On the problem of generating multiple phase 1 and multiple phase 2

2236629741

I currently have two questions:

1. Can multiple SPs be bound to the same ISAKMP SA (phase 1)? If so, what do these SPs have in common? In general, is the binding relationship one SP to one ISAKMP SA, or multiple SPs to one ISAKMP SA?

2. What are the conditions for negotiating multiple phase 2 SAs using the same phase 1 SA?

5 Replies

@2236629741 ISAKMP SAs are established between 2 peers, local and remote public IP addresses (usually). If you are using a Policy Based VPN (crypto map) you will have multiple SAs for each local and remote ident.


For example if your crypto map defines the following as interesting traffic to be encrypted:


access-list HQ-VPN permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list HQ-VPN permit ip 192.168.11.0 255.255.255.0 10.10.10.0 255.255.255.0


You would expect to have 2 pairs (inbound and outbound ESP) of IPsec SAs: 1 SA pair between 192.168.10.0/24 and 10.10.10.0/24 and another pair of SAs between 192.168.11.0/24 and 10.10.10.0/24.


If you are using a Route Based VPN you would only have 1 pair of IPsec SAs (0.0.0.0/0.0.0.0); it would be the routing protocol that routes traffic over the VPN.

Thanks a lot for your answer!

If I use a Route Based VPN, 192.168.10.0 and 192.168.11.0 are two subnets behind Router1, and 10.10.10.0 is a subnet behind Router2.

(1) If so, do the two routers only need to negotiate one ISAKMP SA and one IPsec SA (0.0.0.0/0.0.0.0) to ensure that the hosts in the two subnets behind Router1 can communicate with the hosts in 10.10.10.0?

(2) In case (1), the two routers seem to be used as host-to-host. Router1 relies on its own routing protocol (such as NAT) to forward packets to the two subnets, rather than IPsec-related processing. Is my understanding right?

If my understanding is wrong, please help me criticize and correct me, thanks a lot!

@2236629741 to be accurate, there will be a pair of IPsec SAs: inbound and outbound.


The routers will use a routing protocol such as BGP, EIGRP or OSPF to advertise the routes over the VPN tunnel, not NAT. Traffic will still be encrypted using IPsec; it's just that a crypto ACL is not used to define the interesting traffic that should be encrypted. As the IPsec SA is 0.0.0.0/0.0.0.0, any route advertised over the VPN using the routing protocol will be encrypted. There will still only be the one pair of IPsec SAs regardless of how many routes there are.

Multiple SAs for the same ISAKMP SA is OK with the per-host command.
What that means:
LAN-to-LAN there is one SA per one ISAKMP SA,
but with per-host,
each host in the LAN contacts each other host in the other LAN through a different SA, BUT with only one ISAKMP SA.
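An added example, not code from any reply in this thread, that models what the two answers above describe: one ISAKMP (phase 1) SA per peer pair, one IPsec SA pair (outbound plus inbound) per crypto ACL entry for a policy-based VPN, a single 0.0.0.0/0 pair for a route-based VPN, and per-host splitting of an entry into one SA pair per host pair, all hanging off the same phase 1 SA. The peer addresses, subnets and function names are constructed for the illustration, and the selector matching is a simplified model rather than any vendor's exact implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IpsecSa:
    src: str        # traffic selector (CIDR) for the protected source
    dst: str        # traffic selector (CIDR) for the protected destination
    direction: str  # "outbound" or "inbound"


@dataclass
class SaDatabase:
    isakmp_sa: tuple  # one phase-1 SA per (local peer, remote peer) address pair
    ipsec_sas: list   # the phase-2 SAs bound to that single phase-1 SA


def build_sa_database(local_peer, remote_peer, crypto_acl=None, per_host=False):
    """Derive the phase-2 SAs that hang off a single phase-1 SA (constructed model).

    crypto_acl: list of (src, dst) networks from the crypto map (policy-based VPN);
                None models a route-based VPN with one 0.0.0.0/0 <-> 0.0.0.0/0 selector.
    per_host:   split every entry into one SA pair per (source host, destination host),
                the per-host behaviour described in the thread.
    Every selector yields one outbound and one inbound SA, i.e. one SA pair.
    """
    selectors = crypto_acl or [("0.0.0.0/0", "0.0.0.0/0")]
    if per_host:
        selectors = [(f"{h}/32", f"{g}/32")
                     for s, d in selectors
                     for h in ip_network(s).hosts()
                     for g in ip_network(d).hosts()]
    sas = []
    for s, d in selectors:
        sas.append(IpsecSa(str(ip_network(s)), str(ip_network(d)), "outbound"))
        sas.append(IpsecSa(str(ip_network(d)), str(ip_network(s)), "inbound"))
    return SaDatabase((local_peer, remote_peer), sas)


def select_outbound_sa(db, src_ip, dst_ip):
    """Return the outbound SA whose selectors cover the packet (most specific
    selector wins), or None when no SA matches and the packet is not protected."""
    matches = [sa for sa in db.ipsec_sas
               if sa.direction == "outbound"
               and ip_address(src_ip) in ip_network(sa.src)
               and ip_address(dst_ip) in ip_network(sa.dst)]
    return max(matches, default=None,
               key=lambda sa: ip_network(sa.src).prefixlen + ip_network(sa.dst).prefixlen)
```

With the two-line crypto ACL from the first reply the model yields four IPsec SAs (two pairs) under one ISAKMP SA, while the route-based case yields a single pair that matches any source and destination.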

Thanks a lot for your answer!


Let me try to repeat what you said, to see if I understand it correctly.

Suppose the network environment is like this:

    Subnet M                        Subnet X
            \                      /
             SG A -- internet -- SG B
            /                      \
    Subnet N                        Subnet Y


In order to enable communication between the subnets on the left and the subnets on the right:

1. A and B only need to establish one ISAKMP SA.

2. It may be necessary to generate the following four types of communication:

        hosts in M -- hosts in X
        hosts in M -- hosts in Y
        hosts in N -- hosts in X
        hosts in N -- hosts in Y

    These communication types can all be based on the one ISAKMP SA, generating four types of IPsec SAs.

3. The IPsec SAs of the above types can be either address/mask-based SAs or fixed IP-address-based SAs, such as:

        source address     destination address
        192.168.1.0/24     192.168.2.0/24
        192.168.3.1/32     192.168.4.2/32
        192.168.3.2/32     192.168.2.0/24


Please correct me if I misunderstood, thank you very much!