
Bug #10985

closed

IPSec IKEv2 BINAT multiple Phase 2 issue

Added by Christian Wall over 4 years ago. Updated over 4 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 10/16/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture: All

Description

We moved one IPsec VPN tunnel from IKEv1 to IKEv2. We have two P2 entries, and both of them use BINAT with the same single address:

First entry:
Left Network: 172.16.10.0/24
BINAT: 10.10.10.10/32
Right Network: 172.16.250.0/24

Second entry:
Left Network: 10.0.9.0/24
BINAT: 10.10.10.10/32
Right Network: 172.16.250.0/24

The connection gets established, but we cannot access the remote side when we are coming from 10.0.9.0/24.
The SPDs look like this:
172.16.250.0/24 - 10.10.10.10 - Inbound - ESP xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy
172.16.10.0/24 - 172.16.250.0/24 - Outbound - ESP yyy.yyy.yyy.yyy -> xxx.xxx.xxx.xxx

So the SPD for 10.0.9.0/24 is not generated.
As soon as we activate the option "Split connections" at Phase 1 it starts to work and the missing SPD for 10.0.9.0/24 gets generated.
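The check the reporter performed by hand, comparing the configured Phase 2 entries against the installed SPDs, can be automated. The following is an added example written for this page, not pfSense code and not the reporter's. It assumes the SPD listing has the line shape pasted above (src - dst - direction - ESP peer -> peer) and models the expectation, taken from the two SPDs the reporter listed, that each Phase 2 entry should yield one outbound SPD from its left network to its right network and one inbound SPD from the right network to the BINAT address. Both the sample Phase 2 entries and the SPD dump are constructed from the report.

```python
import ipaddress
import re

# Constructed sample: the two Phase 2 entries from the report.
PHASE2 = [
    {"local": "172.16.10.0/24", "binat": "10.10.10.10/32", "remote": "172.16.250.0/24"},
    {"local": "10.0.9.0/24",    "binat": "10.10.10.10/32", "remote": "172.16.250.0/24"},
]

# Constructed sample: the SPD listing as pasted in the report (peer addresses masked).
SPD_DUMP = """\
172.16.250.0/24 - 10.10.10.10 - Inbound - ESP xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy
172.16.10.0/24 - 172.16.250.0/24 - Outbound - ESP yyy.yyy.yyy.yyy -> xxx.xxx.xxx.xxx
"""

# Assumed line format: "<src> - <dst> - <Inbound|Outbound> - ESP <peer> -> <peer>"
SPD_RE = re.compile(r"^(\S+) - (\S+) - (Inbound|Outbound) - ESP ")


def norm(net):
    """Normalise a host or network string so 10.10.10.10 and 10.10.10.10/32 compare equal."""
    return str(ipaddress.ip_network(net, strict=False))


def parse_spd(dump):
    """Return the set of (src, dst, direction) selectors found in the SPD text."""
    entries = set()
    for line in dump.splitlines():
        m = SPD_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an SPD line
        src, dst, direction = m.groups()
        entries.add((norm(src), norm(dst), direction))
    return entries


def expected_spds(phase2):
    """Map each selector we expect to the Phase 2 local network that requires it.

    Assumption (matches the two SPDs in the report): outbound SPD is
    local -> remote, inbound SPD is remote -> BINAT address. Two entries that
    share the same BINAT address and remote network share one inbound selector.
    """
    expected = {}
    for p2 in phase2:
        local, remote, binat = norm(p2["local"]), norm(p2["remote"]), norm(p2["binat"])
        expected[(local, remote, "Outbound")] = local
        expected[(remote, binat, "Inbound")] = local
    return expected


def missing_spds(phase2, dump):
    """Return the expected selectors that are absent from the SPD dump, sorted."""
    present = parse_spd(dump)
    return sorted(sel for sel in expected_spds(phase2) if sel not in present)


if __name__ == "__main__":
    for src, dst, direction in missing_spds(PHASE2, SPD_DUMP):
        print(f"missing {direction} SPD: {src} -> {dst}")
```

Run against the report's data it flags exactly one gap, the outbound selector 10.0.9.0/24 -> 172.16.250.0/24, which is the SPD the reporter says only appears once "Split connections" is enabled. Feeding it a dump that contains that line returns an empty list.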

Actions #1

Updated by Viktor Gurov over 4 years ago

  • Category set to IPsec
  • Status changed from New to Rejected

The “split connections” option is used for interoperability with third-party devices that do not support multiple traffic selectors on one child SA (Cisco ASA, others).

see #4704

Actions #2

Updated by Christian Wall over 4 years ago

Yes, I know, but the issue is not the other side; the problem is the pfSense side.

Actions #3

Updated by Viktor Gurov over 4 years ago

Christian Wall wrote:

Yes, I know, but the issue is not the other side; the problem is the pfSense side.

Please use https://forum.netgate.com/ for further discussion
