OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: GaardenZwerch on July 17, 2018, 04:16:28 pm
-
Hi,
I have discovered weird behaviour with IPSec:
one local network needs to access two different networks behind the same remote IPSec gateway.
So I figured I create one Phase-1 entry and attach two phase-2 entries (one for each remote net) to it.
It won't work.
Desperate, I went ahead and created two exactly identical Phase-1 entries (same IPs, same shared secret) and attached one Phase-2 to each of them. Works like a charm. Is this expected behaviour?
See attached screenshots for clarity
-
Hello,
we use multiple phase 2 entries and it works fine. What IPsec software is on the other side? Do you have any log entries when it tries to establish the connection?
-
Hi,
the other end is Cisco.
here's the error I got when doing ipsec up conXX on the command line.
IKE_SA con2[21] established between [deleted IPs]
scheduling reauthentication in 2696s
maximum IKE_SA lifetime 3236s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
-
Can you try the phase 1 Tunnel Isolation mode? It should work... it's the same as adding multiple phase 1 with the same config with a single phase 2 on top. My FortiGate devices need this, otherwise they won't route more than one phase 2.
Cheers,
Franco
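The log excerpt quoted above is the pattern to recognise here: the IKE_SA (phase 1) comes up, then the peer answers the CHILD_SA (phase 2) proposal with TS_UNACCEPTABLE and only phase 1 survives. The following Python script is an added example, not part of this thread and not OPNsense code; it parses charon-style lines of that shape, separates "phase 1 up, phase 2 rejected" from a fully established tunnel, and reports the notify type the peer sent. The sample lines are constructed (the two from the thread plus one invented healthy connection `con3`), and the function names `summarize`, `phase2_failures` and `explain` are hypothetical.

```python
import re

# Constructed sample log: the lines quoted in the thread (IPs removed by the
# poster) followed by an invented healthy connection for contrast.
SAMPLE_LOG = """\
IKE_SA con2[21] established between [deleted IPs]
scheduling reauthentication in 2696s
maximum IKE_SA lifetime 3236s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
IKE_SA con3[22] established between [deleted IPs]
CHILD_SA con3{5} established with SPIs c0ffee01_i deadbeef_o and TS 10.0.1.0/24 === 10.0.2.0/24
"""

# charon names an IKE_SA as name[id] and a CHILD_SA as name{id}.
IKE_UP = re.compile(r"IKE_SA (\S+?)\[\d+\] established")
CHILD_UP = re.compile(r"CHILD_SA (\S+?)\{\d+\} established")
NOTIFY_FAIL = re.compile(r"received (\w+) notify, no CHILD_SA built")

# Meaning of the notify types a practitioner is most likely to meet here
# (IKEv2 notify names as defined in RFC 7296).
NOTIFY_HINTS = {
    "TS_UNACCEPTABLE": "peer rejected the proposed traffic selectors "
                       "(phase 2 local/remote networks); compare the phase 2 "
                       "definitions on both sides or try phase 1 Tunnel Isolation",
    "NO_PROPOSAL_CHOSEN": "peer accepted no ESP proposal; compare phase 2 "
                          "encryption/hash/DH settings",
}


def summarize(log_text):
    """Return {conn_name: {"ike_sa": bool, "child_sa": str, "notify": str|None}}.

    child_sa is "pending", "established" or "failed".  A failure notify is
    attributed to the most recently established IKE_SA, which is how the
    lines are ordered in `ipsec up` output.
    """
    state = {}
    current = None
    for line in log_text.splitlines():
        m = IKE_UP.search(line)
        if m:
            current = m.group(1)
            state[current] = {"ike_sa": True, "child_sa": "pending", "notify": None}
            continue
        m = CHILD_UP.search(line)
        if m:
            entry = state.setdefault(m.group(1), {"ike_sa": True, "child_sa": "pending", "notify": None})
            entry["child_sa"] = "established"
            continue
        m = NOTIFY_FAIL.search(line)
        if m and current is not None:
            state[current]["child_sa"] = "failed"
            state[current]["notify"] = m.group(1)
    return state


def phase2_failures(state):
    """Connections whose IKE_SA is up but whose CHILD_SA was rejected."""
    return {name: s["notify"] for name, s in state.items()
            if s["ike_sa"] and s["child_sa"] == "failed"}


def explain(notify):
    """Human-readable hint for a notify type, or a generic fallback."""
    return NOTIFY_HINTS.get(notify, "unrecognised notify; check the peer's logs")


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for name, info in result.items():
        print(f"{name}: IKE_SA up, CHILD_SA {info['child_sa']}")
    for name, notify in phase2_failures(result).items():
        print(f"  {name}: {notify} -> {explain(notify)}")
```

Run against live output by piping `ipsec up <conn>` or the charon log into `summarize`; a connection listed by `phase2_failures` with `TS_UNACCEPTABLE` is exactly the case discussed in this thread, where phase 1 is fine and only the phase 2 selector negotiation is being refused by the peer.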
-
Thanks Franco,
that's it.
I will ask what exactly the other side runs, maybe you want to extend the documentation of the option.
Thanks a lot,
Frank
-
Can you clarify exactly which Cisco model and version?
I run many VPNs with IOS routers just fine...
-
Hi again,
for your info:
remote is a Cisco 3925 (with encryption board) running IOS 15.4.3M8
I consider my problem as solved.
Frank
-
Thanks!
I use the C886VA with the same IOS and it's working with multiple P2's without Tunnel Isolation, but good to know in case problems come up in the future.