Ikev2 Policy preference

ryancisco01
Level 1

Hi, we have a situation where the remote party's device has a bug and can't handle a large SA proposal: even though our default proposal contains matching parameters, it also contains multiple other encryption/integrity/PFS methods. I was able to get the VPN up by creating a dedicated IKEv2 policy with just the exact settings needed; however, that stopped our other dozen VPNs from working, because they also selected this new dedicated policy, which doesn't match their requirements.

The FVRF is the same for all, and the local interface is the same. I can't see any way to bind this specific policy to this tunnel.

I have tried putting both the default proposal and this specific proposal under the same policy and tried alternating the order, but I can only either get all my existing IKEv2 tunnels up or this problematic tunnel up, never all at the same time.

Any suggestions would be appreciated. Again, it's not the proposal not matching, it's the number of parameters sent that stops it from working. When the remote side initiates to us it works perfectly; when the local side initiates we get errors on the reply: "Received an IKE msg id outside supported window" or "ikev2 Response is outside of window received".

5 Replies

tvotna
Spotlight

As a workaround you can try "responder-only" in the IPSec profile, but local side won't be able to initiate tunnels in this case.

 

ryancisco01
Level 1

Thanks, yeah, we did try that; unfortunately it took a very long time for it to come up and would drop out again, as the traffic is always initiated from our local side.

There are two proposals; can you merge them into one proposal? You can do that by:

encryption aes-cbc-192 aes-cbc-256 <<- use two encryption methods under the same proposal.

I never tried it, but why not, it could work.

Not that simple, unfortunately. We have a dozen working VPNs now plus this problematic VPN; the dozen other VPNs use a variety of sets, so the default proposal that has all the required options of the dozen other VPNs is too large for the problematic VPN to handle. We can have multiple proposals under the same policy, but again it will only pick based on order/priority, so if it picks the proposal with just the problematic VPN's parameters, that VPN will come up and work and my other dozen won't work, and vice versa.

 

We really need a way to define a "match" for the remote host not the local host.

As you correctly mentioned, you can only match by local IP and/or FVRF, e.g. a loopback interface IP can be used.
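One way to put that suggestion into practice, as an added example that is not configuration from the thread: a dedicated loopback inside the same FVRF is used only as the source of the problematic tunnel, and a second IKEv2 policy matched on that loopback address carries the short proposal, so the other tunnels (sourced from the WAN address) keep selecting the default policy. All names, VRF, and addresses below are assumptions; the loopback address must be reachable by the remote peer (a routable or NAT-mapped address).

```ios
! Large proposal kept for the dozen existing peers (assumed algorithm set)
crypto ikev2 proposal PROP-DEFAULT
 encryption aes-cbc-256 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21 20 19 14
!
! Minimal proposal: only the one transform set the buggy peer can parse
crypto ikev2 proposal PROP-SMALL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! Policy selected for IKE SAs sourced from the WAN address (existing tunnels)
crypto ikev2 policy POL-DEFAULT
 match fvrf FVRF-WAN
 match address local 203.0.113.10
 proposal PROP-DEFAULT
!
! Policy selected only for IKE SAs sourced from the dedicated loopback
crypto ikev2 policy POL-SMALL
 match fvrf FVRF-WAN
 match address local 203.0.113.11
 proposal PROP-SMALL
!
! Loopback in the same FVRF; its address is the IKE local address for this peer
interface Loopback100
 vrf forwarding FVRF-WAN
 ip address 203.0.113.11 255.255.255.255
!
! Tunnel to the problematic peer is sourced from the loopback, not the WAN interface
interface Tunnel100
 ip address 10.100.100.1 255.255.255.252
 tunnel source Loopback100
 tunnel destination 198.51.100.20
 tunnel vrf FVRF-WAN
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-PEER
```

Verify the selection with `show crypto ikev2 sa detail` after bringing the tunnel up from the local side: the SA for 198.51.100.20 should show local address 203.0.113.11 and the single transform, while the other SAs keep 203.0.113.10 and the policy POL-DEFAULT.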