Hub-and-spoke topology with multiple IPsec tunnels going from the hub to remote spokes for centralized licensing of software. 3 active tunnels, all with identical configurations, minus unique source/destination/authentication combos. A 4th area has the same configuration as the 3 active ones, again with just the unique combinations.
When running 'debug ike all' at the hub, I keep receiving 'Duplicate ISAKMP message received' errors, killing the SA and starting the negotiation over again. The hub shows 2 IKE SAs constructing during this process, then they die and start over.
The spoke shows no error when running 'debug ike all' but fails to negotiate an SA.
Here is the meat and potatoes of the IKE/IPsec configuration @ the hub:
ikev2 retry-count 15
ikev2 exchange-max-time 45
ikev2 retransmit-interval 15
ikev2 limit max-in-negotiation-sa 256
ikev2 limit max-sa 200
ikev2 nat disable
!
!
ikev2 auth-proposal A
 pre-shared-key A
!
ikev2 auth-proposal B
 pre-shared-key 2 B
!
ikev2 auth-proposal C
 pre-shared-key 2 C
!
ikev2 auth-proposal D
 pre-shared-key 2 D
!
ikev2 auth-proposal E
 pre-shared-key 2 E
!
ikev2 auth-proposal F
 pre-shared-key 2 F
!
ikev2 auth-proposal G
 pre-shared-key 2 G
!
ikev2 auth-proposal H
 pre-shared-key 2 H
!
ikev2 profile A
 authentication A
 lifetime 240
 local-identifier address xx.xx.109.2
 remote-identifier address xx.xx.109.1
 match-identity local address xx.xx.109.2
 match-identity remote address xx.xx.109.1
!
ikev2 profile B
 authentication B
 lifetime 240
 local-identifier address xx.xx.109.17
 remote-identifier address xx.xx.109.18
 match-identity local address xx.xx.109.17
 match-identity remote address xx.xx.109.18
!
ikev2 profile C
 authentication C
 lifetime 240
 local-identifier address xx.xx.109.5
 remote-identifier address xx.xx.109.6
 match-identity local address xx.xx.109.5
 match-identity remote address xx.xx.109.6
!
ikev2 profile D
 authentication D
 lifetime 240
 local-identifier address xx.xx.109.29
 remote-identifier address xx.xx.109.30
 match-identity local address xx.xx.109.29
 match-identity remote address xx.xx.109.30
!
ikev2 profile E
 authentication E
 lifetime 240
 local-identifier address xx.xx.109.33
 remote-identifier address xx.xx.109.34
 match-identity local address xx.xx.109.33
 match-identity remote address xx.xx.109.34
!
ikev2 profile F
 authentication F
 lifetime 240
 local-identifier address xx.xx.109.37
 remote-identifier address xx.xx.109.38
 match-identity local address xx.xx.109.37
 match-identity remote address xx.xx.109.38
!
ikev2 profile G
 authentication G
 lifetime 240
 local-identifier address xx.xx.109.41
 remote-identifier address xx.xx.109.42
 match-identity local address xx.xx.109.41
 match-identity remote address xx.xx.109.42
!
ikev2 profile H
 authentication H
 lifetime 240
 local-identifier address xx.xx.109.45
 remote-identifier address xx.xx.109.46
 match-identity local address xx.xx.109.45
 match-identity remote address xx.xx.109.46
!
ipsec profile A
 ike-profile A
!
ipsec profile B
 ike-profile B
!
ipsec profile C
 ike-profile C
!
ipsec profile D
 ike-profile D
!
ipsec profile E
 ike-profile E
!
ipsec profile F
 ike-profile F
!
ipsec profile G
 ike-profile G
!
ipsec profile H
 ike-profile H
!
interface tunnel A
 port-name A
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile A
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.2
 disable
 bandwidth 1000000
 ip address xx.xx.109.2 255.255.255.252
 ip mtu 1425
!
interface tunnel 1
 port-name B
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile B
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.18
 bandwidth 1000000
 ip address xx.xx.109.17 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 2
 port-name C
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile C
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.6
 bandwidth 1000000
 ip address xx.xx.109.5 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 3
 port-name D
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile D
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.30
 disable
 bandwidth 1000000
 ip address xx.xx.109.29 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 4
 port-name E
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile E
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.34
 bandwidth 1000000
 ip address xx.xx.109.33 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 6
 port-name F
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile F
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.38
 bandwidth 1000000
 ip address xx.xx.109.37 255.255.255.252
!
!
interface tunnel 7
 port-name G
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile G
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.42
 disable
 bandwidth 1000000
 ip address xx.xx.109.41 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 8
 port-name H
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile H
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.46
 disable
 bandwidth 1000000
 ip address xx.xx.109.45 255.255.255.252
 ip mtu 1425
!
!
Limitations

There are some limitations that impact the use of IPsec for creating secure tunnels. The following limitations apply:

• Only one active ICX7400-SERVICE-MOD module is supported in a Ruckus ICX 7450 stack.
• Fragmentation is not supported when traffic is routed over an IPsec tunnel; a fragmented IPsec packet received on an IPv4 IPsec tunnel is dropped because IPsec packets are not reassembled before decryption.
• GRE and IPsec encapsulation are not performed together for the same flow in the same device.
• When multiple IPsec tunnels are configured on the same device, each IPsec tunnel must have a unique tunnel source, destination, and VRF combination.

For each tunnel you need to configure a VRF, for example in the tunnel 1 context:

vrf forwarding One (or whatever name you want to give the VRF)

Then steer traffic to the IP address via the tunnel:
Thanks for that information. I will implement this change and see if there is a change with the duplicate ISAKMP. I read it as if, as long as the ENTIRE combination wasn't the same, then it was OK; meaning you could have the same sources, different destinations, and default VRFs.
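Added example, not part of the thread and not Ruckus code: a small Python checker that parses a running config in the shape posted above and reports every pair of tunnels sharing a tunnel source / tunnel destination / VRF combination, which is the limitation quoted in the answer. It also cross-checks, as an assumption drawn only from the pattern the posted config itself follows, that each IKEv2 profile's local-identifier equals its tunnel's ip address and its remote-identifier equals the tunnel destination. The embedded sample config is constructed (RFC 5737 addresses), not the poster's.

```python
"""Added example (not Ruckus code and not the poster's config): check an
ICX-style running config for IPsec tunnels that share a tunnel source /
tunnel destination / VRF combination, and cross-check IKEv2 identities."""
from collections import defaultdict

# Constructed sample in the shape of the posted config (RFC 5737 addresses).
# tunnel 1 and tunnel 2 share source and destination in the default VRF: a
# collision, and 'disable' on tunnel 2 does not change that. tunnel 3 is the
# same pairing moved into VRF lic3, which satisfies the quoted limitation.
# Profile C deliberately carries a wrong remote-identifier.
SAMPLE_CONFIG = """\
ikev2 profile B
 local-identifier address 192.0.2.17
 remote-identifier address 192.0.2.18
ikev2 profile C
 local-identifier address 192.0.2.5
 remote-identifier address 192.0.2.99
ipsec profile B
 ike-profile B
ipsec profile C
 ike-profile C
interface tunnel 1
 tunnel protection ipsec profile B
 tunnel source 198.51.100.1
 tunnel destination 192.0.2.18
 ip address 192.0.2.17 255.255.255.252
interface tunnel 2
 tunnel protection ipsec profile C
 tunnel source 198.51.100.1
 tunnel destination 192.0.2.18
 disable
 ip address 192.0.2.5 255.255.255.252
interface tunnel 3
 vrf forwarding lic3
 tunnel protection ipsec profile C
 tunnel source 198.51.100.1
 tunnel destination 192.0.2.18
 ip address 192.0.2.5 255.255.255.252
"""

def parse_blocks(text):
    """ICX config shape: a non-indented line opens a block, indented lines belong
    to it and '!' (present in show run output) closes it. Returns (header words, sub-lines)."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur = None
        elif raw[0].isspace() and cur is not None:
            cur[1].append(line)
        elif not raw[0].isspace():
            cur = (line.split(), [])
            blocks.append(cur)
    return blocks

def field(lines, prefix):
    """Value following `prefix` in a block's sub-lines, or None if absent."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix + " ")), None)

def parse_config(text):
    """Return (ikev2 profile -> (local id, remote id), ipsec profile -> ikev2 profile, tunnels)."""
    ike, ipsec, tunnels = {}, {}, {}
    for words, lines in parse_blocks(text):
        kind, name = " ".join(words[:2]), (words[2] if len(words) > 2 else "")
        if kind == "ikev2 profile":
            ike[name] = (field(lines, "local-identifier address"),
                         field(lines, "remote-identifier address"))
        elif kind == "ipsec profile":
            ipsec[name] = field(lines, "ike-profile")
        elif kind == "interface tunnel":
            ip = field(lines, "ip address")
            tunnels["tunnel " + name] = {
                "source": field(lines, "tunnel source"),
                "destination": field(lines, "tunnel destination"),
                "vrf": field(lines, "vrf forwarding") or "default",   # no VRF = default VRF
                "ipsec": field(lines, "tunnel protection ipsec profile"),
                "ip": ip.split()[0] if ip else None}
    return ike, ipsec, tunnels

def tunnel_key_collisions(tunnels):
    """{(source, destination, vrf): [tunnel names]} for every combination used by
    more than one tunnel. Disabled tunnels count: the limitation is about what is configured."""
    by_key = defaultdict(list)
    for name, t in tunnels.items():
        by_key[(t["source"], t["destination"], t["vrf"])].append(name)
    return {k: v for k, v in by_key.items() if len(v) > 1}

def identity_mismatches(ike, ipsec, tunnels):
    """Assumption drawn from the posted config's own pattern: local-identifier is the
    tunnel's ip address, remote-identifier is the tunnel destination. Returns deviations."""
    out = []
    for name, t in tunnels.items():
        local_id, remote_id = ike.get(ipsec.get(t["ipsec"]), (None, None))
        for label, got, want in (("local-identifier", local_id, t["ip"]),
                                 ("remote-identifier", remote_id, t["destination"])):
            if got != want:
                out.append((name, label, got, want))
    return out
```

Feed it a saved show run instead of SAMPLE_CONFIG. A pairing that is reused only inside a distinct VRF comes back clean, while a disabled tunnel still participates in the collision check, so the disabled 4th-area tunnels in the posted config are in scope.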