sVTI, multiple traffic selectors

1000mercis
Level 1

Hi,

Does anyone know if it's possible to have multiple traffic selectors on an sVTI IPsec site-to-site interface when the router (Cisco 2901, IOS 15.2) is the SA initiator?

To explain a little more, I have an IKEv2 tunnel between 174.52.148.11 and 162.23.19.133 (not my real IPs). I want traffic from 172.17.0.0/16 and 192.168.0.0/24 to go through it to 192.168.17.0/24.

My problem is that I only manage to get one child SA (192.168.0.0/24 === 192.168.17.0/24) instead of two (172.17.0.0/16 and 192.168.0.0/24 === 192.168.17.0/24).

Is it a VTI limitation or a bad configuration on my side?

I know it is possible to have multiple child SAs working on a single tunnel when the router is not the initiator of the SA but the responder. Unfortunately, in this case I really need to be the initiator because I'm the spoke, and the hub peers are only responders (and I don't control them).

Any Help?

Thanks

Here is a very small part of my configuration:

interface Tunnel1
 ip unnumbered GigabitEthernet0/0
 tunnel source 174.52.148.11
 tunnel mode ipsec ipv4
 tunnel destination 162.23.19.133
 tunnel protection ipsec profile ipsec_profile_v2

ip route 192.168.0.0 255.255.255.0 172.19.0.1
ip route 172.17.0.0 255.255.0.0 172.19.0.1
ip route 192.168.17.0 255.255.255.0 Tunnel1
ip route 10.0.0.0 255.255.255.0 Tunnel2

Here we can see there is no child SA for the 172.17.0.0/16 network:

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         174.52.148.11/500     162.23.19.133/500      none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/28294 sec
      CE id: 1509, Session-id: 94
      Status Description: Negotiation done
      Local spi: 0EEE5DE1703ADD9A       Remote spi: 9F6C437C48B5BF0E
      Local id: 174.52.148.11
      Remote id: 162.23.19.133
      DPD configured for 300 seconds, retry 30
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes

Child sa: local selector  192.168.0.0/0 - 192.168.0.255/65535
          remote selector 192.168.17.0/0 - 192.168.17.255/65535
          ESP spi in/out: 0xE6866A92/0xC5F8491E
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

Here is an example of multiple child SAs working on a single tunnel when I'm not the initiator (same router as in the previous example, but a different tunnel):

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         174.52.148.11/4500    177.31.193.222/4500   none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Local id: 174.52.148.11
      Remote id: 177.31.193.222
      DPD configured for 300 seconds, retry 30
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

Child sa: local selector  192.168.0.0/0 - 192.168.0.255/65535
          remote selector 10.0.0.0/0 - 10.0.255.255/65535
          ESP spi in/out: 0x94D543DF/0xCD2F0076
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

Child sa: local selector  172.17.0.0/0 - 172.17.255.255/65535
          remote selector 10.0.0.0/0 - 10.0.255.255/65535
          ESP spi in/out: 0xB7362A6/0xCD93D913
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

3 Replies

Marcin Latosiewicz
Cisco Employee

I spoke with a few wise heads (thanks Olivier P.).

What you're looking for is not supported but should be out with IOS XE 3.12. The only thing SVTI should allow you to negotiate is one "any any" TS.

That it is "working" the way you're describing is puzzling, but maybe some facilities to accommodate upcoming changes were introduced into the code.

Mind sharing "show crypto ipsec sa" ?

Hi Marcin,

Thanks for your answer! I guess I'll have to deal with crypto maps again instead of VTI.

Here is the tunnel with two child SAs (responder, but 100% static VTI, no dynamic/templates).

#show crypto ipsec sa peer 177.31.193.222  (full output)

interface: Tunnel3
    Crypto map tag: Tunnel3-head-0, local addr 174.52.148.11

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   current_peer 177.31.193.222 port 4500
     PERMIT, flags={}
    #pkts encaps: 3437, #pkts encrypt: 3437, #pkts digest: 3437
    #pkts decaps: 3275, #pkts decrypt: 3275, #pkts verify: 3275
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 174.52.148.11, remote crypto endpt.: 177.31.193.222
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xC50EDA27(3306084903)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x67479324(1732743972)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3949, flow_id: Onboard VPN:1949, sibling_flags 80000040, crypto map: Tunnel3-head-0
        sa timing: remaining key lifetime (k/sec): (4256218/1911)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC50EDA27(3306084903)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3950, flow_id: Onboard VPN:1950, sibling_flags 80000040, crypto map: Tunnel3-head-0
        sa timing: remaining key lifetime (k/sec): (4256278/1911)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   current_peer 177.31.193.222 port 4500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 174.52.148.11, remote crypto endpt.: 177.31.193.222
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xC29B00A5(3264938149)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF0C4E925(4039436581)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3948, flow_id: Onboard VPN:1948, sibling_flags 80000040, crypto map: Tunnel3-head-0
        sa timing: remaining key lifetime (k/sec): (4364292/1891)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC29B00A5(3264938149)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3947, flow_id: Onboard VPN:1947, sibling_flags 80000040, crypto map: Tunnel3-head-0
        sa timing: remaining key lifetime (k/sec): (4364292/1891)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 177.31.193.222 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 174.52.148.11, remote crypto endpt.: 177.31.193.222
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

Julien,

What you listed above should not work reliably; you have multiple SPDs, including overlap in your SADB.

The responder side could cope with multi-SA DVTI ... I have not seen it working with IKEv2, but the principle remains the same.

M.
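As an added example (not part of the thread, not Cisco documentation, and not Julien's configuration): the crypto-map equivalent of Tunnel1 for a spoke that must initiate toward 162.23.19.133 with two traffic selectors. On IOS a classic crypto map negotiates one IKEv2 child SA per ACE in the matched ACL, so two ACEs give the two child SAs that the sVTI would not negotiate as initiator. The object names (IKEV2-PROP, IKEV2-POL, HUB-KEYRING, IKEV2-HUB1, TS-AES256-SHA, HUB1-TS, HUB-CMAP), the WAN next hop 174.52.148.1 and the PSK placeholder are assumptions; the cipher suite, DH group and DPD timers mirror what the thread's show output reports. If the proposal, policy and transform set behind ipsec_profile_v2 already exist, reuse them instead of the ones defined here.

```cisco
! Added example (not from the thread). Assumed names, next hop and PSK.
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring HUB-KEYRING
 peer HUB1
  address 162.23.19.133
  pre-shared-key REPLACE-WITH-REAL-PSK
!
crypto ikev2 profile IKEV2-HUB1
 match identity remote address 162.23.19.133 255.255.255.255
 identity local address 174.52.148.11
 authentication remote pre-share
 authentication local pre-share
 keyring local HUB-KEYRING
 dpd 300 30 on-demand
!
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! One ACE per traffic selector: each ACE is negotiated as its own child SA.
ip access-list extended HUB1-TS
 permit ip 172.17.0.0 0.0.255.255 192.168.17.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 192.168.17.0 0.0.0.255
!
crypto map HUB-CMAP 10 ipsec-isakmp
 set peer 162.23.19.133
 set transform-set TS-AES256-SHA
 set ikev2-profile IKEV2-HUB1
 match address HUB1-TS
!
interface GigabitEthernet0/0
 crypto map HUB-CMAP
!
! Tunnel1 must go: a VTI and a crypto map to the same peer would compete
! for the SA. The remote LAN is then routed to the WAN next hop (assumed
! 174.52.148.1), not to a tunnel interface.
no interface Tunnel1
no ip route 192.168.17.0 255.255.255.0 Tunnel1
ip route 192.168.17.0 255.255.255.0 174.52.148.1
```

The two ACEs must match the selectors the hub accepts exactly, since as responder the hub can narrow a selector but will not widen one; after the first packet from each source network, `show crypto ikev2 sa detail` should list two "Child sa" entries under the peer and `show crypto ipsec sa peer 162.23.19.133` two ident pairs with non-zero encaps counters. Routes for 192.168.0.0/24 and 172.17.0.0/16 toward 172.19.0.1 stay as they are; only the route to the remote LAN changes.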