Bug #10985

closed

IPSec IKEv2 BINAT multiple Phase 2 issue

Added by Christian Wall over 4 years ago. Updated over 4 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 10/16/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture: All

Description

We moved one IPsec VPN tunnel from IKEv1 to IKEv2. We have two P2 entries and both of them are using BINAT with the same single address:

First Entry:
Left Network: 172.16.10.0/24
BINAT: 10.10.10.10/32
Right Network: 172.16.250.0/24

Second Entry:
Left Network: 10.0.9.0/24
BINAT: 10.10.10.10/32
Right Network: 172.16.250.0/24

The connection gets established, but we cannot access the remote side when we are coming from 10.0.9.0/24.
The SPDs look like this:
172.16.250.0/24 - 10.10.10.10 - Inbound - ESP xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy
172.16.10.0/24 - 172.16.250.0/24 - Outbound - ESP yyy.yyy.yyy.yyy -> xxx.xxx.xxx.xxx

So the SPD for 10.0.9.0/24 is not generated.
As soon as we activate the option "Split connections" at Phase 1, it starts to work and the missing SPD for 10.0.9.0/24 gets generated.
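
The following is an added example, not part of the original report and not pfSense code: a small checker that compares the two Phase 2 entries above against the SPD listing and reports which policy is absent. It assumes the SPD line format shown in the report and infers the expected policy pattern (outbound real left network to right network, inbound right network to BINAT address) from the entry that does appear; the function names are hypothetical.

```python
import ipaddress

# Phase 2 entries from the report: (left network, BINAT address, right network)
PHASE2 = [
    ("172.16.10.0/24", "10.10.10.10/32", "172.16.250.0/24"),
    ("10.0.9.0/24", "10.10.10.10/32", "172.16.250.0/24"),
]

# SPD listing from the report (tunnel endpoints are masked there as well)
SPD_REPORTED = """
172.16.250.0/24 - 10.10.10.10 - Inbound - ESP xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy
172.16.10.0/24 - 172.16.250.0/24 - Outbound - ESP yyy.yyy.yyy.yyy -> xxx.xxx.xxx.xxx
"""

def net(text):
    """Normalise '10.10.10.10' and '10.10.10.10/32' to the same string."""
    return str(ipaddress.ip_network(text.strip()))

def parse_spd(listing):
    """Return {(src, dst, direction)} from 'src - dst - Direction - ESP ...' lines."""
    policies = set()
    for line in listing.strip().splitlines():
        fields = line.split(" - ")
        if len(fields) < 3:
            continue  # not a policy line
        policies.add((net(fields[0]), net(fields[1]), fields[2].strip().lower()))
    return policies

def expected_policies(phase2):
    """Assumed pattern, taken from the entry that works in the report:
    outbound real-left -> right, inbound right -> BINAT address."""
    expected = []
    for left, binat, right in phase2:
        for policy in ((net(left), net(right), "outbound"),
                       (net(right), net(binat), "inbound")):
            if policy not in expected:  # both entries share one inbound policy
                expected.append(policy)
    return expected

def missing_policies(phase2, listing):
    """List expected policies that are not present in the SPD listing."""
    installed = parse_spd(listing)
    return [p for p in expected_policies(phase2) if p not in installed]

if __name__ == "__main__":
    for src, dst, direction in missing_policies(PHASE2, SPD_REPORTED):
        print(f"missing {direction} policy: {src} -> {dst}")
```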
