cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
232
Views
10
Helpful
3
Replies

IKEv2 with multiple encryption domains

M411
Beginner
Beginner

Hi all,

I have a question about IKEv2 where traffic to multiple target networks should be encrypted. Here's a sample config to explain:

 

 

crypto ikev2 proposal Test01
 encryption aes-cbc-256
 integrity sha256
 group 20


crypto ikev2 policy MYPOL 
proposal Test01


crypto ikev2 keyring Test01
 peer Test01
  address 10.10.10.10
  pre-shared-key local 0 s3cr3t
  pre-shared-key remote 0 s3cr3t


crypto ikev2 profile Test01
 match identity remote address 10.10.10.10 255.255.255.255 
 authentication local pre-share
 authentication remote pre-share
 keyring local Test01


crypto ipsec transform-set Test01 esp-aes 192 esp-sha256-hmac 
 mode tunnel



ip access-list extended Test01
 permit ip host 10.0.0.1 192.168.10.0 0.0.0.255
 permit ip host 10.0.0.1 192.168.20.0 0.0.0.255





crypto map MYMAP 300 ipsec-isakmp 
 description Connection to Test01
 set peer 10.10.10.10
 set transform-set Test01
 set pfs group20
 set ikev2-profile Test01
 match address Test01



ip route 192.168.10.0 255.255.255.0 $next_hop
ip route 192.168.20.0 255.255.255.0 $next_hop

 

 

This configuration works as far as SAs are established and I'm able to - for example - ping 192.168.10.1 from 10.0.0.1. The strange part is that I can not send traffic to 192.168.20.0/24 (the second network in the access list). 

sh ip access-lists Test01 reveals that only the first rule registers any hits.

In other words, the connection works, but only to the first network in the access-list, even when both target networks are configured exactly the same.

If I configure the same connection with IKEv1, I can connect to both target networks. I'm probably missing something in the IKEv2 configuration, but I can't figure out what it is.

The IOS version is 15.6(3)M4, if that makes any difference.

Any help with that would be very much appreciated...

 

Thanks,

Marc

 

1 Accepted Solution

Accepted Solutions

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@M411 who are you peering with? If you are peering with AWS you are limited to one SA.

The configuration of this router looks ok, what about the configuration of the peer?

Another option is to use a Route Based VPN (VTI), which would have one SA.

View solution in original post

3 Replies 3

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@M411 who are you peering with? If you are peering with AWS you are limited to one SA.

The configuration of this router looks ok, what about the configuration of the peer?

Another option is to use a Route Based VPN (VTI), which would have one SA.

Hi @Rob Ingram,

thanks very much for your reply. It's not AWS, but interesting, I didn't know that.

Turns out I'm stupid and had a routing problem on the source host, it didn't have to do anything with the Cisco config at all

Cheers,

Marc

 

MHM Cisco World
Advisor
Advisor

share the show crypto IPsec sa

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: