
From: Tom Smyth <tom.smyth@wirelessconnect.eu>
Subject: Re: iked <> cisco, anyone seen issues with multiple childsa with one endpoint?
To: tech <tech@openbsd.org>
Date: Fri, 19 Jul 2024 12:38:23 +0100

Hi Stuart

I ran into this issue while using iked on OpenBSD and Fortinet, ...

I think there was a limit of 4 subnet IPsec policies that I could
have; any more and we would see SAs dropping off (never more than 4
of them).

The workaround I used was to use subnet summarisation (on both sides
of the tunnel policies).

I hope this helps,


On Fri, 19 Jul 2024 at 11:05, Stuart Henderson <stu@spacehopper.org> wrote:
>
> (I posted this elsewhere, thought I'd widen the audience a bit,
> if anyone saw it there there's no additional information in this mail,
> just tweaked a bit)
>
> I'm trying to bring up an ikev2 tunnel to another organisation who are
> using some Cisco device their side and having some issues when it's
> configured with two child SAs -
>
> flow esp in from AA.BB.30.128/25 to CC.DD.EE.32/28 peer YYY srcid IPV4/XXX dstid IPV4/YYY type require
> flow esp in from AA.BB.31.128/25 to CC.DD.EE.32/28 peer YYY srcid IPV4/XXX dstid IPV4/YYY type require
> flow esp out from CC.DD.EE.32/28 to AA.BB.30.128/25 peer YYY srcid IPV4/XXX dstid IPV4/YYY type require
> flow esp out from CC.DD.EE.32/28 to AA.BB.31.128/25 peer YYY srcid IPV4/XXX dstid IPV4/YYY type require
> esp tunnel from XXX to YYY spi 0x897e89d7 auth hmac-sha2-512 enc aes-256
> esp tunnel from YYY to XXX spi 0xee8ff7ad auth hmac-sha2-512 enc aes-256
>
> ikev2 "ABC" active tunnel esp \
>         from CC.DD.EE.32/28 to AA.BB.30.128/25 \
>         from CC.DD.EE.32/28 to AA.BB.31.128/25 \
>         local XXX peer YYY \
>         ikesa auth hmac-sha2-512 enc aes-256 group ecp521 \
>         childsa auth hmac-sha2-512 enc aes-256 group ecp521 \
>         srcid XXX dstid YYY \
>         ikelifetime 86400 \
>         lifetime 28800 \
>         psk ZZZ \
>         tag "ABC"
>
> Both are showing up my side:
>
> I don't have direct access to the other side but they're telling me
> that they only see one phase2 up:
>
> IPsec:
>   Tunnel ID    : 87.2
>   Local Addr   : AA.BB.31.128/255.255.255.128/0/0
>   Remote Addr  : CC.DD.EE.32/255.255.255.240/0/0
>   Encryption   : AES256                 Hashing      : SHA512
>   Encapsulation: Tunnel                 PFS Group    : 21
>   Rekey Int (T): 28800 Seconds          Rekey Left(T): 25890 Seconds
>   Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607830 K-Bytes
>   Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
>   Bytes Tx     : 0                      Bytes Rx     : 4737960
>   Pkts Tx      : 0                      Pkts Rx      : 39483
>
> and not surprisingly they reject packets sent to them for
> AA.BB.30.128/25 ("The decapsulated inner packet doesn't match the
> negotiated policy in the SA").
>
> I do have tunnels up and working correctly with multiple child SAs,
> but those are only iked<>iked.
>
> Has anyone seen anything like this? Any ideas gratefully received...
>


-- 
Kindest regards,
Tom Smyth.
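Both messages describe the same local symptom: an ikev2 rule lists several `from ... to ...` selector pairs, but the installed flows and SAs do not cover all of them (Stuart's peer only negotiates one phase 2, Tom saw SAs dropping off beyond four policies). The checker below is an added example, not code from the thread or from OpenBSD: it parses `ipsecctl -sa` style output in the format quoted above and reports which expected flows are absent and whether the ESP SA pair to the peer exists. The sample output and the RFC 5737 addresses are constructed for the example.

```python
import re
from ipaddress import ip_network

# Constructed sample in the `ipsecctl -sa` format quoted in the thread.
# The second selector pair deliberately lacks its outbound flow.
SAMPLE_SAD = """\
flow esp in from 192.0.2.128/25 to 198.51.100.32/28 peer 203.0.113.9 srcid IPV4/203.0.113.1 dstid IPV4/203.0.113.9 type require
flow esp out from 198.51.100.32/28 to 192.0.2.128/25 peer 203.0.113.9 srcid IPV4/203.0.113.1 dstid IPV4/203.0.113.9 type require
flow esp in from 192.0.3.128/25 to 198.51.100.32/28 peer 203.0.113.9 srcid IPV4/203.0.113.1 dstid IPV4/203.0.113.9 type require
esp tunnel from 203.0.113.1 to 203.0.113.9 spi 0x897e89d7 auth hmac-sha2-512 enc aes-256
esp tunnel from 203.0.113.9 to 203.0.113.1 spi 0xee8ff7ad auth hmac-sha2-512 enc aes-256
"""

FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")
SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-f]+)")


def parse_sad(text):
    """Return (set of (dir, src_net, dst_net, peer), dict of (src_ip, dst_ip) -> spi)."""
    flows, sas = set(), {}
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            direction, src, dst, peer = m.groups()
            flows.add((direction, ip_network(src), ip_network(dst), peer))
            continue
        m = SA_RE.match(line)
        if m:
            sas[(m.group(1), m.group(2))] = m.group(3)
    return flows, sas


def missing_flows(expected, peer, local_ip, text):
    """expected: [(local_net, remote_net), ...] mirroring the ikev2 rule's 'from .. to ..' pairs.

    Returns (list of absent (dir, src, dst) flows, True if both ESP SAs to/from the peer exist).
    An 'out' flow runs local -> remote, an 'in' flow remote -> local, as in the quoted output.
    """
    flows, sas = parse_sad(text)
    missing = []
    for local, remote in expected:
        lnet, rnet = ip_network(local), ip_network(remote)
        for direction, src, dst in (("out", lnet, rnet), ("in", rnet, lnet)):
            if (direction, src, dst, peer) not in flows:
                missing.append((direction, str(src), str(dst)))
    sa_ok = (local_ip, peer) in sas and (peer, local_ip) in sas
    return missing, sa_ok
```

Run it periodically against the live `ipsecctl -sa` output; a selector pair whose flows disappear from the list while the SA pair stays up is the local view of the behaviour described above, and the remote side's own status (such as the Bytes Tx counter in the quoted Cisco output) is still needed to confirm what the peer actually negotiated.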