VPN duplicate ISAKMP message received ICX-7450

james_schena — Thu, 22 Apr 2021 17:37:12 GMT

Hub and Spoke topology with multiple IPSEC tunnels going from the Hub to remote spokes for centralized licensing of software. 3 active tunnels, all with identical configurations, minus unique source/destination/authentication combos. 4th area, has the same configurations as the 3 active, again with just the unique combinations.

When debugging ike all at the Hub, I keep receiving 'Duplicate ISAKMP message received' errors, killing the SA and starting the negotiation over again. The Hub shows 2 Ike SA's constructing during this process, then they die and start over.

The spoke shows no error when debugging ike all but fails to negotiate and SA.

Here is the meat and potatoes of the Ike/IPSEC configuration @ the HUB:

ikev2 retry-count 15
ikev2 exchange-max-time 45
ikev2 retransmit-interval 15
ikev2 limit max-in-negotiation-sa 256
ikev2 limit max-sa 200
ikev2 nat disable
!
!
ikev2 auth-proposal A
pre-shared-key A
!
ikev2 auth-proposal B
pre-shared-key 2 B
!
ikev2 auth-proposal C
pre-shared-key 2 C
!
ikev2 auth-proposal D
pre-shared-key 2 D
!
ikev2 auth-proposal E
pre-shared-key 2 E
!
ikev2 auth-proposal F

pre-shared-key 2 F
!
ikev2 auth-proposal G

pre-shared-key 2 G
!
ikev2 auth-proposal H
pre-shared-key 2 H

ikev2 profile A
authentication A
lifetime 240
local-identifier address xx.xx.109.2
remote-identifier address xx.xx.109.1
match-identity local address xx.xx.109.2
match-identity remote address xx.xx.109.1
!
ikev2 profile B
authentication B
lifetime 240
local-identifier address xx.xx.109.17
remote-identifier address xx.xx.109.18
match-identity local address xx.xx.109.17
match-identity remote address xx.xx.109.18
!
ikev2 profile C
authentication C
lifetime 240
local-identifier address xx.xx.109.5
remote-identifier address xx.xx.109.6
match-identity local address xx.xx.109.5
match-identity remote address xx.xx.109.6
!
ikev2 profile D
authentication D
lifetime 240
local-identifier address xx.xx.109.29
remote-identifier address xx.xx.109.30
match-identity local address xx.xx.109.29
match-identity remote address xx.xx.109.30
!
ikev2 profile E
authentication E
lifetime 240
local-identifier address xx.xx.109.33
remote-identifier address xx.xx.109.34
match-identity local address xx.xx.109.33
match-identity remote address xx.xx.109.34
!
ikev2 profile F
authentication F
lifetime 240
local-identifier address xx.xx.109.37
remote-identifier address xx.xx.109.38
match-identity local address xx.xx.109.37
match-identity remote address xx.xx.109.38
!
ikev2 profile G
authentication G
lifetime 240
local-identifier address xx.xx.109.41
remote-identifier address xx.xx.109.42
match-identity local address xx.xx.109.41
match-identity remote address xx.xx.109.42
!
ikev2 profile H
authentication H
lifetime 240
local-identifier address xx.xx.109.45
remote-identifier address xx.xx.109.46
match-identity local address xx.xx.109.45
match-identity remote address xx.xx.109.46

ipsec profile A
ike-profile A
!
ipsec profile B
ike-profile B
!
ipsec profile C
ike-profile C
!
ipsec profile D
ike-profile D
!
ipsec profile E
ike-profile E
!
ipsec profile F
ike-profile F
!
ipsec profile G
ike-profile G
!
ipsec profile H
ike-profile H

interface tunnel A
port-name A
tunnel mode ipsec ipv4
tunnel protection ipsec profile A
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.2
disable
bandwidth 1000000
ip address xx.xx.109.2 255.255.255.252
ip mtu 1425

