IKEv2 with multiple encryption domains

M411
Level 1

Hi all,

I have a question about IKEv2 where traffic to multiple target networks should be encrypted. Here's a sample config to explain:

! IKEv2 proposal and policy (IKE SA ciphers)
crypto ikev2 proposal Test01
 encryption aes-cbc-256
 integrity sha256
 group 20
!
crypto ikev2 policy MYPOL
 proposal Test01
!
! Pre-shared keys for the single peer
crypto ikev2 keyring Test01
 peer Test01
  address 10.10.10.10
  pre-shared-key local 0 s3cr3t
  pre-shared-key remote 0 s3cr3t
!
crypto ikev2 profile Test01
 match identity remote address 10.10.10.10 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local Test01
!
! IPsec (child SA) transform
crypto ipsec transform-set Test01 esp-aes 192 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: one ACE per target network behind the peer
ip access-list extended Test01
 permit ip host 10.0.0.1 192.168.10.0 0.0.0.255
 permit ip host 10.0.0.1 192.168.20.0 0.0.0.255
!
! Policy-based (crypto map) entry tying peer, transform, PFS, IKEv2 profile and ACL together
crypto map MYMAP 300 ipsec-isakmp
 description Connection to Test01
 set peer 10.10.10.10
 set transform-set Test01
 set pfs group20
 set ikev2-profile Test01
 match address Test01
!
! Routes towards both target networks via the crypto-map-bound egress
ip route 192.168.10.0 255.255.255.0 $next_hop
ip route 192.168.20.0 255.255.255.0 $next_hop

This configuration works as far as SAs are established and I'm able to, for example, ping 192.168.10.1 from 10.0.0.1. The strange part is that I cannot send traffic to 192.168.20.0/24 (the second network in the access list).

sh ip access-lists Test01 reveals that only the first rule registers any hits.

In other words, the connection works, but only to the first network in the access-list, even when both target networks are configured exactly the same.

If I configure the same connection with IKEv1, I can connect to both target networks. I'm probably missing something in the IKEv2 configuration, but I can't figure out what it is.

The IOS version is 15.6(3)M4, if that makes any difference.

Any help with that would be very much appreciated...

Thanks,
Marc

3 Replies

Accepted Solution:

@M411 who are you peering with? If you are peering with AWS you are limited to one SA.

The configuration of this router looks ok, what about the configuration of the peer?

Another option is to use a Route Based VPN (VTI), which would have one SA.

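As an added example (not from the original post or from the reply above) of the route-based alternative mentioned there: the IKEv2 proposal, policy, keyring and profile Test01 and the transform-set Test01 from the question are kept unchanged, the crypto map entry is replaced by an IPsec profile bound to a VTI, and both target networks are reached by routing into the tunnel instead of listing them in a crypto ACL. The WAN interface name GigabitEthernet0/0, the tunnel addressing 172.16.0.0/30 and the profile name Test01-VTI are assumptions made for the example.

```ios
! Added example: route-based (VTI) variant of the configuration in the question.
! Reuses crypto ikev2 proposal/policy/keyring/profile Test01 and transform-set Test01
! exactly as posted; everything below is new.
!
! The IPsec profile takes the place of the crypto map entry.
crypto ipsec profile Test01-VTI
 set transform-set Test01
 set pfs group20
 set ikev2-profile Test01
!
! Tunnel source interface and tunnel addressing are assumed values.
interface Tunnel0
 description VTI to Test01 (10.10.10.10)
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 10.10.10.10
 tunnel protection ipsec profile Test01-VTI
!
! The encryption domains are now ordinary routes into the tunnel; no crypto ACL.
ip route 192.168.10.0 255.255.255.0 Tunnel0
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
! Retire the crypto map entry for this peer so 10.10.10.10 is not claimed by
! both the crypto map and the VTI on the same physical interface.
no crypto map MYMAP 300
```

The VTI negotiates one child SA with 0.0.0.0/0 to 0.0.0.0/0 traffic selectors, so the peer has to be route-based as well (or otherwise accept those selectors); a policy-based peer that expects the two /24 proxy identities will reject the proposal. After the change, show crypto ikev2 sa should list a single IKE SA, show crypto ipsec sa a single SA pair on Tunnel0, and the encaps/decaps counters there should rise for traffic to either network.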
Hi @Rob Ingram,

thanks very much for your reply. It's not AWS, but interesting, I didn't know that.

Turns out I'm stupid and had a routing problem on the source host; it had nothing to do with the Cisco config at all.

Cheers,
Marc

Share the show crypto ipsec sa.