IPSEC Not supporting multiple phase2's



  • I have a situation where I am running a VPN that has 2 phase 2 assignments.  The weird thing is that individually either phase 2 works, but if they are both enabled at the same time one will fail completely and the other bounces.  I am not sure if this is a limitation of IPsec or if I am doing something wrong.

    Under status -> IPSEC -> SPD tab these are the routes when one is disabled.

    205.x.x.134 -> 209.x.x.24
    209.x.x.24 -> 205.x.x.134

    However, when both are enabled there are 8 routes under SPD:

    205.x.x.134 -> 209.x.x.24
    209.x.x.24 -> 205.x.x.134
    205.x.x.151 -> 209.x.x.24
    209.x.x.24 -> 205.x.x.151
    205.x.x.134 -> 208.x.x.18
    208.x.x.18 -> 205.x.x.134
    205.x.x.151 -> 208.x.x.18
    208.x.x.18 -> 205.x.x.151

    Basically all permutations of all the available routes.  I believe this is part of the problem but I don't know what to do to fix it.  Any suggestions?

    Cloudkicker



  • IKEv1 or v2? What's the remote endpoint running?



  • It is set to Auto, but when it comes up it says that it settles on IKEv1.  The other endpoint is a Cisco device of some kind.

    This is the configuration from the far end.

    From Atlanta VPN (v001-atl-syn (65.X.X.8 )):

    v001-atl-syn#sho access-lists ACL_Comspan_Roseburg
    Extended IP access list ACL_Comspan_Roseburg
        10 permit ip host 205.X.X.134 host 209.X.X.24 (8219763 matches)
        20 permit ip host 205.X.X.151 host 208.X.X.18 (2044859 matches)

    v001-atl-syn#show crypto session remote 209.X.X.161 detail
    Crypto session current status

    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation

    Interface: GigabitEthernet0/0
    Uptime: 00:24:47
    Session status: UP-ACTIVE
    Peer: 209.X.X.161 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 209.X.X.161
          Desc: (none)
      IKE SA: local 65.X.X.8/500 remote 209.X.X.161/500 Active
              Capabilities:(none) connid:8533 lifetime:23:35:12
      IPSEC FLOW: permit ip host 205.X.X.151 host 208.X.X.18
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 761745 drop 318319 life (KB/Sec) 4576063/2112
            Outbound: #pkts enc'ed 946711 drop 2933 life (KB/Sec) 4575988/2112
      IPSEC FLOW: permit ip host 205.X.X.134 host 209.X.X.24
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 1893459 drop 347471 life (KB/Sec) 4592693/2112
            Outbound: #pkts enc'ed 2066430 drop 1063 life (KB/Sec) 4592933/2112
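The first check a practitioner would run on a tunnel that misbehaves only when several phase 2 entries are enabled is to line up the traffic selectors each side actually installs: the SPD listing from the first post on one side and the crypto ACL from the Cisco output above on the other. The script below is an added example written for this thread; it is not code from either poster or from pfSense or Cisco. It uses constructed sample input modelled on the two listings (placeholder octets kept as posted), and every function name in it is the example's own. It reports the directed flows present in the SPD that the peer's ACL does not cover, and vice versa; it does not decide whether such a difference is what causes the bounce described above, which the thread does not establish.

```python
import re
from typing import Dict, Set, Tuple

Flow = Tuple[str, str]  # (source, destination)

# Constructed sample input modelled on the thread's listings; not a capture
# from either real device.
SPD_SAMPLE = """\
205.x.x.134 -> 209.x.x.24
209.x.x.24 -> 205.x.x.134
205.x.x.151 -> 209.x.x.24
209.x.x.24 -> 205.x.x.151
205.x.x.134 -> 208.x.x.18
208.x.x.18 -> 205.x.x.134
205.x.x.151 -> 208.x.x.18
208.x.x.18 -> 205.x.x.151
"""

ACL_SAMPLE = """\
Extended IP access list ACL_Comspan_Roseburg
    10 permit ip host 205.X.X.134 host 209.X.X.24 (8219763 matches)
    20 permit ip host 205.X.X.151 host 208.X.X.18 (2044859 matches)
"""

SPD_RE = re.compile(r"^\s*(\S+)\s*->\s*(\S+)\s*$")
ACL_RE = re.compile(r"permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)")


def parse_spd(text: str) -> Set[Flow]:
    """Parse 'src -> dst' lines as shown on the SPD tab into directed flows."""
    flows: Set[Flow] = set()
    for line in text.splitlines():
        m = SPD_RE.match(line)
        if m:
            # Lower-case so 'X' and 'x' placeholders (or mixed-case input) compare equal.
            flows.add((m.group(1).lower(), m.group(2).lower()))
    return flows


def parse_cisco_acl(text: str) -> Set[Flow]:
    """Parse 'permit ip host A host B' entries from 'show access-lists' output.

    Only host-to-host entries are handled here; subnet/wildcard entries are
    ignored, which is an intentional limit of this example.
    """
    flows: Set[Flow] = set()
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            flows.add((m.group(1).lower(), m.group(2).lower()))
    return flows


def mirror(flows: Set[Flow]) -> Set[Flow]:
    """Expand each ACL entry into both directions.

    A Cisco crypto ACL is written for outbound traffic and is applied in
    reverse for inbound, while the SPD listing shows both directions
    explicitly, so both sides are normalised to directed flows first.
    """
    return flows | {(dst, src) for src, dst in flows}


def compare_selectors(spd_text: str, acl_text: str) -> Dict[str, Set[Flow]]:
    """Return flows only in the SPD, only in the peer ACL, and present on both."""
    spd = parse_spd(spd_text)
    acl = mirror(parse_cisco_acl(acl_text))
    return {"spd_only": spd - acl, "acl_only": acl - spd, "matched": spd & acl}


def report(spd_text: str, acl_text: str) -> str:
    """Human-readable summary of compare_selectors()."""
    result = compare_selectors(spd_text, acl_text)
    lines = []
    for label, flows in result.items():
        lines.append(f"{label} ({len(flows)}):")
        lines.extend(f"  {src} -> {dst}" for src, dst in sorted(flows))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SPD_SAMPLE, ACL_SAMPLE))
```

On the sample data the four cross pairs (134 to 18, 151 to 24, and their reverses) come back as spd_only and nothing comes back as acl_only, which is exactly the difference a reader can see by eye between the eight-entry SPD list and the two-line ACL; the script just makes the comparison mechanical for larger selector sets. Paste in real SPD and ACL output in place of the constructed samples to run it against a live pair of endpoints.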



  • You don't want to set it to auto in that case, it sounds like it's configured for IKEv1 on the other end, which means any attempts you make on your side with auto will fail. Set it to IKEv1.