Multiple Phase2 entries does not seem to work in IPSec.
-
I have 2 phase 2 entries but only one works at a time. Sometimes both P2s work, but I am not sure why this happens.
Listening IP addresses:
X.X.X.X
X.X.X.X
X.X.X.X
Connections:
con1000: X.X.X.X...X.X.X.X IKEv2
con1000: local: [X.X.X.X] uses pre-shared key authentication
con1000: remote: [X.X.X.X] uses pre-shared key authentication
con1000: child: X.X.X.X/32|X.X.X.X/32 === X.X.X.X/32|/0 TUNNEL
con1001: child: X.X.X.X/32|X.X.X.X/32 === X.X.X.X/32|/0 TUNNEL
Routed Connections:
con1001{28}: ROUTED, TUNNEL, reqid 3
con1001{28}: X.X.X.X/32|X.X.X.X/32 === X.X.X.X/32|/0
con1000{27}: ROUTED, TUNNEL, reqid 1
con1000{27}: X.X.X.X/32|X.X.X.X/32 === X.X.X.X/32|/0
Security Associations (2 up, 0 connecting):
con1000[3]: ESTABLISHED 11 minutes ago, X.X.X.X[X.X.X.X]...X.X.X.X[X.X.X.X]
con1000[3]: IKEv2 SPIs: 01129db8f2a17834_i* 9698e672f3e59914_r, pre-shared key reauthentication in 23 hours
con1000[3]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
con1000{30}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ceca2dee_i db4e1d4f_o
con1000{30}: AES_CBC_256/HMAC_SHA2_256_128, 868 bytes_i (16 pkts, 703s ago), 1760 bytes_o (16 pkts, 421s ago), rekeying in 7 hours
con1000{30}: X.X.X.X/32|X.X.X.X/32 === X.X.X.X/32|/0
con1000[2]: ESTABLISHED 11 minutes ago, X.X.X.X[X.X.X.X]...X.X.X.X[X.X.X.X]
con1000[2]: IKEv2 SPIs: 730214bbab75ff3a_i* 3d9b52be6f436a7f_r, pre-shared key reauthentication in 23 hours
con1000[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
con1001{29}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c1830a7a_i 1042387a_o
con1001{29}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 8060 bytes_o (69 pkts, 429s ago), rekeying in 7 hours
con1001{29}: X.X.X.X/32|X.X.X.X/32 === X.X.X.X/32|/0
-
You've masked out too much information. So much that it's impossible to tell what might be happening.
Are you using NAT on these? On both? Are both using the same NAT address and remote network?
If you could try it again but use a unique value corresponding to each address involved that would help.
If you are NATing on both, that's sort of a known issue (a.a.a.a NAT to b.b.b.b, remote z.z.z.z + a.a.a.c NAT to b.b.b.b, remote z.z.z.z), since to the other side it looks like one single P2, so it won't necessarily establish a new one.
-
Listening IP addresses:
y.y.y.y
172.31.1.60
10.10.10.1
Connections:
con1000: y.y.y.y...x.x.x.x IKEv2
con1000: local: [y.y.y.y] uses pre-shared key authentication
con1000: remote: [x.x.x.x] uses pre-shared key authentication
con1000: child: 10.255.68.201/32|172.31.1.91/32 === 172.25.116.79/32|/0 TUNNEL
con1001: child: 10.255.68.201/32|172.31.1.91/32 === 172.29.116.71/32|/0 TUNNEL
Routed Connections:
con1001{3}: ROUTED, TUNNEL, reqid 3
con1001{3}: 10.255.68.201/32|172.31.1.91/32 === 172.29.116.71/32|/0
con1000{2}: ROUTED, TUNNEL, reqid 2
con1000{2}: 10.255.68.201/32|172.31.1.91/32 === 172.25.116.79/32|/0
Security Associations (2 up, 0 connecting):
con1000[2]: ESTABLISHED 17 minutes ago, y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
con1000[2]: IKEv2 SPIs: 992902db969bef38_i* 32014dd909ca69e2_r, pre-shared key reauthentication in 23 hours
con1000[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
con1001{5}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c1cff00b_i 700aa3d1_o
con1001{5}: AES_CBC_256/HMAC_SHA2_256_128, 1064 bytes_i (20 pkts, 1057s ago), 2224 bytes_o (20 pkts, 115s ago), rekeying in 7 hours
con1001{5}: 10.255.68.201/32|172.31.1.91/32 === 172.29.116.71/32|/0
con1000[1]: ESTABLISHED 17 minutes ago, y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
con1000[1]: IKEv2 SPIs: 1fb87f4e5e23c80a_i* 117b188b169c98e2_r, pre-shared key reauthentication in 23 hours
con1000[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
con1000{4}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cda1876b_i 842a4278_o
con1000{4}: AES_CBC_256/HMAC_SHA2_256_128, 868 bytes_i (16 pkts, 1056s ago), 1760 bytes_o (16 pkts, 1015s ago), rekeying in 7 hours
con1000{4}: 10.255.68.201/32|172.31.1.91/32 === 172.25.116.79/32|/0
x.x.x.x => remote gateway
y.y.y.y => router gateway
-
@jimp said in Multiple Phase2 entries does not seem to work in IPSec.:
uld try it again but use a unique value corresponding to e
172.31.1.60 and 10.10.10.1 are the IPs for the LAN interfaces
172.31.1.91<Nat>10.255.68.201
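One way to check for the situation jimp describes above (two phase 2 entries that collapse to the same selector pair once NAT is applied, so the far side sees only one P2) is to parse the `child:` lines of the status output and group them by the pair the peer actually sees. This is an added example, not code from the thread or from pfSense; it assumes the `child:` line layout is `<NAT subnet>|<real subnet> === <remote>|...`, consistent with the poster's note that 172.31.1.91 is NATed to 10.255.68.201, and the con1002/con1003 lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "child:" lines in the status output above.
# con1000/con1001 mirror the poster's two entries (same NAT address, different
# remotes, so no collision). con1002/con1003 are a constructed instance of the
# case jimp describes: two LAN hosts NATed to one address toward one remote.
SAMPLE_STATUS = """\
con1000: child: 10.255.68.201/32|172.31.1.91/32 === 172.25.116.79/32|/0 TUNNEL
con1001: child: 10.255.68.201/32|172.31.1.91/32 === 172.29.116.71/32|/0 TUNNEL
con1002: child: 10.255.68.201/32|172.31.1.92/32 === 192.0.2.10/32|/0 TUNNEL
con1003: child: 10.255.68.201/32|172.31.1.93/32 === 192.0.2.10/32|/0 TUNNEL
"""

CHILD_RE = re.compile(r"^(?P<conn>\S+): child: (?P<local>\S+) === (?P<remote>\S+) TUNNEL$")


def split_selector(field):
    """Split 'a|b' into (a, b); a field without '|' has an empty second part."""
    if "|" in field:
        outer, inner = field.split("|", 1)
        return outer, inner
    return field, ""


def parse_children(status_text):
    """Return one dict per 'child:' line: conn name, peer-visible (NAT) local
    selector, real local subnet, and remote selector. Assumed layout:
    '<nat-subnet>|<real-subnet> === <remote>|...'; non-matching lines are skipped."""
    children = []
    for line in status_text.splitlines():
        m = CHILD_RE.match(line.strip())
        if not m:
            continue
        nat_local, real_local = split_selector(m.group("local"))
        remote, _ = split_selector(m.group("remote"))
        children.append({"conn": m.group("conn"), "nat_local": nat_local,
                         "real_local": real_local, "remote": remote})
    return children


def find_collisions(children):
    """Group child SAs by the selector pair the peer sees (nat_local, remote).
    A group with more than one conn is the known issue: the peer sees a single
    P2 and will not necessarily bring up a second one."""
    groups = defaultdict(list)
    for c in children:
        groups[(c["nat_local"], c["remote"])].append(c["conn"])
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for pair, conns in find_collisions(parse_children(SAMPLE_STATUS)).items():
        print(f"peer sees one selector pair {pair[0]} === {pair[1]} for: {', '.join(conns)}")
```

For the poster's own two entries the remotes differ, so this check reports nothing for them; it only flags con1002/con1003 in the constructed sample.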