09-30-2022 01:31 AM - edited 09-30-2022 02:45 AM
Hi all,
I have a question about IKEv2 where traffic to multiple target networks should be encrypted. Here's a sample config to explain:
crypto ikev2 proposal Test01
 encryption aes-cbc-256
 integrity sha256
 group 20
!
crypto ikev2 policy MYPOL
 proposal Test01
!
crypto ikev2 keyring Test01
 peer Test01
  address 10.10.10.10
  pre-shared-key local 0 s3cr3t
  pre-shared-key remote 0 s3cr3t
!
crypto ikev2 profile Test01
 match identity remote address 10.10.10.10 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local Test01
!
crypto ipsec transform-set Test01 esp-aes 192 esp-sha256-hmac
 mode tunnel
!
ip access-list extended Test01
 permit ip host 10.0.0.1 192.168.10.0 0.0.0.255
 permit ip host 10.0.0.1 192.168.20.0 0.0.0.255
!
crypto map MYMAP 300 ipsec-isakmp
 description Connection to Test01
 set peer 10.10.10.10
 set transform-set Test01
 set pfs group20
 set ikev2-profile Test01
 match address Test01
!
ip route 192.168.10.0 255.255.255.0 $next_hop
ip route 192.168.20.0 255.255.255.0 $next_hop
This configuration works as far as SAs are established and I'm able to, for example, ping 192.168.10.1 from 10.0.0.1. The strange part is that I cannot send traffic to 192.168.20.0/24 (the second network in the access list).
"sh ip access-lists Test01" reveals that only the first rule registers any hits.
In other words, the connection works, but only to the first network in the access list, even though both target networks are configured exactly the same.
If I configure the same connection with IKEv1, I can connect to both target networks. I'm probably missing something in the IKEv2 configuration, but I can't figure out what it is.
The IOS version is 15.6(3)M4, if that makes any difference.
Any help with that would be very much appreciated...
Thanks,
Marc
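Added example, not part of the thread or of any Cisco tool: with a policy-based (crypto map) VPN, each permit entry in the crypto ACL is negotiated as its own IPsec SA pair with its own local/remote traffic selectors, so a two-entry ACL like Test01 should show two SAs in "show crypto ipsec sa". The script below derives the expected selector pairs from the ACL, parses the "local ident / remote ident" and "#pkts encaps / decaps" lines of the show output, and classifies each entry as active, idle (SA up but never used, which points at routing or ACL matching on the source side) or no-sa (never negotiated, which points at the peer's policy or a one-SA limit). The ACL and show output embedded here are constructed samples in the usual IOS layout; the function and variable names are the example's own.

```python
"""Cross-check a crypto-map ACL against 'show crypto ipsec sa' output.

Added example (not from the thread): one IPsec SA pair is expected per ACE in
the crypto ACL.  All input below is constructed sample text.
"""
import ipaddress
import re

# Constructed copy of the crypto ACL discussed in the thread.
CRYPTO_ACL = """\
ip access-list extended Test01
 permit ip host 10.0.0.1 192.168.10.0 0.0.0.255
 permit ip host 10.0.0.1 192.168.20.0 0.0.0.255
"""

# Constructed 'show crypto ipsec sa' excerpt: the first ACE's SA carries
# traffic, the second ACE's SA is up but has never seen a packet.
SHOW_CRYPTO_IPSEC_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: MYMAP, local addr 10.10.10.20

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 10.10.10.10 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 10.10.10.10 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

ACE_RE = re.compile(r"^\s*permit\s+ip\s+(.*)$")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def _acl_operand(tokens, i):
    """Consume one ACL address operand ('any', 'host A' or 'A wildcard') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Address plus wildcard mask: invert the wildcard to get a subnet mask.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    mask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2


def expected_selectors(acl_text):
    """Return [(local_net, remote_net)] in ACE order: one SA pair is expected per ACE."""
    pairs = []
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        local, i = _acl_operand(tokens, 0)
        remote, _ = _acl_operand(tokens, i)
        pairs.append((local, remote))
    return pairs


def parse_ipsec_sas(show_text):
    """Return {(local_net, remote_net): {'encaps': n, 'decaps': n}} from show output."""
    sas, cur = {}, {}
    for line in show_text.splitlines():
        if "protected vrf" in line:      # start of a new SA block
            cur = {}
            continue
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            cur[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            continue
        m = PKTS_RE.search(line)
        if m and "local" in cur and "remote" in cur:
            key = (cur["local"], cur["remote"])
            sas.setdefault(key, {"encaps": 0, "decaps": 0})[m.group(1)] = int(m.group(2))
    return sas


def check_selectors(acl_text, show_text):
    """Return [(local, remote, status)] per ACE; status is 'active', 'idle' or 'no-sa'."""
    sas = parse_ipsec_sas(show_text)
    report = []
    for local, remote in expected_selectors(acl_text):
        stats = sas.get((local, remote))
        if stats is None:
            status = "no-sa"    # never negotiated: check the peer's policy / SA limit
        elif stats["encaps"] == 0 and stats["decaps"] == 0:
            status = "idle"     # SA up but unused: check routing and ACL hit counts
        else:
            status = "active"
        report.append((str(local), str(remote), status))
    return report


if __name__ == "__main__":
    for local, remote, status in check_selectors(CRYPTO_ACL, SHOW_CRYPTO_IPSEC_SA):
        print(f"{local:>16} -> {remote:<18} {status}")
```

Run it against a pasted copy of your own ACL and show output; a second entry reported as "idle" while its SA exists is the signature of the situation described in the post, whereas "no-sa" means the peer never agreed to that selector pair at all.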
09-30-2022 03:09 AM
@M411 who are you peering with? If you are peering with AWS you are limited to one SA.
The configuration of this router looks ok, what about the configuration of the peer?
Another option is to use a Route Based VPN (VTI), which would have one SA.
09-30-2022 03:20 AM
Hi @Rob Ingram,
thanks very much for your reply. It's not AWS, but interesting, I didn't know that.
Turns out I'm stupid and had a routing problem on the source host; it didn't have anything to do with the Cisco config at all.
Cheers,
Marc
09-30-2022 03:17 AM
Share the "show crypto ipsec sa" output.