02-13-2023 01:09 AM
Hi, we have a situation where the remote party's device has a bug and can't handle a large SA proposal. Even though our default proposal contains matching parameters, it also contains multiple other encryption/integrity/PFS methods. I was able to get the VPN up by creating a dedicated IKEv2 policy with just the exact settings needed; however, that stopped our other dozen VPNs from working because they also selected this new dedicated policy, which doesn't match their requirements.
The FVRF is the same for all, and the local interface is the same. I can't see any way to bind this specific policy to this tunnel.
I have tried putting both the default proposal and this specific proposal under the same policy and tried alternating the order, but I can only get either all my existing IKEv2 tunnels up or this problematic tunnel up, never all at the same time.
Any suggestions would be appreciated. Again, it's not the proposal not matching, it's the number of parameters sent that stops it from working. When the remote side initiates to us it works perfectly; when the local side initiates we get errors on the reply: "Received an IKE msg id outside supported window" or "ikev2 Response is outside of window received".
02-13-2023 02:37 AM
As a workaround you can try "responder-only" in the IPsec profile, but the local side won't be able to initiate tunnels in this case.
02-13-2023 01:34 PM
Thanks, yeah, we did try that. Unfortunately it took a very long time for it to come up and would drop out again, as the traffic is always initiated from our local side.
02-13-2023 03:03 PM
There are two proposals; can you merge them into one proposal? You can do that by
encryption aes-cbc-192 aes-cbc-256 <<- use two encryption methods under the same proposal.
I never tried it, but why not, it can work.
02-14-2023 01:04 AM
Not that simple unfortunately. We have a dozen working VPNs now plus this problematic VPN. The dozen other VPNs use a variety of sets, so the default proposal that has all the required options of the dozen other VPNs is too large for the problematic VPN to handle. We can have multiple proposals under the same policy, but again it will only pick one based on order/priority, so if it picks the proposal with just the problematic VPN's parameters, that VPN will come up and work and my other dozen won't, and vice versa.
We really need a way to define a "match" for the remote host, not the local host.
02-14-2023 02:09 AM
As you correctly mentioned, you can only match by local IP and/or FVRF. E.g. a loopback interface IP can be used.
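One way to apply the loopback idea above, as an added example that is not part of any post in this thread: the problematic tunnel sources IKEv2 from a dedicated loopback address, and a narrow policy matches only that local address, so the existing tunnels keep selecting the broad policy. Proposal contents, interface, policy and profile names, and the addresses (192.0.2.10, 203.0.113.1, 198.51.100.7) are placeholders I chose; the loopback address must be reachable from the remote peer, and the peer must be configured to use it as its peer address.

```cisco
! Narrow proposal: only the single algorithm set the buggy peer accepts
crypto ikev2 proposal PROP-NARROW
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! Broad proposal for the other dozen tunnels (several options per field)
crypto ikev2 proposal PROP-BROAD
 encryption aes-cbc-256 aes-cbc-128
 integrity sha512 sha256
 group 21 19 14
!
! Dedicated local address used only towards the problematic peer
interface Loopback10
 description IKEv2 source address for the peer with the proposal-size bug
 ip address 192.0.2.10 255.255.255.255
!
! FVRF is identical for all tunnels (as in the thread), so the local
! address is the only selector that separates the two policies
crypto ikev2 policy POL-NARROW
 match fvrf any
 match address local 192.0.2.10
 proposal PROP-NARROW
!
crypto ikev2 policy POL-BROAD
 match fvrf any
 match address local 203.0.113.1
 proposal PROP-BROAD
!
! Sourcing the tunnel from the loopback makes our IKE_SA_INIT carry
! only PROP-NARROW when we initiate; the other tunnels keep their
! existing WAN source address and therefore POL-BROAD
interface Tunnel10
 ip address 10.255.10.1 255.255.255.252
 tunnel source Loopback10
 tunnel destination 198.51.100.7
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-NARROW
!
! Checks: confirm each policy shows its match address, then confirm the
! SA to 198.51.100.7 negotiated the narrow algorithm set
! show crypto ikev2 policy
! show crypto ikev2 sa detailed
```

IPSEC-PROF-NARROW is assumed to be an existing crypto ipsec profile that references an IKEv2 profile with a local-address match on 192.0.2.10, mirroring the policy split.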