OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: GaardenZwerch on September 17, 2019, 02:21:55 pm

Title: Multiple phase2, Cisco, and Tunnel Isolation
Post by: GaardenZwerch on September 17, 2019, 02:21:55 pm
Hi,

I have trouble getting an IPSec connection to a Cisco: I need several phase2 tunnels (and NAT on my side). When I uncheck 'Tunnel Isolation' in phase1, the connection fails with
Code:
received TS_UNACCEPTABLE notify, no CHILD_SA built

When I check 'Tunnel isolation' (no other change to the config), each phase2 can be brought up without a problem, but this brings other problems described here:

https://forum.opnsense.org/index.php?topic=14240.0

Thanks for any hints,
Frank
Title: Re: Multiple phase2, Cisco, and Tunnel Isolation
Post by: GaardenZwerch on September 18, 2019, 01:08:44 pm
weirdly enough,
if I create two identical Phase1, each with one Phase2, I get the same error.
If I check 'Tunnel Isolation' on both Phase1, it works. The resulting ipsec.conf is basically identical in that case,
except that conX is broken into conX and conX-000,
but all params are the same.

Unfortunately my problem is not solved by this, because as soon as I configure the 'Manual SPDs' that I need, traffic gets routed with the wrong SPIs, as described here: https://forum.opnsense.org/index.php?topic=14240.0
Title: Re: Multiple phase2, Cisco, and Tunnel Isolation
Post by: GaardenZwerch on September 19, 2019, 07:46:53 am
Sorry if I'm chatting with myself here, but I just found out that Cisco says this can't be done (screenshot)

Title: Re: Multiple phase2, Cisco, and Tunnel Isolation
Post by: mimugmail on September 19, 2019, 08:03:28 am
You split your problem into two threads, hard to follow.
Is there a workaround listed in Cisco Bug?
Title: Re: Multiple phase2, Cisco, and Tunnel Isolation
Post by: GaardenZwerch on September 19, 2019, 09:24:27 am
Quote from: mimugmail
You split your problem into two threads, hard to follow.
It's because I believe they are two distinct problems. But solving either one would get me what I need ;)

Quote from: mimugmail
Is there a workaround listed in Cisco Bug?
Yes:
Quote from: Cisco
A broader crypto ACL can be configured to have only one line in the ACL.
Also, if feasible, a VTI can be used when both endpoints support route based IKEv2 IPSec tunnels.
In my case, both suggestions are the same ;-)
I need parts in 10.x, 192.168.x, as well as a 'non-private-but-only-used-internally-Class-B'. So 0/0 would match that.
Route-based IPsec is what we will try next.
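To show why several phase2 entries in one CHILD_SA end in TS_UNACCEPTABLE while isolated CHILD_SAs or one broad selector succeed, here is an added example (not code from the thread, strongSwan or Cisco): a simplified Python model of IKEv2 traffic-selector narrowing against a responder that, as the quoted Cisco note describes, carries only one selector pair per CHILD_SA. The subnets, ACL lines and the max_selectors limit are constructed assumptions.

```python
from ipaddress import ip_network

# Constructed sample values (not from the thread): two local subnets behind
# the OPNsense side, one remote subnet, and the peer's crypto ACL lines.
LOCAL_NETS = [ip_network("10.1.0.0/16"), ip_network("192.168.1.0/24")]
REMOTE_NET = ip_network("172.16.0.0/16")
ACL_PER_SUBNET = [(n, REMOTE_NET) for n in LOCAL_NETS]  # one ACL line per subnet
ACL_BROAD = [(ip_network("0.0.0.0/0"), REMOTE_NET)]     # single broad ACL line


def narrow(proposed, allowed):
    """RFC 7296 section 2.9 style narrowing: for each proposed selector keep
    its overlap with a permitted one. CIDR blocks either nest or are disjoint,
    so the overlap is simply the narrower block. Duplicates are dropped."""
    out = []
    for p in proposed:
        for a in allowed:
            keep = p if p.subnet_of(a) else a if a.subnet_of(p) else None
            if keep is not None and keep not in out:
                out.append(keep)
    return out


def negotiate_child(ts_i, ts_r, acl_lines, max_selectors=1):
    """Model a responder that accepts at most `max_selectors` entries per side
    in one CHILD_SA (the single-ACL-line limit quoted in the thread; this is an
    assumption of the model, not Cisco's actual implementation). Returns a
    status plus the narrowed TSi/TSr; empty or oversized -> TS_UNACCEPTABLE."""
    tsi = narrow(ts_i, [local for local, _ in acl_lines])
    tsr = narrow(ts_r, [remote for _, remote in acl_lines])
    if not tsi or not tsr or len(tsi) > max_selectors or len(tsr) > max_selectors:
        return ("TS_UNACCEPTABLE", [], [])
    return ("ok", tsi, tsr)


def demo():
    """The three setups from the thread: all phase2 in one CHILD_SA (fails),
    'Tunnel Isolation' giving one CHILD_SA per phase2 (works), and one broad
    0/0 selector on both sides (works)."""
    combined = negotiate_child(LOCAL_NETS, [REMOTE_NET], ACL_PER_SUBNET)[0]
    isolated = [negotiate_child([n], [REMOTE_NET], ACL_PER_SUBNET)[0] for n in LOCAL_NETS]
    broad = negotiate_child([ip_network("0.0.0.0/0")], [REMOTE_NET], ACL_BROAD)[0]
    return {"combined": combined, "isolated": isolated, "broad": broad}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```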


Title: Re: Multiple phase2, Cisco, and Tunnel Isolation
Post by: mimugmail on September 19, 2019, 04:26:06 pm
Good idea! :)