IPSEC Not supporting multiple phase2's
-
I have a situation where I am running a VPN that has 2 phase2 assignments. The weird thing is that individually either phase2 works, but if they are both enabled at the same time, one will fail completely and the other bounces. I am not sure if this is a limitation of IPSEC or I am doing something wrong.
Under status -> IPSEC -> SPD tab these are the routes when one is disabled.
205.x.x.134 -> 209.x.x.24
209.x.x.24 -> 205.x.x.134
However when both routes are enabled under SPD there are 8 routes
205.x.x.134 -> 209.x.x.24
209.x.x.24 -> 205.x.x.134
205.x.x.151 -> 209.x.x.24
209.x.x.24 -> 205.x.x.151
205.x.x.134 -> 208.x.x.18
208.x.x.18 -> 205.x.x.134
205.x.x.151 -> 208.x.x.18
208.x.x.18 -> 205.x.x.151
Basically all permutations of all the available routes. I believe this is part of the problem but I don't know what to do to fix it. Any suggestions?
Cloudkicker
-
IKEv1 or v2? What's the remote endpoint running?
-
It is set to Auto but when it comes up it says that it settles on IKEv1. The other endpoint is a Cisco device of some kind.
This is the configuration from the far end.
From Atlanta VPN (v001-atl-syn (65.X.X.8 ))
v001-atl-syn#sho access-lists ACL_Comspan_Roseburg
Extended IP access list ACL_Comspan_Roseburg
10 permit ip host 205.X.X.134 host 209.X.X.24 (8219763 matches)
20 permit ip host 205.X.X.151 host 208.X.X.18 (2044859 matches)
v001-atl-syn#show crypto session remote 209.X.X.161 detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Uptime: 00:24:47
Session status: UP-ACTIVE
Peer: 209.X.X.161 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 209.X.X.161
Desc: (none)
IKE SA: local 65.X.X.8/500 remote 209.X.X.161/500 Active
Capabilities:(none) connid:8533 lifetime:23:35:12
IPSEC FLOW: permit ip host 205.X.X.151 host 208.X.X.18
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 761745 drop 318319 life (KB/Sec) 4576063/2112
Outbound: #pkts enc'ed 946711 drop 2933 life (KB/Sec) 4575988/2112
IPSEC FLOW: permit ip host 205.X.X.134 host 209.X.X.24
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 1893459 drop 347471 life (KB/Sec) 4592693/2112
Outbound: #pkts enc'ed 2066430 drop 1063 life (KB/Sec) 4592933/2112
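An added check, not part of the thread: it parses the Cisco crypto ACL above and the 8-entry SPD listing from the first post, and reports which local selectors the peer's ACL will never negotiate. It also shows that the observed SPD is exactly the cross product of the two peer hosts and the two local hosts. The inputs are constructed from the thread, with the x/X placeholder octets normalized to X.

```python
import re
from itertools import product

# Constructed sample input, copied from the thread; the X octets are the
# poster's placeholders, so a real run would substitute the full addresses.
CISCO_ACL = """\
Extended IP access list ACL_Comspan_Roseburg
10 permit ip host 205.X.X.134 host 209.X.X.24 (8219763 matches)
20 permit ip host 205.X.X.151 host 208.X.X.18 (2044859 matches)
"""

# SPD entries as listed on the firewall with both phase 2s enabled.
LOCAL_SPD = """\
205.X.X.134 -> 209.X.X.24
209.X.X.24 -> 205.X.X.134
205.X.X.151 -> 209.X.X.24
209.X.X.24 -> 205.X.X.151
205.X.X.134 -> 208.X.X.18
208.X.X.18 -> 205.X.X.134
205.X.X.151 -> 208.X.X.18
208.X.X.18 -> 205.X.X.151
"""

ACL_RE = re.compile(r"^\s*\d+\s+permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)")
SPD_RE = re.compile(r"^\s*(\S+)\s*->\s*(\S+)\s*$")


def peer_flows(acl_text):
    """(src, dst) host pairs the peer's crypto ACL permits (host/host lines only)."""
    return {m.groups() for line in acl_text.splitlines() if (m := ACL_RE.match(line))}


def expected_spd(flows):
    """Each peer flow needs exactly one SPD entry per direction on our side."""
    return {pair for a, b in flows for pair in ((a, b), (b, a))}


def observed_spd(spd_text):
    """Parse the 'src -> dst' lines shown on the SPD status tab."""
    return {m.groups() for line in spd_text.splitlines() if (m := SPD_RE.match(line))}


def cross_product_spd(peer_hosts, our_hosts):
    """SPD that results when every peer host is paired with every local host."""
    return {pair for a, b in product(peer_hosts, our_hosts) for pair in ((a, b), (b, a))}


def compare(acl_text, spd_text):
    """Selectors the peer ACL does not cover ('extra') and ones we lack ('missing')."""
    want, have = expected_spd(peer_flows(acl_text)), observed_spd(spd_text)
    return {"extra": sorted(have - want), "missing": sorted(want - have)}


if __name__ == "__main__":
    result = compare(CISCO_ACL, LOCAL_SPD)
    print("extra selectors not in peer ACL:", result["extra"])
    print("missing selectors:", result["missing"])
```

The four entries reported as extra are the cross pairs (134 with 208.X.X.18 and 151 with 209.X.X.24), which match neither ACL line on the Cisco side.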
-
You don't want to set it to auto in that case; it sounds like it's configured for IKEv1 on the other end, which means any attempts you make on your side with auto will fail. Set it to IKEv1.