.x.18 -> 205.x.x.134
      205.x.x.151 -> 208.x.x.18
      208.x.x.18 -> 205.x.x.151

      Basically all permutations of all the available routes.  I believe this is part of the problem but I don't know what to do to fix it.  Any suggestions?

      Cloudkicker

        cmb

        IKEv1 or v2? What's the remote endpoint running?

          Cloudkicker

          It is set to Auto but when it comes up it says that it settles on IKEv1.  The other endpoint is a Cisco device of some kind.

          This is the configuration from the far end.

          From Atlanta VPN (v001-atl-syn (65.X.X.8 ))

          v001-atl-syn#sho access-lists ACL_Comspan_Roseburg
          Extended IP access list ACL_Comspan_Roseburg
          10 permit ip host 205.X.X.134 host 209.X.X.24 (8219763 matches)
          20 permit ip host 205.X.X.151 host 208.X.X.18 (2044859 matches)

          v001-atl-syn#show crypto session remote 209.X.X.161 detail
          Crypto session current status
          Code: C - IKE Configuration mode, D - Dead Peer Detection
          K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
          X - IKE Extended Authentication, F - IKE Fragmentation

          Interface: GigabitEthernet0/0
          Uptime: 00:24:47
          Session status: UP-ACTIVE
          Peer: 209.X.X.161 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 209.X.X.161
          Desc: (none)
          IKE SA: local 65.X.X.8/500 remote 209.X.X.161/500 Active
          Capabilities:(none) connid:8533 lifetime:23:35:12
          IPSEC FLOW: permit ip host 205.X.X.151 host 208.X.X.18
          Active SAs: 2, origin: crypto map
          Inbound:  #pkts dec'ed 761745 drop 318319 life (KB/Sec) 4576063/2112
          Outbound: #pkts enc'ed 946711 drop 2933 life (KB/Sec) 4575988/2112
          IPSEC FLOW: permit ip host 205.X.X.134 host 209.X.X.24
          Active SAs: 2, origin: crypto map
          Inbound:  #pkts dec'ed 1893459 drop 347471 life (KB/Sec) 4592693/2112
          Outbound: #pkts enc'ed 2066430 drop 1063 life (KB/Sec) 4592933/2112

          1 Reply Last reply Reply Quote 0
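The thread's symptom is visible by lining up the two pieces of output quoted above: the Cisco ACL protects exactly two host pairs, while the pfSense SPD listing with both phase 2 entries enabled carries eight policies, four of which pair hosts the far end never permits. The following diagnostic, added here as an example (it is not code from the thread, from pfSense or from Netgate), parses both listings as pasted and reports every SPD policy that no ACL line covers, plus any ACL pair with no local policy. The sample inputs are the thread's own lines with the masked `X` octets left in place; the regular expressions assume the `permit ip host A host B` and `A -> B` formats shown and would need adjusting for subnet-style selectors.

```python
import re

# Constructed sample input: the two-line ACL from the Cisco side, copied from the thread.
CISCO_ACL = """\
Extended IP access list ACL_Comspan_Roseburg
10 permit ip host 205.X.X.134 host 209.X.X.24 (8219763 matches)
20 permit ip host 205.X.X.151 host 208.X.X.18 (2044859 matches)
"""

# Constructed sample input: the eight SPD entries pfSense showed with both phase 2s enabled.
PFSENSE_SPD = """\
205.X.X.134 -> 209.X.X.24
209.X.X.24 -> 205.X.X.134
205.X.X.151 -> 209.X.X.24
209.X.X.24 -> 205.X.X.151
205.X.X.134 -> 208.X.X.18
208.X.X.18 -> 205.X.X.134
205.X.X.151 -> 208.X.X.18
208.X.X.18 -> 205.X.X.151
"""

# Assumed formats: Cisco "seq permit ip host A host B ..." and pfSense SPD "A -> B".
ACL_RE = re.compile(r"^\s*\d+\s+permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)")
SPD_RE = re.compile(r"^\s*(\S+)\s*->\s*(\S+)\s*$")


def parse_acl(text):
    """Return the set of (cisco_host, remote_host) pairs the far end will protect.

    Each 'permit ip host A host B' line is one traffic selector; an IKEv1 quick
    mode proposal from the peer has to match one of these pairs to be accepted.
    """
    pairs = set()
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            pairs.add((m.group(1), m.group(2)))
    return pairs


def parse_spd(text):
    """Return the set of (src, dst) policies in the pfSense SPD listing."""
    pairs = set()
    for line in text.splitlines():
        m = SPD_RE.match(line)
        if m:
            pairs.add((m.group(1), m.group(2)))
    return pairs


def expected_spd(acl_pairs):
    """Each protected host pair should produce exactly one policy per direction."""
    want = set()
    for a, b in acl_pairs:
        want.add((a, b))  # traffic arriving from the Cisco side
        want.add((b, a))  # traffic leaving toward the Cisco side
    return want


def compare(acl_text, spd_text):
    """Report SPD policies the peer's ACL will never match, and ACL pairs with no policy."""
    want = expected_spd(parse_acl(acl_text))
    have = parse_spd(spd_text)
    return {
        "unmatched_spd": sorted(have - want),  # cross pairs that can never negotiate
        "missing_spd": sorted(want - have),    # protected pairs with no local policy
    }


if __name__ == "__main__":
    report = compare(CISCO_ACL, PFSENSE_SPD)
    for src, dst in report["unmatched_spd"]:
        print(f"SPD policy {src} -> {dst} has no matching ACL line on the peer")
    for src, dst in report["missing_spd"]:
        print(f"ACL pair {src}/{dst} has no local SPD policy")
```

Run against the thread's listings, the report lists the four cross-pair policies (205.X.X.151 with 209.X.X.24 and 205.X.X.134 with 208.X.X.18, in both directions) and no missing pairs. Policies in the first list correspond to selectors the peer will reject during negotiation; seeing them in the SPD is a quick way to confirm that the local phase 2 definitions, rather than the phase 1 settings alone, disagree with the far end's crypto map.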
            cmb

            You don't want to set it to auto in that case; it sounds like it's configured for IKEv1 on the other end, which means any attempts you make on your side with auto will fail. Set it to IKEv1.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.