04-08-2012 04:26 AM
I am trying to create a VPN between an SRP547W and a Cisco IOS router, in this case a UC540. I am running firmware 1.2.4 (003) Jan 11 2012.
Now I can do this with an SRP527W and many other routers successfully, including other IOS routers (1801, 1941, etc.).
The issue I have is on the SRP547W I cannot create more than one IPSec Policy through a single IKE policy. I require this to route multiple vlans to our remote site.
When I try to add an additional IPSec Policy I am given the error "IKE policy has been used by other IPSec policy".
This is possible to do on the SRP527W with latest firmware. I have tried rolling back to earlier firmware but instead I am given an error about overlap.
The latest release note for this firmware suggests this issue was already resolved.
Any help much appreciated.
04-10-2012 01:37 PM
Hello Matthew,
Sorry to hear you are having difficulty.
I was able to test this on firmware 1.02.01 and get the overlap error that you mention. I resolved it by choosing "IP address & subnet mask" in the local selection field. When I used "IP Address" I received the same error unless I changed the IP address under the local traffic selection to something other than the one used in the first policy; then it allowed a successful submission. The remote traffic selector or IP address doesn't have any bearing on the error.
Are you using the same local IP address for each IPSec policy? If you are, try changing the local IP selector to IP + subnet mask. Also, as a reminder, the number of IPSec policies is based on bandwidth limitations and most often no more than 2 site-to-site tunnels can connect at a single time.
Please let me know if this helps.
Best regards,
Wesley S.
Cisco SBSC
04-10-2012 06:30 PM
Hi Wesley,
This is not an option. I require the remote VLANs to be routable from the entire local VLAN. For example:
Remote Vlans:
10.0.0.0
10.0.2.0
10.0.3.0
Local Vlans:
10.20.1.0
10.20.2.0
Single IP addressing will only help with one device. There is clearly a bug in the firmware for the 547 as opposed to the 527.
04-11-2012 02:55 AM
Hi Matthew,
The issue of not being able to reuse IKE policies is known and will be addressed in our next maintenance release.
As a workaround, have you tried creating a policy using a supernet of the required addresses?
i.e. local selection = 10.20.0.0 mask 255.255.252.0, remote 10.0.0.0 mask 255.255.252.0
This is not a perfect reflection of your requirement, but ought to be sufficient to get things working for you.
Regards,
Andy
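The supernet workaround above, worked through as an added example that is not part of the original thread: it derives the single traffic selector covering each side's VLANs and lists the ranges the policy would also match beyond those VLANs. The /24 VLAN masks and all function names are assumptions; the thread gives only network addresses.

```python
import ipaddress

# VLANs from the thread; the /24 masks are an assumption (the posts give no masks).
LOCAL = ["10.20.1.0/24", "10.20.2.0/24"]
REMOTE = ["10.0.0.0/24", "10.0.2.0/24", "10.0.3.0/24"]


def covering_supernet(subnets):
    """Return the smallest single IPv4 network containing every subnet given."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Bits that differ between the lowest and highest address must be host bits.
    host_bits = (lo ^ hi).bit_length()
    base = (lo >> host_bits) << host_bits
    return ipaddress.ip_network((base, 32 - host_bits))


def extra_coverage(supernet, required):
    """Return the blocks inside `supernet` that no required subnet accounts for."""
    remaining = [supernet]
    for req in (ipaddress.ip_network(s) for s in required):
        kept = []
        for net in remaining:
            if net.subnet_of(req):
                continue  # fully required, nothing extra here
            if req.subnet_of(net):
                kept.extend(net.address_exclude(req))  # carve the required part out
            else:
                kept.append(net)
        remaining = kept
    return sorted(remaining)


def selector_report(subnets):
    """Summarise one side of the tunnel: selector, mask, and unintended ranges."""
    sup = covering_supernet(subnets)
    return {
        "selector": str(sup),
        "mask": str(sup.netmask),
        "extra": [str(n) for n in extra_coverage(sup, subnets)],
    }


if __name__ == "__main__":
    for side, nets in (("local", LOCAL), ("remote", REMOTE)):
        print(side, selector_report(nets))
```

Any range reported under `extra` is matched by the IPSec policy even though no listed VLAN uses it, so it is worth covering with firewall rules in case that range is ever assigned.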
04-12-2012 12:45 AM
Hi Andrew,
I would have to downgrade software again to test and unfortunately have had to put this unit into production with just the Data VLAN.
Is there a release date for the next maintenance release?
Cheers
Matthew
04-12-2012 04:16 AM
Hi Matthew,
We don't have a specific date at the moment. Probably some time in the summer.
Regards,
Andy
05-10-2012 05:01 AM
I'm also running into the same problems. Any update as to when the next patch will be released?
Adam
05-11-2012 04:28 AM
We're currently planning the next release for the end of this summer.