interface tunnel 1
port-name B
tunnel mode ipsec ipv4
tunnel protection ipsec profile B
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.18
bandwidth 1000000
ip address xx.xx.109.17 255.255.255.252
ip mtu 1425
!
!
interface tunnel 2
port-name C
tunnel mode ipsec ipv4
tunnel protection ipsec profile C
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.6
bandwidth 1000000
ip address xx.xx.109.5 255.255.255.252
ip mtu 1425
!
!
interface tunnel 3
port-name D
tunnel mode ipsec ipv4
tunnel protection ipsec profile D
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.30
disable
bandwidth 1000000
ip address xx.xx.109.29 255.255.255.252
ip mtu 1425
!
!
interface tunnel 4
port-name E
tunnel mode ipsec ipv4
tunnel protection ipsec profile E
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.34
bandwidth 1000000
ip address xx.xx.109.33 255.255.255.252
ip mtu 1425
!
!
interface tunnel 6
port-name F
tunnel mode ipsec ipv4
tunnel protection ipsec profile F
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.38
bandwidth 1000000
ip address xx.xx.109.37 255.255.255.252
!
!
interface tunnel 7
port-name G
tunnel mode ipsec ipv4
tunnel protection ipsec profile G
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.42
disable
bandwidth 1000000
ip address xx.xx.109.41 255.255.255.252
ip mtu 1425
!
!
interface tunnel 8
port-name H
tunnel mode ipsec ipv4
tunnel protection ipsec profile H
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.46
disable
bandwidth 1000000
ip address xx.xx.109.45 255.255.255.252
ip mtu 1425
!
!

Re: VPN duplicate ISAKMP message received ICX-7450

hashim_bharooc1 — Thu, 22 Apr 2021 18:38:30 GMT

Hi James,

Hope you are doing great.

I went thru your configuration, i saw some missing info.

As per our Security guide you are missing VRF for each tunnel.

https://support.ruckuswireless.com/documents/2671-fastiron-08-0-90-ga-security-configuration-guide

Limitations
There are some limitations that impact the use of IPsec for creating secure tunnels.
The following limitations apply:
• Only one active ICX7400-SERVICE-MOD module is supported in a Ruckus ICX 7450 stack.
• Fragmentation is not supported when traffic is routed over an IPSec tunnel; a fragmented IPsec packet received on an
IPv4 IPsec tunnel is dropped because IPsec packets are not re-assembled before decryption.
• GRE and IPsec encapsulation are not performed together for the same flow in the same device.
• When multiple IPSec tunnels are configured on the same device, each IPsec tunnel must have a unique tunnel source, destination, and VRF combination.

For each tunnel you need to configure a vrf, for example tunnel 1 context:

vrf forwarding One (or whatever name you want to give the VRF)

Then steer traffic to the ip address via the tunnel:

ip route vrf One a.b.c.d/24 tunnel 1

Hope this helps.

Thanks

Hashim

Re: VPN duplicate ISAKMP message received ICX-7450

jijo_panangat — Sun, 25 Apr 2021 07:22:54 GMT

Hi James,

If the issue persist, Pls open a support case so one of our engineers can look into this.

Thanks

Jijo

Re: VPN duplicate ISAKMP message received ICX-7450

james_schena — Mon, 26 Apr 2021 19:03:40 GMT

@hashim_bharoocha

Thanks for that information. I will implement this change and see if there is a change with the duplicate ISAKMP. I read it that as if as long as the ENTIRE combination wasn't the same then it was ok; meaning you could have the same sources, different destinations, default vrfs.

topic Re: VPN duplicate ISAKMP message received ICX-7450 in ICX Switches

VPN duplicate ISAKMP message received ICX-7450

Re: VPN duplicate ISAKMP message received ICX-7450

Re: VPN duplicate ISAKMP message received ICX-7450

Re: VPN duplicate ISAKMP message received ICX-7450