I have a question about IKEv2 where traffic to multiple target networks should be encrypted. Here's a sample config to explain:
crypto ikev2 proposal Test01
crypto ikev2 policy MYPOL
crypto ikev2 keyring Test01
 pre-shared-key local 0 s3cr3t
 pre-shared-key remote 0 s3cr3t
crypto ikev2 profile Test01
 match identity remote address 10.10.10.10 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local Test01
crypto ipsec transform-set Test01 esp-aes 192 esp-sha256-hmac
ip access-list extended Test01
 permit ip host 10.0.0.1 192.168.10.0 0.0.0.255
 permit ip host 10.0.0.1 192.168.20.0 0.0.0.255
crypto map MYMAP 300 ipsec-isakmp
 description Connection to Test01
 set peer 10.10.10.10
 set transform-set Test01
 set pfs group20
 set ikev2-profile Test01
 match address Test01
ip route 192.168.10.0 255.255.255.0 $next_hop
ip route 192.168.20.0 255.255.255.0 $next_hop
This configuration works insofar as SAs are established and I'm able to, for example, ping 192.168.10.1 from 10.0.0.1. The strange part is that I cannot send traffic to 192.168.20.0/24 (the second network in the access list).
sh ip access-lists Test01 reveals that only the first rule registers any hits.
In other words, the connection works, but only to the first network in the access-list, even when both target networks are configured exactly the same.
If I configure the same connection with IKEv1, I can connect to both target networks. I'm probably missing something in the IKEv2 configuration, but I can't figure out what it is.
The IOS version is 15.6(3)M4, if that makes any difference.
Any help with that would be very much appreciated...
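As an added illustration (not part of the original post): a small Python helper that parses the crypto-map ACL from the question and derives the IKEv2 traffic-selector pair (TSi/TSr address ranges) each ACE corresponds to. Since a crypto map negotiates a separate IPsec SA per ACE, the output is the list of CHILD_SAs one would expect to find on the router, which can be compared against the local/remote ident lines of "show crypto ipsec sa" to see which ACE never got its SA. The ACL text is a constructed copy of the one above; port operators are not handled.

```python
import ipaddress

# Constructed sample input: the crypto-map ACL from the question above.
SAMPLE_ACL = """\
ip access-list extended Test01
 permit ip host 10.0.0.1 192.168.10.0 0.0.0.255
 permit ip host 10.0.0.1 192.168.20.0 0.0.0.255
"""
ANY = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))

def parse_operand(tokens):
    """Consume one ACE address operand ('any', 'host A' or 'A WILDCARD') and
    return ((first, last), remaining_tokens): the bounds an IKEv2
    TS_IPV4_ADDR_RANGE selector would carry for that operand."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        addr = ipaddress.IPv4Address(tokens[1])
        return (addr, addr), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))  # IOS wildcard: 1 bits = don't care
    first = ipaddress.IPv4Address(addr & ~wild & 0xFFFFFFFF)
    last = ipaddress.IPv4Address(addr | wild)
    return (first, last), tokens[2:]

def acl_to_traffic_selectors(acl_text):
    """Map every 'permit' ACE of an IOS extended ACL to the (TSi, TSr) pair it is
    proposed as. A crypto map negotiates one IPsec SA per ACE, so the length of
    the result is the number of CHILD_SAs to expect. Port operators are ignored."""
    selectors = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "permit":
            continue
        src, rest = parse_operand(tokens[2:])
        dst, _ = parse_operand(rest)
        selectors.append({"proto": tokens[1], "tsi": src, "tsr": dst})
    return selectors

def format_selector(sel):
    """Render a pair the way it is compared against the local/remote ident
    lines of 'show crypto ipsec sa'."""
    return (f"{sel['proto']} {sel['tsi'][0]}-{sel['tsi'][1]} -> "
            f"{sel['tsr'][0]}-{sel['tsr'][1]}")

if __name__ == "__main__":
    for i, sel in enumerate(acl_to_traffic_selectors(SAMPLE_ACL), 1):
        print(f"ACE {i}: {format_selector(sel)}")
```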