Sunday, May 03, 2020

IKE Multi site-to-site fails

Good morning,

I am trying to connect two remote locations to our main responder. The
issue I am facing is that I can connect each site individually without
any issue; however, I cannot connect both sites at the same time. The
sites are connected to the Internet via dial-up connections with dynamic
IPs from the same provider. Hence, creating a specific peer rule for
each site doesn't work. Is there a way to have both sites connect to the
responder? With the confs as below, only site B can connect, while site
A fails since it uses the "main_to_siteB" conf on the responder. If I
add quick to the "main_to_siteA" conf on the responder, site A works but
B fails as it uses the site A config. Responder and both initiators run
on 6.6 stable.

Any help or suggestions are greatly appreciated.

Best,

Florian


The iked.conf for responder looks like this:
ikev2 'main_to_siteA' passive ipcomp esp \
        from 0.0.0.0/0 to 10.8.2.1/32 \
        from 0.0.0.0/0 to 192.168.30.0/24 \
        from 0.0.0.0/0 to 192.168.37.0/24 \
        from 0.0.0.0/0 to 10.253.0.0/24 \
        local A.B.C.D peer $provider \
        srcid A.B.C.D \
        psk "siteApass" \
        tag "$name-$id"

ikev2 'main_to_siteB' passive ipcomp esp \
        from 0.0.0.0/0 to 10.8.1.1/32 \
        from 0.0.0.0/0 to 192.168.41.0/24 \
        from 0.0.0.0/0 to 192.168.47.0/24 \
        local A.B.C.D peer $provider \
        srcid A.B.C.D \
        psk "siteBpass" \
        tag "$name-$id"

For site A:

ikev2 'site_a_to_main' active esp \
        from 10.8.2.1/32 to 0.0.0.0/0 \
        from 192.168.30.0/24 to 0.0.0.0/0 \
        from 192.168.37.0/24 to 0.0.0.0/0 \
        from 10.253.0.0/24 to 0.0.0.0/0 \
        peer A.B.C.D \
        srcid E.F.G.H \
        dstid A.B.C.D \
        psk "siteApass"

For site B:

ikev2 'site_b_to_main' active esp \
        from 10.8.1.1/32 to 0.0.0.0/0 \
        from 192.168.41.0/24 to 0.0.0.0/0 \
        from 192.168.47.0/24 to 0.0.0.0/0 \
        peer A.B.C.D \
        srcid I.J.K.L \
        dstid A.B.C.D \
        psk "siteBpass"
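The following is an added example and not part of Florian's post. It shows how the same two-site setup can be expressed so that the responder selects the policy by the initiator's IKE ID rather than by its source address, which is what breaks when both dial-up sites come from the same provider range: with `peer $provider` on both policies, iked uses the last policy that matches the address, so one site always lands on the other site's PSK. With `peer any` and a distinct `dstid` per policy, each IKE_AUTH is matched against the ID the initiator presents, and since that ID is a name rather than the (changing) dial-up address, it stays stable. The IDs `siteA.example.org` and `siteB.example.org` are assumed placeholders; the networks, the responder address A.B.C.D and the PSKs are the ones from the post.

```conf
# Responder /etc/iked.conf (added example). Both policies accept any peer
# address; the initiator's ID (dstid) decides which policy, and hence which
# PSK, applies. siteA.example.org / siteB.example.org are assumed names.
ikev2 'main_to_siteA' passive ipcomp esp \
        from 0.0.0.0/0 to 10.8.2.1/32 \
        from 0.0.0.0/0 to 192.168.30.0/24 \
        from 0.0.0.0/0 to 192.168.37.0/24 \
        from 0.0.0.0/0 to 10.253.0.0/24 \
        local A.B.C.D peer any \
        srcid A.B.C.D dstid siteA.example.org \
        psk "siteApass" \
        tag "$name-$id"

ikev2 'main_to_siteB' passive ipcomp esp \
        from 0.0.0.0/0 to 10.8.1.1/32 \
        from 0.0.0.0/0 to 192.168.41.0/24 \
        from 0.0.0.0/0 to 192.168.47.0/24 \
        local A.B.C.D peer any \
        srcid A.B.C.D dstid siteB.example.org \
        psk "siteBpass" \
        tag "$name-$id"

# Site A /etc/iked.conf (added example). The dial-up address changes, so the
# local ID is a fixed name that matches the responder's dstid, not the IP.
ikev2 'site_a_to_main' active esp \
        from 10.8.2.1/32 to 0.0.0.0/0 \
        from 192.168.30.0/24 to 0.0.0.0/0 \
        from 192.168.37.0/24 to 0.0.0.0/0 \
        from 10.253.0.0/24 to 0.0.0.0/0 \
        peer A.B.C.D \
        srcid siteA.example.org dstid A.B.C.D \
        psk "siteApass"

# Site B /etc/iked.conf (added example).
ikev2 'site_b_to_main' active esp \
        from 10.8.1.1/32 to 0.0.0.0/0 \
        from 192.168.41.0/24 to 0.0.0.0/0 \
        from 192.168.47.0/24 to 0.0.0.0/0 \
        peer A.B.C.D \
        srcid siteB.example.org dstid A.B.C.D \
        psk "siteBpass"
```

Because the two responder policies now differ in `dstid`, a given initiator matches exactly one of them and no `quick` is needed. Check the syntax on each box with `iked -nf /etc/iked.conf` before restarting, and run `iked -dvv` in the foreground on the responder to watch which policy each IKE_AUTH is matched against.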
