09-10-2024 02:14 PM
I can get a Meraki MX to successfully connect to Cisco IOS-XE (C8200-1N-4T). However, when I advertise multiple subnets on the Meraki side, the Cisco side will only add one subnet via one SA (and a random one at that, but possibly the highest numbered prefix).
Here's a sanitized config:
aaa authorization network MX-VPN local
!
crypto ikev2 authorization policy MX-Policy
 route set interface
 route set access-list MX-ACL
!
crypto ikev2 proposal MX-encryption-proposal
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy NGE-encryption-policy
 proposal MX-encryption-proposal
!
crypto ikev2 keyring MX-encryption-keyring
 peer spoke
  address 0.0.0.0 0.0.0.0
  pre-shared-key local 6 xxxxxxxxxxxxxxx
  pre-shared-key remote 6 xxxxxxxxxxxxxxx
!
crypto ikev2 profile MX-encryption-profile
 match identity remote address x.x.x.x 255.255.255.255
 match identity remote email mx@domain.com
 match identity remote key-id mx@domain.com
 authentication remote pre-share
 authentication local pre-share
 keyring local MX-encryption-keyring
 aaa authorization group psk list MX-VPN MX-Policy
 virtual-template 1
!
ip access-list standard MX-ACL
 permit X.X.X.0 0.0.0.255
!
I've confirmed that the Meraki unit is sending multiple traffic selectors:
syslog debug 2951845 TSi Next payload: TSr, reserved: 0x0, length: 72
syslog debug 2951846 Num of TSs: 4, reserved 0x0, reserved 0x0
syslog debug 2951847 TS type: TS_IPV4_ADDR_RANGE, proto id: 17, length: 16
syslog debug 2951848 start port: 5557, end port: 5557
syslog debug 2951849 start addr: 1.X.X.X, end addr: 1.X.X.255
syslog debug 2951850 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
syslog debug 2951851 start port: 0, end port: 65535
syslog debug 2951852 start addr: 2.X.X.X, end addr: 2.X.X.255
syslog debug 2951853 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
syslog debug 2951854 start port: 0, end port: 65535
syslog debug 2951855 start addr: 3.X.X.X, end addr: 3.X.X.255
syslog debug 2951856 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
syslog debug 2951857 start port: 0, end port: 65535
syslog debug 2951858 start addr: 4.X.X.X, end addr: 4.X.X.255
Any ideas?
09-10-2024 04:52 PM
You did not provide your virtual template config.
I haven't tested, but multi-SA DVTI should generally work.
Add these commands:
set security-policy limit <increase to 3 or more>, set reverse-route.
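To show where the two commands above go, here is an added example of the IPsec profile and virtual template that the original post omits; this is not the poster's config, and the transform set, profile name, interface name and the limit of 10 are assumptions chosen to match the IKEv2 profile already shown.

```ios
! Added example: IPsec side of the multi-SA DVTI (names and interface are assumed)
crypto ipsec transform-set MX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile MX-IPSEC-PROFILE
 set transform-set MX-TS
 set ikev2-profile MX-encryption-profile
 ! allow more than one child SA per peer, one per negotiated traffic selector pair;
 ! the value must cover every subnet the MX advertises (4 in the TSi debug above)
 set security-policy limit 10
 ! install a route for each accepted remote traffic selector on the VTI
 set reverse-route
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0/0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MX-IPSEC-PROFILE
```

After the tunnel re-establishes, `show crypto ipsec sa` should list one SA pair per Meraki subnet and `show ip route` should show the reverse routes on the Virtual-Access interface.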
09-11-2024 05:43 AM
09-10-2024 09:22 PM
These are bugs.
There are two bugs:
1 - A bug with a group mismatch; this makes Cisco accept only one SA. Match the group on both sides.
2 - A bug in IKEv2 which makes Cisco allow only one SA; the solution is to use IKEv1 instead.
MHM
01-05-2025 12:54 PM
Hi,
Were you able to resolve this? I'm seeing the same behavior (mine uses crypto maps). Are there any existing bugs?
Thanks