Cannot add multiple Interfaces to IPSec VPN encryption domain. #2120
Comments
This is not possible with the software behind it (strongSwan). You can only have one network as source and destination for every SA, but you can have as many SAs as you want. There is no real encryption domain like with other vendors (Cisco ASA), but you won't get into any trouble creating multiple SAs.
I tried creating multiple phase 2 entries for multiple interface networks but it didn't work.
Can you give me an example? Perhaps I'm too stupid to get it .. I can set interface subnets or edit networks manually in a P2 so I don't see any problem ..
Yes, even I can set interface subnets or add a network if I add a new phase 2 rule, but when a VPN is established I am not seeing that network in the SPD (Security Policy Database).
Perhaps because the other side is misconfigured and that's the reason the VPN isn't fully established?
What type of device is on the other end?
Also, you haven't mentioned which IKE version...
Sorry, this is for an IKEv1 roadwarrior remote access connection. I am connecting from my Android mobile.
I too am having the same issue. No trouble getting my first phase 2 to work, but the second will not work at all. The goal is to have my remote site route to my primary site, which has multiple networks (and routes to other remote networks). The issue is seen with both IKEv1 and IKEv2. I am on the latest release.
Do you have trouble adding it, or doesn't it just come up?
With IKEv2, you can set "Tunnel Isolation" in your phase 1. But if the issue is also on IKEv1, that would indicate it's another issue that is almost impossible to debug without logs from both sides. I have a FortiGate device that would always take none but the last phase 2 and the "Tunnel Isolation" mode is what made this work.
I'll have to try Tunnel Isolation. The issue is that my first phase 2 will work, with the subnet of my choice (it happens to be 10.1.10.0/24, but 0.0.0.0/0 does the trick as well). The second phase 2 never works. The other side of the tunnel has a route to 10.70.1.0/24, but I can't hit those IPs from my remote site. @mimugmail to answer your question, I can add the second phase 2 just fine. It just does not come up / route traffic.
This is likely impossible to fix without knowing the logs of both sides and also the config of the other side.
Sure, I'll get them when I can. Should be soon.
There is no option to add multiple networks to the IPSec VPN encryption domain. The only option is to add an interface network in the phase 2 configuration, but even if we add multiple phase 2 parameters to include multiple interface networks, they won't show up under the active tunnel and we cannot access those networks over the tunnel (only the first phase 2 config is accepted). Please provide a method to use subnets instead of interface networks in the VPN encryption domain.
Thank you,
Regards,
Bobby Thomas
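As an added example that is not part of this issue thread or of the project's own code: the model described above, one traffic-selector pair per CHILD_SA (phase 2) and one CHILD_SA per network, written as a strongSwan swanctl.conf fragment for an IKEv2 site-to-site tunnel. 10.1.10.0/24 and 10.70.1.0/24 are the networks named in the thread; the WAN addresses, the 192.168.50.0/24 local LAN, the identities and the PSK are constructed placeholders.

```conf
connections {
    site-to-primary {
        version = 2                       # IKEv2; IKEv1 is limited to one selector pair per SA
        local_addrs  = 203.0.113.10       # constructed placeholder: remote-site WAN address
        remote_addrs = 198.51.100.20      # constructed placeholder: primary-site WAN address
        proposals = aes256-sha256-x25519  # IKE_SA proposal
        local {
            auth = psk
            id = remote-site.example      # constructed identity
        }
        remote {
            auth = psk
            id = primary-site.example     # constructed identity
        }
        children {
            # One CHILD_SA per remote network. Each child installs its own SPD policy,
            # which is what "multiple SAs instead of an encryption domain" amounts to.
            to-net-10-1-10 {
                local_ts  = 192.168.50.0/24   # constructed: the remote site's LAN
                remote_ts = 10.1.10.0/24      # first network behind the primary site
                esp_proposals = aes256gcm16-x25519
                start_action = start
            }
            to-net-10-70-1 {
                local_ts  = 192.168.50.0/24
                remote_ts = 10.70.1.0/24      # second network behind the primary site
                esp_proposals = aes256gcm16-x25519
                start_action = start
            }
        }
    }
}

secrets {
    ike-primary {
        id = primary-site.example
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"   # placeholder, not a real secret
    }
}
```

After `swanctl --load-all`, `swanctl --list-sas` should show both children under the one IKE_SA and `swanctl --list-pols` (or `ip xfrm policy` on Linux) should show a policy entry for each selector pair; a network missing from that listing means its CHILD_SA was never negotiated, which is the symptom reported above and is decided by the peer's answer to the second CREATE_CHILD_SA, so the peer's log is the place to look. strongSwan itself also accepts a comma-separated list in `local_ts`/`remote_ts` for IKEv2, but many peers narrow that to a single selector, so one child per network is the interoperable layout.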