I have configured a 1781VA running 10.00.0170RU2 as an IKEv2/IKEcfg client; it is assigned addresses in 172.31.255/24, which are used as BGP endpoints.
Now routes occasionally arrive via BGP that fall within the range of this connection's VPN policies.
The policy DB looks like this:
Code:
VPN SPD and IKE configuration:
# of rules = 2
Rule #1 ikev2 0.0.0.0/0.0.0.0:0 <-> 172.31.255.2/255.255.255.255:0 any
Name: VPN-DDD
Unique Id: ipsec-1-VPN-DDD-pr0-l0-r0
Flags: IKE_SA_INIT ikecfg
Local Network: IPV4_ADDR_SUBNET(any:0, 0.0.0.0/0.0.0.0)
Local Gateway: IPV4_ADDR(any:0, 87.179.111.111)
Remote Gateway: IPV4_ADDR(any:0, 217.61.111.111)
Remote Network: IPV4_ADDR_SUBNET(any:0, 172.31.255.2/255.255.255.255)
Rule #2 ikev2 10.1.0.0/255.255.0.0:0 <-> 10.0.0.0/255.0.0.0:0 any
Name: VPN-DDD
Unique Id: ipsec-0-VPN-DDD-pr0-l0-r0
Flags: IKE_SA_INIT ikecfg
Local Network: IPV4_ADDR_SUBNET(any:0, 10.1.0.0/255.255.0.0)
Local Gateway: IPV4_ADDR(any:0, 87.179.111.111)
Remote Gateway: IPV4_ADDR(any:0, 217.61.111.111)
Remote Network: IPV4_ADDR_SUBNET(any:0, 10.0.0.0/255.0.0.0)
Code:
SA-REPORT
SA: Peer VPN-DDD, IKE_SA ikev2
Flags 0x00100041 Ready
VLAN-ID 0, HW switch port 0, Routing-tag 0, Com-channel 1
Dead Peer Detection 30s
authentication method: RSA_SIG (1)
encryption AES_CBC_256 prf SHA-256 hash SHA-256
initiator spi: 0x00674796ceb61bef
responder spi: 0x006252e4d54f5db1
life secs 108000 rekeying_in 84168 secs life_cnt_sec 105768 secs kb 0 byte_cnt 0
initiator id: CN=gwwww,OU=devices,O=xxxx,C=de, responder id: CN=gwddd,OU=devices,O=xxxx,C=de,
src: 87.179.111.111 dst: 217.61.111.111
Config Client:
Assigned IPv4 Address: 172.31.255.111
Assigned IPv4 DNS Servers: 10.2.20.1
SA: Peer VPN-DDD, Rule IPSEC-0-VPN-DDD-PR0-L0-R0 CHILD_SA ikev2
Flags 0x00001001 Ready
VLAN-ID 0, HW switch port 0, Routing-tag 0, Com-channel 1
life secs 28800 rekeying_in 21741 secs life_cnt_sec 27501 secs kb 2000000 byte_cnt 1420
initiator id: CN=gwwww,OU=devices,O=xxxx,C=de, responder id: CN=gwddd,OU=devices,O=xxxx,C=de,
src: 87.179.111.111 dst: 217.61.111.111
10.1.0.0/16 <-> 10.2.0.0/16
proposal 1 protocol IPSEC_ESP algorithm AES_CBC_256 hash HMAC-SHA-256
spi[outgoing] 0x000e4de3
spi[incoming] 0x00933bc8
Code:
ping -a 10.1.20.1 10.70.30.1
...
[VPN-Packet] 2017/07/10 17:32:19,900
no sa available: give up [2], should be retransmitted: 10.1.20.1->10.70.30.1 84 ICMP ECHOREQUEST
...
[VPN-Status] 2017/07/10 17:32:19,900
IKE info: exchange_v2_establish: a READY Phase-2 SA for rule ipsec-0-VPN-DDD-pr0-l0-r0 is already established. No need to reestablish it (sa 0471b4a0, flags 00001001)
...
[VPN-Packet] 2017/07/10 17:32:20,896
no sa available: give up [2], should be retransmitted: 10.1.20.1->10.70.30.1 84 ICMP ECHOREQUEST
Is this a bug? In any case it limits the usability of my IKEv2 & BGP setup.
It is also interesting that traffic coming from the other side does set up the CHILD_SA:
Code:
[VPN-Packet] 2017/07/10 17:48:49,825
no sa available: give up [2], should be retransmitted: 10.70.30.1->10.1.20.1 84 ICMP ECHOREQUEST
...
[VPN-Status] 2017/07/10 17:48:50,317
Peer XXXX-INTERSITE: Constructing an CREATE_CHILD_SA-REQUEST for send
Starting a CHILD_SA negotiation for IPSEC-0-XXXX-INTERSITE-PR0-L0-R0
CHILD_SA:
Proposal 1 Protocol IPSEC_ESP incoming SPI 0x0013A1F4
ENCR : AES_CBC-256
INTEG: SHA-256 SHA1
DH : 14
+TSi 0: ( 0, 0-65535, 10.70.30.1-10.70.30.1 )
+TSi 1: ( 0, 0-65535, 10.64.0.0-10.79.255.255 )
+TSr 0: ( 0, 0-65535, 10.1.20.1-10.1.20.1 )
+TSr 1: ( 0, 0-65535, 10.0.0.0-10.255.255.255 )
+KE-DH-Group 14 (2048 bits)
Sending an CREATE_CHILD_SA-REQUEST of 512 bytes (encrypted)
...
CHILD_SA [initiator] done with 2 SAS for peer XXXX-INTERSITE rule IPSEC-0-XXXX-INTERSITE-PR0-L0-R0
217.61.111.111:500<--87.179.111.111:500, VLAN-ID 0, HW switch port 0, Routing tag 0, Com-channel 1
rule:' ipsec 10.64.0.0/12 <-> 10.1.0.0/16
SA ESP [0x00514D87] alg AES_CBC keylength 256 +hmac HMAC-SHA-256 outgoing
SA ESP [0x0013A1F4] alg AES_CBC keylength 256 +hmac HMAC-SHA-256 incoming
life time soft 07/11/2017 00:12:50 (in 23040 sec) / 1600000 kb
life time hard 07/11/2017 01:48:50 (in 28800 sec) / 2000000 kb
tunnel between src: 217.61.111.111 dst: 87.179.111.111
The difference: that side is the IKE config server (a 1781EW with 9.24.0212RU4).
Best regards,
Andreas
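As an added example (not code from the post above and not LANCOM firmware code), the following script reproduces the check a practitioner would run on the two outputs quoted in the post: it takes the SPD rules and the CHILD_SA selectors that were actually negotiated, and classifies a flow as carried by an existing CHILD_SA, covered by policy but by no CHILD_SA (so a new CREATE_CHILD_SA would be required), or not covered at all. It also models responder-side traffic-selector narrowing as range intersection in the spirit of RFC 7296 section 2.9, applied to the TSi/TSr lists from the CREATE_CHILD_SA-REQUEST in the post. The rule names, networks and addresses are transcribed from the post; port numbers are ignored, and the `Selector`/`Rule` classes and `classify`/`narrow` functions are this example's own constructions.

```python
"""Added example: IKEv2 traffic-selector coverage check (not LANCOM code).

Sample data is transcribed from the post's "VPN SPD and IKE configuration"
and SA-REPORT output. Ports are ignored; narrowing is modelled as the
intersection of address ranges (RFC 7296, section 2.9 allows the responder
to select a subset of the proposed selectors).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network, summarize_address_range
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    """One IPv4 traffic selector as an inclusive address range."""
    lo: IPv4Address
    hi: IPv4Address

    @classmethod
    def net(cls, cidr: str) -> "Selector":
        n = ip_network(cidr, strict=False)
        return cls(n.network_address, n.broadcast_address)

    def contains(self, addr: IPv4Address) -> bool:
        return self.lo <= addr <= self.hi

    def intersect(self, other: "Selector") -> Optional["Selector"]:
        lo, hi = max(self.lo, other.lo), min(self.hi, other.hi)
        return Selector(lo, hi) if lo <= hi else None

    def __str__(self) -> str:
        if self.lo == self.hi:
            return str(self.lo)
        nets = list(summarize_address_range(self.lo, self.hi))
        return str(nets[0]) if len(nets) == 1 else f"{self.lo}-{self.hi}"


@dataclass(frozen=True)
class Rule:
    """An SPD rule or an established CHILD_SA: name plus local/remote selectors."""
    name: str
    local: Selector
    remote: Selector

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return self.local.contains(src) and self.remote.contains(dst)


# Constructed from the post: the SPD on the 1781VA (IKEcfg client side) ...
SPD = [
    Rule("ipsec-1-VPN-DDD-pr0-l0-r0", Selector.net("0.0.0.0/0"), Selector.net("172.31.255.2/32")),
    Rule("ipsec-0-VPN-DDD-pr0-l0-r0", Selector.net("10.1.0.0/16"), Selector.net("10.0.0.0/8")),
]
# ... and the only CHILD_SA in SA-REPORT, negotiated as 10.1.0.0/16 <-> 10.2.0.0/16.
CHILD_SAS = [
    Rule("ipsec-0-VPN-DDD-pr0-l0-r0", Selector.net("10.1.0.0/16"), Selector.net("10.2.0.0/16")),
]


def classify(src: str, dst: str, spd=SPD, child_sas=CHILD_SAS) -> Tuple[str, Optional[str]]:
    """("sa", name) if an existing CHILD_SA carries the flow; ("policy-only", name) if an
    SPD rule covers it but no CHILD_SA does, i.e. a CREATE_CHILD_SA would be needed;
    ("none", None) if no policy applies at all."""
    s, d = ip_address(src), ip_address(dst)
    for sa in child_sas:
        if sa.matches(s, d):
            return ("sa", sa.name)
    for rule in spd:
        if rule.matches(s, d):
            return ("policy-only", rule.name)
    return ("none", None)


def narrow(tsi: List[Selector], tsr: List[Selector], responder_rule: Rule):
    """Responder-side narrowing: keep each proposed selector's intersection with the
    responder's own rule. The initiator's TSi is the responder's remote side and TSr its
    local side. Selectors with no overlap are dropped; empty results mean TS_UNACCEPTABLE."""
    ni = [x for x in (t.intersect(responder_rule.remote) for t in tsi) if x is not None]
    nr = [x for x in (t.intersect(responder_rule.local) for t in tsr) if x is not None]
    return ni, nr


if __name__ == "__main__":
    # The ping from the post (src 10.1.20.1) against three destinations.
    for dst in ("10.2.20.1", "10.70.30.1", "192.168.1.1"):
        print(f"10.1.20.1 -> {dst}: {classify('10.1.20.1', dst)}")
    # The CREATE_CHILD_SA-REQUEST from the post, seen from the 1781VA as responder:
    # the triggering packet's addresses come first, the full ranges second.
    tsi = [Selector.net("10.70.30.1/32"), Selector.net("10.64.0.0/12")]
    tsr = [Selector.net("10.1.20.1/32"), Selector.net("10.0.0.0/8")]
    ni, nr = narrow(tsi, tsr, SPD[1])
    print("narrowed TSi:", [str(x) for x in ni], "TSr:", [str(x) for x in nr])
```

Running it shows the mismatch from the post directly: 10.1.20.1 -> 10.70.30.1 is covered by rule ipsec-0 (remote 10.0.0.0/8) but by no negotiated CHILD_SA, so the "no sa available" packet trace and the "already established" status line refer to the same rule while the flow itself has no SA. The narrowing result, 10.64.0.0/12 on the peer's side and 10.1.0.0/16 on the 1781VA's side, matches the `rule:' ipsec 10.64.0.0/12 <-> 10.1.0.0/16` line in the 1781EW log.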