DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2830 with multiple IPSec tunnels to same IP

12 Mar 2018 15:43 #1 by dansorion
Does the Vigor 2830 support multiple IPSec LAN-2-LAN tunnels to the same remote gateway IP address? We have a customer who requires us to have a separate tunnel for each IP address that we need to access in their network, and we have configured two tunnels with the appropriate settings. The only difference between these is the Remote Network IP and Mask settings, where each is set to the single IP address for the host that the tunnel should be used to access. We can bring up either tunnel on its own without any problems, but as soon as we try to have both up at once the earlier connected one will be dropped. We are working with our customer to determine if their Cisco ASA is at fault here, but they are adamant that initial investigation shows that it's our 2830 that is dropping the connection.

192.168.1.1 is a placeholder for the public IP for the Vigor; we only have 1 IP address assigned. For the tunnel we are using the following TCP/IP Network Settings (both have Server IP/Host Name for VPN in section 2 set to 10.1.1.1), where 10.2.2.2 is the remote LAN IP for VPN1, and 10.3.3.3 is the remote LAN IP for VPN2.

VPN1
My WAN IP: 0.0.0.0
Remote Gateway IP: 0.0.0.0
Remote Network IP: 10.2.2.2
Remote Network Mask: 255.255.255
Local Network IP: 192.168.1.1
Local Network Mask: 255.255.255.255


VPN2
My WAN IP: 0.0.0.0
Remote Gateway IP: 0.0.0.0
Remote Network IP: 10.3.3.3
Remote Network Mask: 255.255.255
Local Network IP: 192.168.1.1
Local Network Mask: 255.255.255.255

I've had to split the post into two parts to include the log, see below ...


12 Mar 2018 15:45 #2 by dansorion
Here's the log extract, with the IP addresses replaced (10.1.1.1 is the remote VPN IP address, 10.2.2.2 is the remote LAN IP for VPN1, and 10.3.3.3 is the remote LAN IP for VPN2).

Code:
2018-03-12 15:07:40 IKE_RELEASE VPN : L2L Dial-out, Profile index = 2, Name = VPN2, ifno = 12
2018-03-12 15:07:40 [L2L][DOWN][IPSec][@2:VPN2]
2018-03-12 15:07:36 [L2L][UP][IPSec][@1:VPN1]
2018-03-12 15:07:36 sent QI2, IPsec SA established with 10.1.1.1. In/Out Index: 0/-1
2018-03-12 15:07:36 IPsec SA #139 will be replaced after 2850 seconds
2018-03-12 15:07:36 Client L2L remote network setting is 10.2.2.2/32
2018-03-12 15:07:36 Start IKE Quick Mode to 10.1.1.1
2018-03-12 15:07:36 ISAKMP SA established with 10.1.1.1. In/Out Index: 0/-1
2018-03-12 15:07:36 ISAKMP SA #138 will be replaced after 19800 seconds
2018-03-12 15:07:36 NAT-Traversal: Using draft-ietf-ipsec-nat-t-ike-02/03, no NAT detected
2018-03-12 15:07:36 Initiating IKE Main Mode to 10.1.1.1
2018-03-12 15:07:36 Dialing Node1 (VPN1) : 10.1.1.1
2018-03-12 15:07:27 IKE_RELEASE VPN : L2L Dial-out, Profile index = 1, Name = VPN1, ifno = 11
2018-03-12 15:07:27 [L2L][DOWN][IPSec][@1:VPN1]
2018-03-12 15:07:25 [L2L][UP][IPSec][@2:VPN2]
2018-03-12 15:07:25 sent QI2, IPsec SA established with 10.1.1.1. In/Out Index: 0/-2
2018-03-12 15:07:25 IPsec SA #137 will be replaced after 2963 seconds
2018-03-12 15:07:25 Client L2L remote network setting is 10.3.3.3/32
2018-03-12 15:07:25 Start IKE Quick Mode to 10.1.1.1
2018-03-12 15:07:25 ISAKMP SA established with 10.1.1.1. In/Out Index: 0/-2
2018-03-12 15:07:25 ISAKMP SA #136 will be replaced after 21544 seconds
2018-03-12 15:07:25 NAT-Traversal: Using draft-ietf-ipsec-nat-t-ike-02/03, no NAT detected
2018-03-12 15:07:25 Initiating IKE Main Mode to 10.1.1.1
2018-03-12 15:07:25 Dialing Node2 (VPN2) : 10.1.1.1


At the start of this log, VPN1 is already connected, and the VPN2 tunnel has been started. What appears to be happening is that when the VPN2 connection is established the VPN1 connection is then dropped, but as this is set to autodial and there is still a PC on our network that needs that connection it redials. VPN1 comes back up, VPN2 drops. We are not trying to use this to bond multiple connections, we really do need two separate IPSec tunnels to the same gateway at the same time. Each tunnel is mapped to a specific IP address at the remote end, and only allows connections to those specific IP addresses. The customer will not modify one of the connections so that it handles both addresses on their LAN on a single tunnel, and they claim that other customers use a similar setup with one tunnel per LAN IP for remotely supporting equipment at their site.

So back to the question ... is the Vigor not allowing two connections to the same remote gateway, or is the customer Cisco ASA dropping the connection?

Dan

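The pattern described in posts #2 and #3 (one profile comes UP, the other profile to the same gateway goes DOWN a few seconds later, then the autodial brings it back and the cycle repeats) is easy to misread from the Vigor's newest-first syslog view. The following Python script is an added example, not code from dansorion's posts or from DrayTek: it parses the log line formats visible in the extract above, puts the events in chronological order, pairs each DOWN with the UP of a different profile that preceded it, and reports the longest stretch during which both tunnels were actually up together. The sample log is constructed from the extract (same placeholder addresses); the 10-second pairing window and the `initially_up` hint for a tunnel already connected when the extract starts are assumptions for the demonstration.

```python
"""Rebuild the tunnel up/down timeline from a DrayTek Vigor L2L syslog extract
and measure how long two profiles to the same peer actually stayed up together."""
import re
from datetime import datetime

# Constructed sample, modelled on the log extract posted above (placeholder addresses),
# in the newest-first order the Vigor syslog view uses.
SAMPLE_LOG = """\
2018-03-12 15:07:40 IKE_RELEASE VPN : L2L Dial-out, Profile index = 2, Name = VPN2, ifno = 12
2018-03-12 15:07:40 [L2L][DOWN][IPSec][@2:VPN2]
2018-03-12 15:07:36 [L2L][UP][IPSec][@1:VPN1]
2018-03-12 15:07:36 sent QI2, IPsec SA established with 10.1.1.1. In/Out Index: 0/-1
2018-03-12 15:07:36 Client L2L remote network setting is 10.2.2.2/32
2018-03-12 15:07:36 ISAKMP SA established with 10.1.1.1. In/Out Index: 0/-1
2018-03-12 15:07:36 Dialing Node1 (VPN1) : 10.1.1.1
2018-03-12 15:07:27 IKE_RELEASE VPN : L2L Dial-out, Profile index = 1, Name = VPN1, ifno = 11
2018-03-12 15:07:27 [L2L][DOWN][IPSec][@1:VPN1]
2018-03-12 15:07:25 [L2L][UP][IPSec][@2:VPN2]
2018-03-12 15:07:25 sent QI2, IPsec SA established with 10.1.1.1. In/Out Index: 0/-2
2018-03-12 15:07:25 Client L2L remote network setting is 10.3.3.3/32
2018-03-12 15:07:25 ISAKMP SA established with 10.1.1.1. In/Out Index: 0/-2
2018-03-12 15:07:25 Dialing Node2 (VPN2) : 10.1.1.1
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
EVENT_RE = re.compile(r"\[L2L\]\[(?P<state>UP|DOWN)\]\[IPSec\]\[@(?P<idx>\d+):(?P<name>[^\]]+)\]")
PEER_RE = re.compile(r"IPsec SA established with (?P<peer>\d+(?:\.\d+){3})")
NET_RE = re.compile(r"Client L2L remote network setting is (?P<net>\S+)")


def _parse_lines(text):
    """Return (datetime, message) for each timestamped line, oldest first."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rows.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["msg"]))
    # The Vigor syslog page lists newest entries first; flip it if that is what we got.
    if len(rows) > 1 and rows[0][0] > rows[-1][0]:
        rows.reverse()
    return rows


def timeline(text):
    """Chronological list of tunnel events: dicts with ts, profile, state and, for UP
    events, the peer and remote selector reported by the IKE lines just before it."""
    events, peer, net = [], None, None
    for ts, msg in _parse_lines(text):
        if (m := PEER_RE.search(msg)):
            peer = m["peer"]
        elif (m := NET_RE.search(msg)):
            net = m["net"]
        elif (m := EVENT_RE.search(msg)):
            ev = {"ts": ts, "profile": m["name"], "state": m["state"]}
            if m["state"] == "UP":
                ev["peer"], ev["remote_net"] = peer, net
                peer = net = None  # consumed; do not leak into the next UP
            events.append(ev)
    return events


def find_displacements(events, window=10):
    """Triples (up_event, down_event, seconds): a different profile went DOWN within
    `window` seconds after one came UP, i.e. the 'one up, the other drops' pattern."""
    pairs, recent_ups = [], []
    for ev in events:
        if ev["state"] == "UP":
            recent_ups.append(ev)
            continue
        for up in recent_ups:
            gap = (ev["ts"] - up["ts"]).total_seconds()
            if up["profile"] != ev["profile"] and 0 <= gap <= window:
                pairs.append((up, ev, gap))
        recent_ups = [u for u in recent_ups if (ev["ts"] - u["ts"]).total_seconds() <= window]
    return pairs


def longest_overlap(events, initially_up=()):
    """Longest stretch (seconds) during which two or more profiles were UP at once.
    `initially_up` names profiles already connected before the extract begins."""
    up, best, since = set(initially_up), 0.0, None
    for ev in events:
        if ev["state"] == "UP":
            up.add(ev["profile"])
            if len(up) >= 2 and since is None:
                since = ev["ts"]
        else:
            up.discard(ev["profile"])
            if len(up) < 2 and since is not None:
                best = max(best, (ev["ts"] - since).total_seconds())
                since = None
    return best


if __name__ == "__main__":
    evs = timeline(SAMPLE_LOG)
    for up, down, gap in find_displacements(evs):
        print(f"{up['profile']} UP at {up['ts']:%H:%M:%S} ({up['remote_net']} via {up['peer']}) "
              f"-> {down['profile']} DOWN {gap:.0f}s later")
    print("longest time both tunnels were up:", longest_overlap(evs, initially_up={"VPN1"}), "s")
```

On the sample the script pairs VPN2's UP with VPN1's DOWN two seconds later and VPN1's UP with VPN2's DOWN four seconds later, and finds that both tunnels were never up together for more than four seconds. Running it over a longer export from both ends (the Vigor syslog and the ASA's IKE/IPsec debug) and comparing which side logs the DOWN first is a more objective way to answer the "who is dropping it" question than eyeballing the web log.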

12 Mar 2018 16:16 #3 by dansorion
I've also tried adding the second remote LAN IP to the More section in the TCP/IP settings, both with and without the option to create a new SA for each. On the first connection both tunnels appear to come up, but a few seconds later the first one drops and only the second one remains.

At the Cisco ASA end the tunnel requires that the Local Network IP and Netmask are identical, as these are used as part of initial ACL checks at the Cisco end before it will look up the IPSec configuration and create the tunnel, so we can't even adjust these so that the Vigor sees the tunnels as having different settings at both ends.

Dan
