Multiple phase2, Cisco, and Tunnel Isolation

[GaardenZwerch]

Hi,

I have trouble getting an IPSec connection to a Cisco: I need several phase2 tunnels (and NAT on my side). When I uncheck 'Tunnel Isolation' in phase1, the connection fails with

Code: [Select]

received TS_UNACCEPTABLE notify, no CHILD_SA builtwhen I check 'Tunnel isolation' (no other change to the config), then each phase2 can be brought up without a problem, but this brings other problems described here

https://forum.opnsense.org/index.php?topic=14240.0

Thanks for any hints,
Frank

[GaardenZwerch]

weirdly enough,
if I create two identical Phase1, each with one Phase2, I get the same error.
If I check 'Tunnel Isolation' on both Phase1, it works. The resulting ipsec.conf is basically identical in that case,
except that conX is broken into conX  and conX-000
but all params are the same.

Unfortunately my problem is not solved by this, because as soon as I configure 'Manual SPD's that I need, traffic gets routed with the wrong SPIs, as described here: https://forum.opnsense.org/index.php?topic=14240.0

[GaardenZwerch]

Sorry if I'm chatting with myself here, but I just found out that Cisco says this can't be done (screenshot)

[mimugmail]

You splitted you problem in two threads, hard to follow.
Is there a workaround listed in Cisco Bug?

[GaardenZwerch]

You splitted you problem in two threads, hard to follow.

It's because I believe they are two distinct problems. But solving either one would get me what I need 

Is there a workaround listed in Cisco Bug?

Yes:

A broader crypto ACL can be configured to have only one line in the ACL.
Also, if feasible, a VTI can be used when both endpoints support route based IKEv2 IPSec tunnels.

In my case, both suggestions are the same ;-)
I need parts in 10.x, 192.168.x, as well as a 'non-private-but-only-used-internally-Class-B'. So 0/0 would match that.
Route based ipsec is what we will try next.

[mimugmail]

Good idea!