[SOLVED] IPSec Bug?

Started by GaardenZwerch, July 17, 2018, 04:16:28 PM

July 17, 2018, 04:16:28 PM Last Edit: July 19, 2018, 09:43:30 AM by franco
Hi,

I have discovered weird behaviour with IPSec:
one local network needs to access two different networks behind the same remote IPSec gateway.
So I figured I create one Phase-1 entry and attach two phase-2 entries (one for each remote net) to it.
It won't work.

Desperate, I went ahead and created two exactly identical Phase-1 entries (same IPs, same shared secret) and attached one Phase-2 to each of them. Works like a charm. Is this expected behaviour?

See attached screenshots for clarity


Hello,

We use multiple phase 2 entries and it works fine. What IPsec software is on the other side? Do you have any log entries when it tries to establish the connection?

Hi,

The other end is Cisco.

Here's the error I got when doing ipsec up conXX on the command line.

IKE_SA con2[21] established between [deleted IPs]
scheduling reauthentication in 2696s
maximum IKE_SA lifetime 3236s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA

Can you try the phase 1 Tunnel Isolation mode? It should work... it's the same as adding multiple phase 1 with the same config with a single phase 2 on top. My FortiGate devices need this, otherwise they won't route more than one phase 2.


Cheers,
Franco
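The log Frank posted shows the two halves of the symptom separately: the IKE_SA (phase 1) comes up, then the peer answers the CHILD_SA (phase 2) proposal with a TS_UNACCEPTABLE notify and strongSwan keeps the IKE_SA without a tunnel. The following script is an added example, not code from this thread or from OPNsense; it parses charon output of this shape and reports, per connection name, whether the IKE_SA and CHILD_SA came up and which notify the peer sent when it rejected the child. The sample log reuses the lines from the thread and adds one constructed success case (connection name con3, SPIs, and subnets are made up) so both outcomes are exercised.

```python
import re
from typing import Dict, Iterable, List, Optional

# Sample charon output: the first five lines are the ones posted in the thread,
# the last two are constructed to show what a successful negotiation looks like.
SAMPLE_LOG = [
    "IKE_SA con2[21] established between [deleted IPs]",
    "scheduling reauthentication in 2696s",
    "maximum IKE_SA lifetime 3236s",
    "received TS_UNACCEPTABLE notify, no CHILD_SA built",
    "failed to establish CHILD_SA, keeping IKE_SA",
    "IKE_SA con3[22] established between [deleted IPs]",   # constructed
    "CHILD_SA con3{5} established with SPIs c1f8d3a2_i 3c4e7b9f_o "
    "and TS 10.0.0.0/24 === 192.168.2.0/24",              # constructed
]

# charon names the connection followed by a unique id: con2[21] for the
# IKE_SA, con3{5} for a CHILD_SA. The notify/failure lines carry no name and
# refer to the connection most recently mentioned.
IKE_UP = re.compile(r"IKE_SA (?P<conn>\S+?)\[\d+\] established")
CHILD_UP = re.compile(r"CHILD_SA (?P<conn>\S+?)\{\d+\} established")
NOTIFY = re.compile(r"received (?P<notify>[A-Z_]+) notify, no CHILD_SA built")
CHILD_FAIL = re.compile(r"failed to establish CHILD_SA, keeping IKE_SA")


def _new_entry() -> dict:
    return {"ike_sa": False, "child_sa": False, "notify": None}


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per-connection outcome: IKE_SA up?, CHILD_SA up?, rejecting notify (if any)."""
    result: Dict[str, dict] = {}
    current: Optional[str] = None  # connection the unnamed lines refer to
    for raw in lines:
        line = raw.strip()
        m = IKE_UP.search(line)
        if m:
            current = m.group("conn")
            result.setdefault(current, _new_entry())["ike_sa"] = True
            continue
        m = CHILD_UP.search(line)
        if m:
            current = m.group("conn")
            result.setdefault(current, _new_entry())["child_sa"] = True
            continue
        if current is None:
            continue  # no connection named yet; nothing to attribute this line to
        m = NOTIFY.search(line)
        if m:
            result[current]["notify"] = m.group("notify")
        elif CHILD_FAIL.search(line):
            result[current]["child_sa"] = False
    return result


def ts_rejected(summary: Dict[str, dict]) -> List[str]:
    """Connections whose IKE_SA is up but whose CHILD_SA the peer refused with
    TS_UNACCEPTABLE, i.e. the exact pattern from the thread: the peer accepted
    phase 1 but would not accept the traffic selectors offered for phase 2."""
    return sorted(
        name for name, s in summary.items()
        if s["ike_sa"] and not s["child_sa"] and s["notify"] == "TS_UNACCEPTABLE"
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for name, state in summary.items():
        print(name, state)
    print("TS_UNACCEPTABLE on:", ts_rejected(summary))
```

Run against the sample, con2 comes out as IKE_SA up / CHILD_SA down / notify TS_UNACCEPTABLE while con3 shows both SAs up. That distinction is what tells you the shared secret, IKE proposal and peer address are fine and the problem is in the phase 2 negotiation, which is where Franco's Tunnel Isolation suggestion applies: each phase 2 then gets its own IKE_SA instead of being proposed as a second child of an existing one.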

Thanks Franco,
that's it.
I will ask what exactly the other side runs, maybe you want to extend the documentation of the option.

Thanks a lot,

Frank

Can you clarify which exact Cisco model and version?
I run many VPNs with IOS routers just fine.

Hi again,
for your info:
remote is a Cisco 3925 (with encryption board) running IOS 15.4.3M8

I consider my problem as solved.

Frank

Thanks!

I use the C886VA with the same IOS and it's working with multiple P2s without Tunnel Isolation, but good to know in case problems come up in the future.