From: Tom Smyth
Subject: Re: iked <> cisco, anyone seen issues with multiple childsa with one endpoint?
To: tech
Date: Fri, 19 Jul 2024 12:38:23 +0100

Hi Stuart,

I ran into this issue while using iked on OpenBSD and Fortinet, ... I think there was a limit of 4 subnet IPsec policies that I could have; any more and we would see SAs dropping off (never more than 4 of them). The workaround I used was to use subnet summarisation (on both sides of the tunnel policies).

I hope this helps,

On Fri, 19 Jul 2024 at 11:05, Stuart Henderson wrote:
>
> (I posted this elsewhere, thought I'd widen the audience a bit;
> if anyone saw it there, there's no additional information in this mail,
> just tweaked a bit)
>
> I'm trying to bring up an ikev2 tunnel to another organisation who are
> using some Cisco device their side and having some issues when it's
> configured with two child SAs -
>
> flow esp in from AA.BB.30.128/25 to CC.DD.EE.32/28 peer YYY srcid IPV4/XXX dstid IPV4/YYY type require
> flow esp in from AA.BB.31.128/25 to CC.DD.EE.32/28 peer YYY srcid IPV4/XXX dstid IPV4/YYY type require
> flow esp out from CC.DD.EE.32/28 to AA.BB.30.128/25 peer YYY srcid IPV4/XXX dstid IPV4/YYY type require
> flow esp out from CC.DD.EE.32/28 to AA.BB.31.128/25 peer YYY srcid IPV4/XXX dstid IPV4/YYY type require
> esp tunnel from XXX to YYY spi 0x897e89d7 auth hmac-sha2-512 enc aes-256
> esp tunnel from YYY to XXX spi 0xee8ff7ad auth hmac-sha2-512 enc aes-256
>
> ikev2 "ABC" active tunnel esp \
>     from CC.DD.EE.32/28 to AA.BB.30.128/25 \
>     from CC.DD.EE.32/28 to AA.BB.31.128/25 \
>     local XXX peer YYY \
>     ikesa auth hmac-sha2-512 enc aes-256 group ecp521 \
>     childsa auth hmac-sha2-512 enc aes-256 group ecp521 \
>     srcid XXX dstid YYY \
>     ikelifetime 86400 \
>     lifetime 28800 \
>     psk ZZZ \
>     tag "ABC"
>
> Both are showing up my side:
>
> I don't have direct access to the other side but they're telling me
> that they only see one phase2 up:
>
> IPsec:
>       Tunnel ID    : 87.2
>       Local Addr   : AA.BB.31.128/255.255.255.128/0/0
>       Remote Addr  : CC.DD.EE.32/255.255.255.240/0/0
>       Encryption   : AES256           Hashing      : SHA512
>       Encapsulation: Tunnel           PFS Group    : 21
>       Rekey Int (T): 28800 Seconds    Rekey Left(T): 25890 Seconds
>       Rekey Int (D): 4608000 K-Bytes  Rekey Left(D): 4607830 K-Bytes
>       Idle Time Out: 30 Minutes       Idle TO Left : 29 Minutes
>       Bytes Tx     : 0                Bytes Rx     : 4737960
>       Pkts Tx      : 0                Pkts Rx      : 39483
>
> and not surprisingly they reject packets sent to them for
> AA.BB.30.128/25 ("The decapsulated inner packet doesn't match the
> negotiated policy in the SA").
>
> I do have tunnels up and working correctly with multiple child SAs,
> but those are only iked<>iked.
>
> Has anyone seen anything like this? Any ideas gratefully received...
>

--
Kindest regards,
Tom Smyth.
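Added example (editor's note, not code from either post or from OpenBSD): the posted ipsecctl output has one SPI pair (0x897e89d7 / 0xee8ff7ad) shared by all four flows, so iked negotiated a single child SA carrying two traffic selectors, while the Cisco side reports only the AA.BB.31.128/25 selector. The script below parses flow lines in that format, reports which configured selector pairs the peer did not negotiate, checks whether a given inner packet would match the peer's policy (the rejection Stuart quotes), and computes the summary prefix that Tom's workaround would need. The addresses are constructed documentation prefixes standing in for the redacted AA.BB / CC.DD.EE / XXX / YYY values; `ipsecctl -sf` is assumed as the source of the flow lines.

```python
"""Reconcile local iked flows with the selector a peer says it negotiated.

Added example for the thread above; it is not code from the posts or from
OpenBSD. The sample flow lines and the peer's reported policy are
constructed from the shape of the posted output, with documentation
prefixes standing in for the redacted AA.BB / CC.DD.EE / XXX / YYY values.
"""
import ipaddress
import re

# Constructed sample in the format of `ipsecctl -sf` (placeholder addresses).
LOCAL_FLOWS = """\
flow esp in from 10.1.30.128/25 to 192.0.2.32/28 peer 203.0.113.2 srcid IPV4/198.51.100.1 dstid IPV4/203.0.113.2 type require
flow esp in from 10.1.31.128/25 to 192.0.2.32/28 peer 203.0.113.2 srcid IPV4/198.51.100.1 dstid IPV4/203.0.113.2 type require
flow esp out from 192.0.2.32/28 to 10.1.30.128/25 peer 203.0.113.2 srcid IPV4/198.51.100.1 dstid IPV4/203.0.113.2 type require
flow esp out from 192.0.2.32/28 to 10.1.31.128/25 peer 203.0.113.2 srcid IPV4/198.51.100.1 dstid IPV4/203.0.113.2 type require
"""

# The single (remote-side net, our net) pair the peer reports for its phase 2,
# mirroring the "Local Addr / Remote Addr" lines of the Cisco output (constructed).
PEER_POLICY = [("10.1.31.128/25", "192.0.2.32/28")]

FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")


def parse_flows(text):
    """Parse flow lines into (direction, remote_net, local_net).

    'in' flows are written from the remote net to ours, 'out' flows the other
    way round, so the pair is normalised to (remote, local) for comparison.
    """
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        direction, src, dst = m.group(1), m.group(2), m.group(3)
        remote, local = (src, dst) if direction == "in" else (dst, src)
        flows.append((direction, ipaddress.ip_network(remote), ipaddress.ip_network(local)))
    return flows


def missing_selectors(flows, peer_policy):
    """Selector pairs present in our flows that the peer did not negotiate."""
    peer = {(ipaddress.ip_network(r), ipaddress.ip_network(l)) for r, l in peer_policy}
    ours = {(r, l) for _, r, l in flows}
    return sorted(ours - peer, key=str)


def peer_accepts(inner_src, inner_dst, peer_policy):
    """Would the peer's negotiated policy cover a decapsulated packet we sent?

    Packets we send travel from our net to the remote net; a miss here is the
    'inner packet doesn't match the negotiated policy' case from the thread.
    """
    src, dst = ipaddress.ip_address(inner_src), ipaddress.ip_address(inner_dst)
    return any(src in ipaddress.ip_network(l) and dst in ipaddress.ip_network(r)
               for r, l in peer_policy)


def summary_prefix(networks):
    """Smallest single prefix covering all networks, plus the number of extra
    addresses it admits beyond the originals.

    This is the 'subnet summarisation' workaround; the extra count is the
    cost, since the widened selector must be configured on both sides.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    extra = summary.num_addresses - sum(n.num_addresses for n in nets)
    return summary, extra


if __name__ == "__main__":
    flows = parse_flows(LOCAL_FLOWS)
    for remote, local in missing_selectors(flows, PEER_POLICY):
        print(f"peer did not negotiate {remote} <-> {local}")
    print("peer accepts 192.0.2.33 -> 10.1.30.129:",
          peer_accepts("192.0.2.33", "10.1.30.129", PEER_POLICY))
    summary, extra = summary_prefix(["10.1.30.128/25", "10.1.31.128/25"])
    print(f"summary {summary} adds {extra} addresses not in the originals")
```

Run against the constructed input it reports the 10.1.30.128/25 pair as missing, shows a packet to that net failing the peer's policy, and finds that the two /25s only summarise to a /23, which admits 256 addresses neither original selector covered. That widening is the caveat with the summarisation workaround: both sides must agree to the broader selector, and any hosts in the extra space become reachable through the tunnel policy.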