From: Stuart Henderson
Subject: iked <> cisco, anyone seen issues with multiple childsa with one endpoint?
To: tech
Date: Fri, 19 Jul 2024 10:59:12 +0100

(I posted this elsewhere, thought I'd widen the audience a bit; if anyone saw it there, there's no additional information in this mail, just tweaked a bit.)

I'm trying to bring up an ikev2 tunnel to another organisation who are using some Cisco device on their side, and having some issues when it's configured with two child SAs -

  flow esp in from AA.BB.30.128/25 to CC.DD.EE.32/28 peer YYY srcid IPV4/XXX dstid IPV4/YYY type require
  flow esp in from AA.BB.31.128/25 to CC.DD.EE.32/28 peer YYY srcid IPV4/XXX dstid IPV4/YYY type require
  flow esp out from CC.DD.EE.32/28 to AA.BB.30.128/25 peer YYY srcid IPV4/XXX dstid IPV4/YYY type require
  flow esp out from CC.DD.EE.32/28 to AA.BB.31.128/25 peer YYY srcid IPV4/XXX dstid IPV4/YYY type require
  esp tunnel from XXX to YYY spi 0x897e89d7 auth hmac-sha2-512 enc aes-256
  esp tunnel from YYY to XXX spi 0xee8ff7ad auth hmac-sha2-512 enc aes-256

  ikev2 "ABC" active tunnel esp \
      from CC.DD.EE.32/28 to AA.BB.30.128/25 \
      from CC.DD.EE.32/28 to AA.BB.31.128/25 \
      local XXX peer YYY \
      ikesa auth hmac-sha2-512 enc aes-256 group ecp521 \
      childsa auth hmac-sha2-512 enc aes-256 group ecp521 \
      srcid XXX dstid YYY \
      ikelifetime 86400 \
      lifetime 28800 \
      psk ZZZ \
      tag "ABC"

Both are showing up on my side. I don't have direct access to the other side, but they're telling me that they only see one phase2 up:

  IPsec:
    Tunnel ID    : 87.2
    Local Addr   : AA.BB.31.128/255.255.255.128/0/0
    Remote Addr  : CC.DD.EE.32/255.255.255.240/0/0
    Encryption   : AES256
    Hashing      : SHA512
    Encapsulation: Tunnel
    PFS Group    : 21
    Rekey Int (T): 28800 Seconds
    Rekey Left(T): 25890 Seconds
    Rekey Int (D): 4608000 K-Bytes
    Rekey Left(D): 4607830 K-Bytes
    Idle Time Out: 30 Minutes
    Idle TO Left : 29 Minutes
    Bytes Tx     : 0
    Bytes Rx     : 4737960
    Pkts Tx      : 0
    Pkts Rx      : 39483

and, not surprisingly, they reject packets sent to them for AA.BB.30.128/25 ("The decapsulated inner packet doesn't match the negotiated policy in the SA").

I do have tunnels up and working correctly with multiple child SAs, but those are only iked<>iked.

Has anyone seen anything like this? Any ideas gratefully received...
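A consistency check for the mismatch described in the post, added here as example code (not from the post, iked or Cisco): it parses ipsecctl-style flow lines and the Cisco-side "Local Addr / Remote Addr" listing, normalises both to (local, remote) selector pairs from the iked side's point of view, and reports which selectors the peer has no child SA for. The addresses are constructed RFC 5737 samples standing in for the masked XXX/YYY/AA.BB ones in the post.

```python
import ipaddress
import re

# Constructed sample modelled on the ipsecctl -sa flow lines in the post:
# 192.0.2.32/28 stands in for CC.DD.EE.32/28, the two 198.51.100.x/25
# networks for AA.BB.30.128/25 and AA.BB.31.128/25.
IKED_FLOWS = """\
flow esp in from 198.51.100.0/25 to 192.0.2.32/28 peer 203.0.113.1 type require
flow esp in from 198.51.100.128/25 to 192.0.2.32/28 peer 203.0.113.1 type require
flow esp out from 192.0.2.32/28 to 198.51.100.0/25 peer 203.0.113.1 type require
flow esp out from 192.0.2.32/28 to 198.51.100.128/25 peer 203.0.113.1 type require
"""
# Constructed sample of the Cisco-side listing from the post (only one child SA;
# Local/Remote are from the Cisco's point of view, mask given as dotted netmask).
CISCO_SAS = """\
    Tunnel ID    : 87.2
    Local Addr   : 198.51.100.128/255.255.255.128/0/0
    Remote Addr  : 192.0.2.32/255.255.255.240/0/0
    Encryption   : AES256
"""
FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+)")
ADDR_RE = re.compile(r"^\s*(Local|Remote) Addr\s*:\s*([\d.]+)/([\d.]+)/")


def iked_selectors(text):
    """(local, remote) network pairs that iked has installed flows for."""
    pairs = set()
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            direction, src, dst = m.groups()
            local, remote = (dst, src) if direction == "in" else (src, dst)
            pairs.add((str(ipaddress.ip_network(local)), str(ipaddress.ip_network(remote))))
    return pairs


def cisco_selectors(text):
    """(local, remote) pairs seen by the peer, swapped into our point of view."""
    pairs, current = set(), {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            current[side] = str(ipaddress.ip_network(f"{addr}/{mask}"))  # netmask -> prefix
            if "Local" in current and "Remote" in current:
                pairs.add((current["Remote"], current["Local"]))  # their Remote is our local
                current = {}
    return pairs


def missing_on_peer(iked_text, cisco_text):
    """Selectors iked has flows for but the peer reports no child SA for."""
    missing = iked_selectors(iked_text) - cisco_selectors(cisco_text)
    return sorted(f"{local} -> {remote}" for local, remote in missing)
```

Running `missing_on_peer(IKED_FLOWS, CISCO_SAS)` on the samples names the one selector the Cisco side never installed, the same one whose packets it rejects as not matching the negotiated policy.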