IKEv2 phase2 behaviour



  • After switching some tunnels to IKEv2 I have seen inconsistent behaviour in how phase 2 SAs are shown in the status page. Some just have one entry with the local and remote subnets summed up, while others seem to use the old IKEv1 style with a different SA for every specified phase 2 entry.
    It seems that the latter is causing some problems, like some subnets working while others are not.
    The only thing I can think of is that this is dependent on the device on the other end, but I still don't get it.
    Can anyone say something about this?



  • Some pics here to make it clear. Hence, both are IKEv2 responders.
    With multiple SAs the tunnel seems to cause more problems. In order to solve that I tried disabling rekeying, but it didn't help.
    Hope someone can explain the difference, maybe that's a hint as to how the problems can be solved.






  • No one seeing the same?



  • The difference is whether or not it has multiple traffic selectors on a single child SA. Which, as responder, will be dependent on what the other end is doing. What is the other end?
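    As an added illustration of the two shapes cmb is describing (this is not from the thread or from pfSense itself; it uses strongSwan's swanctl.conf syntax, which pfSense drives under the hood, and all addresses and subnets are made up), here is the same pair of subnets written once as a single child SA with several traffic selectors and once as one child SA per subnet pair:

```conf
# Added example, not from the original post. Addresses are constructed.
connections {

    # Shape 1: ONE child SA carrying several traffic selectors.
    # The status page shows a single entry that lists every
    # local and remote subnet together.
    site-a {
        version = 2
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.1
        children {
            all-nets {
                # comma-separated lists: all local x remote combinations
                # are covered by this one SA
                local_ts  = 192.168.10.0/24,192.168.20.0/24
                remote_ts = 10.1.0.0/24,10.2.0.0/24
            }
        }
    }

    # Shape 2: ONE child SA PER subnet pair (the "IKEv1-looking" form).
    # Each child is negotiated, rekeyed and can fail on its own, which is
    # why some subnets can be up while others are down.
    site-b {
        version = 2
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.2
        children {
            net10 {
                local_ts  = 192.168.10.0/24
                remote_ts = 10.1.0.0/24
            }
            net20 {
                local_ts  = 192.168.20.0/24
                remote_ts = 10.2.0.0/24
            }
        }
    }
}
```

    Two things worth keeping in mind when reading your status page against this. First, the shapes are not equivalent: the single child in shape 1 carries every local/remote combination (four in this case), whereas shape 2 only carries the two explicitly listed pairs. Second, as the responder you do not pick the shape; IKEv2 (RFC 7296) lets the initiator propose the selectors and lets the responder narrow them, so a peer that opens one CHILD_SA per subnet pair will produce shape 2 no matter how the local side is written. With shape 2, a subnet that never comes up usually means that pair's selectors were not accepted during negotiation, so the IPsec log for that specific pair is the place to look rather than the rekey settings.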



  • @cmb:

    The difference is whether or not it has multiple traffic selectors on a single child SA. Which, as responder, will be dependent on what the other end is doing. What is the other end?

    Sonicwall, don't know exactly what type as I don't control the other end.

