04-22-2021 10:37 AM
Hub and Spoke topology with multiple IPsec tunnels going from the Hub to remote spokes for centralized licensing of software. 3 active tunnels, all with identical configurations, minus unique source/destination/authentication combos. A 4th area has the same configuration as the 3 active ones, again with just the unique combinations.
When debugging ike all at the Hub, I keep receiving 'Duplicate ISAKMP message received' errors, killing the SA and starting the negotiation over again. The Hub shows 2 IKE SAs constructing during this process, then they die and start over.
The spoke shows no error when debugging ike all but fails to negotiate an SA.
Here is the meat and potatoes of the IKE/IPsec configuration at the HUB:
ikev2 retry-count 15
ikev2 exchange-max-time 45
ikev2 retransmit-interval 15
ikev2 limit max-in-negotiation-sa 256
ikev2 limit max-sa 200
ikev2 nat disable
!
!
ikev2 auth-proposal A
pre-shared-key A
!
ikev2 auth-proposal B
pre-shared-key 2 B
!
ikev2 auth-proposal C
pre-shared-key 2 C
!
ikev2 auth-proposal D
pre-shared-key 2 D
!
ikev2 auth-proposal E
pre-shared-key 2 E
!
ikev2 auth-proposal F
pre-shared-key 2 F
!
ikev2 auth-proposal G
pre-shared-key 2 G
!
ikev2 auth-proposal H
pre-shared-key 2 H
!
ikev2 profile A
authentication A
lifetime 240
local-identifier address xx.xx.109.2
remote-identifier address xx.xx.109.1
match-identity local address xx.xx.109.2
match-identity remote address xx.xx.109.1
!
ikev2 profile B
authentication B
lifetime 240
local-identifier address xx.xx.109.17
remote-identifier address xx.xx.109.18
match-identity local address xx.xx.109.17
match-identity remote address xx.xx.109.18
!
ikev2 profile C
authentication C
lifetime 240
local-identifier address xx.xx.109.5
remote-identifier address xx.xx.109.6
match-identity local address xx.xx.109.5
match-identity remote address xx.xx.109.6
!
ikev2 profile D
authentication D
lifetime 240
local-identifier address xx.xx.109.29
remote-identifier address xx.xx.109.30
match-identity local address xx.xx.109.29
match-identity remote address xx.xx.109.30
!
ikev2 profile E
authentication E
lifetime 240
local-identifier address xx.xx.109.33
remote-identifier address xx.xx.109.34
match-identity local address xx.xx.109.33
match-identity remote address xx.xx.109.34
!
ikev2 profile F
authentication F
lifetime 240
local-identifier address xx.xx.109.37
remote-identifier address xx.xx.109.38
match-identity local address xx.xx.109.37
match-identity remote address xx.xx.109.38
!
ikev2 profile G
authentication G
lifetime 240
local-identifier address xx.xx.109.41
remote-identifier address xx.xx.109.42
match-identity local address xx.xx.109.41
match-identity remote address xx.xx.109.42
!
ikev2 profile H
authentication H
lifetime 240
local-identifier address xx.xx.109.45
remote-identifier address xx.xx.109.46
match-identity local address xx.xx.109.45
match-identity remote address xx.xx.109.46
!
ipsec profile A
ike-profile A
!
ipsec profile B
ike-profile B
!
ipsec profile C
ike-profile C
!
ipsec profile D
ike-profile D
!
ipsec profile E
ike-profile E
!
ipsec profile F
ike-profile F
!
ipsec profile G
ike-profile G
!
ipsec profile H
ike-profile H
!
interface tunnel A
port-name A
tunnel mode ipsec ipv4
tunnel protection ipsec profile A
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.2
disable
bandwidth 1000000
ip address xx.xx.109.2 255.255.255.252
ip mtu 1425
!
interface tunnel 1
port-name B
tunnel mode ipsec ipv4
tunnel protection ipsec profile B
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.18
bandwidth 1000000
ip address xx.xx.109.17 255.255.255.252
ip mtu 1425
!
!
interface tunnel 2
port-name C
tunnel mode ipsec ipv4
tunnel protection ipsec profile C
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.6
bandwidth 1000000
ip address xx.xx.109.5 255.255.255.252
ip mtu 1425
!
!
interface tunnel 3
port-name D
tunnel mode ipsec ipv4
tunnel protection ipsec profile D
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.30
disable
bandwidth 1000000
ip address xx.xx.109.29 255.255.255.252
ip mtu 1425
!
!
interface tunnel 4
port-name E
tunnel mode ipsec ipv4
tunnel protection ipsec profile E
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.34
bandwidth 1000000
ip address xx.xx.109.33 255.255.255.252
ip mtu 1425
!
!
interface tunnel 6
port-name F
tunnel mode ipsec ipv4
tunnel protection ipsec profile F
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.38
bandwidth 1000000
ip address xx.xx.109.37 255.255.255.252
!
!
interface tunnel 7
port-name G
tunnel mode ipsec ipv4
tunnel protection ipsec profile G
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.42
disable
bandwidth 1000000
ip address xx.xx.109.41 255.255.255.252
ip mtu 1425
!
!
interface tunnel 8
port-name H
tunnel mode ipsec ipv4
tunnel protection ipsec profile H
tunnel source xx.xx.3.1
tunnel destination xx.xx.109.46
disable
bandwidth 1000000
ip address xx.xx.109.45 255.255.255.252
ip mtu 1425
!
!
04-22-2021 11:38 AM
Hi James,
Hope you are doing great.
I went through your configuration, and I saw some missing info.
As per our security guide, you are missing a VRF for each tunnel:
https://support.ruckuswireless.com/documents/2671-fastiron-08-0-90-ga-security-configuration-guide
Limitations
There are some limitations that impact the use of IPsec for creating secure tunnels.
The following limitations apply:
• Only one active ICX7400-SERVICE-MOD module is supported in a Ruckus ICX 7450 stack.
• Fragmentation is not supported when traffic is routed over an IPsec tunnel; a fragmented IPsec packet received on an IPv4 IPsec tunnel is dropped because IPsec packets are not re-assembled before decryption.
• GRE and IPsec encapsulation are not performed together for the same flow in the same device.
• When multiple IPsec tunnels are configured on the same device, each IPsec tunnel must have a unique tunnel source, destination, and VRF combination.
For each tunnel you need to configure a VRF. For example, in the tunnel 1 context:
vrf forwarding One (or whatever name you want to give the VRF)
Then steer traffic to the IP address via the tunnel:
ip route vrf One a.b.c.d/24 tunnel 1
Hope this helps.
Thanks
Hashim
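The uniqueness rule Hashim quotes (no two configured tunnels may share the same source, destination and VRF) can be checked mechanically before a change window. The script below is an added example, not code from this thread or from Ruckus: it parses FastIron-style "interface tunnel" blocks, reports tunnels that collide on the (source, destination, VRF) triple, and separately reports IPsec tunnels with no "ip mtu" line, since the guide says fragmented IPsec packets are dropped. The sample config is constructed with documentation addresses (192.0.2.x, 198.51.100.x); the "vrf forwarding <name>" form is taken from Hashim's reply, and the "default-vrf" label used for tunnels without one is an assumption of this script, not a device string.

```python
"""Added example, not from the thread or Ruckus: flag FastIron-style IPsec tunnel
interfaces that share a (source, destination, VRF) triple, and IPsec tunnels
with no explicit 'ip mtu'.  Best-effort line matcher, not a full config parser."""
import re
from collections import defaultdict

DEFAULT_VRF = "default-vrf"  # assumption: label for tunnels with no 'vrf forwarding'

# Constructed sample: tunnels 1 and 2 collide (same endpoints, default VRF);
# tunnel 3 reuses the endpoints but inside VRF "One", so it does not collide.
SAMPLE_CONFIG = """\
interface tunnel 1
 tunnel mode ipsec ipv4
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.18
 ip address 198.51.100.17 255.255.255.252
 ip mtu 1425
!
interface tunnel 2
 tunnel mode ipsec ipv4
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.18
 ip address 198.51.100.5 255.255.255.252
 ip mtu 1425
!
interface tunnel 3
 tunnel mode ipsec ipv4
 vrf forwarding One
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.18
 disable
 ip address 198.51.100.29 255.255.255.252
!
"""

_PATTERNS = {
    "source": re.compile(r"^tunnel source (\S+)$"),
    "destination": re.compile(r"^tunnel destination (\S+)$"),
    "vrf": re.compile(r"^vrf forwarding (\S+)$"),
    "mtu": re.compile(r"^ip mtu (\d+)$"),
    "mode": re.compile(r"^tunnel mode (.+)$"),
}


def parse_tunnels(config):
    """Return {tunnel_id: fields} for every 'interface tunnel <id>' block."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"^interface tunnel (\S+)$", line)
        if head:
            current = {"vrf": DEFAULT_VRF, "enabled": True, "mtu": None,
                       "mode": None, "source": None, "destination": None}
            tunnels[head.group(1)] = current
            continue
        if line == "!" or line.startswith("interface "):
            current = None  # a block ends at '!' or at the next interface
            continue
        if current is None:
            continue
        if line == "disable":
            current["enabled"] = False
            continue
        for field, pat in _PATTERNS.items():
            m = pat.match(line)
            if m:
                current[field] = int(m.group(1)) if field == "mtu" else m.group(1)
                break
    return tunnels


def find_conflicts(tunnels):
    """Groups of tunnel ids sharing (source, destination, vrf).  Disabled tunnels
    are included: the guide's rule is about configured tunnels, not active ones."""
    groups = defaultdict(list)
    for tid, t in tunnels.items():
        if t["source"] and t["destination"]:
            groups[(t["source"], t["destination"], t["vrf"])].append(tid)
    return sorted((key, sorted(ids)) for key, ids in groups.items() if len(ids) > 1)


def missing_mtu(tunnels):
    """IPsec tunnels with no 'ip mtu'; oversized packets would need fragmentation."""
    return sorted(tid for tid, t in tunnels.items()
                  if t["mode"] and t["mode"].startswith("ipsec") and t["mtu"] is None)


def report(config):
    tunnels = parse_tunnels(config)
    lines = [f"CONFLICT src={s} dst={d} vrf={v}: tunnels {', '.join(ids)}"
             for (s, d, v), ids in find_conflicts(tunnels)]
    lines += [f"NO-MTU tunnel {tid}: IPsec tunnel without 'ip mtu'"
              for tid in missing_mtu(tunnels)]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Feed it the output of "show running-config" saved to a file instead of SAMPLE_CONFIG to audit a real hub; on the hub config posted above, every tunnel shares the same source and the default VRF but each has a different destination, so the script would report no collision and only the tunnel with no "ip mtu" line.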
04-26-2021 12:03 PM
Thanks for that information. I will implement this change and see if there is a change with the duplicate ISAKMP. I read it as if, as long as the ENTIRE combination wasn't the same, then it was OK; meaning you could have the same sources, different destinations, and default VRFs.
04-25-2021 12:22 AM
Hi James,
If the issue persists, please open a support case so one of our engineers can look into this.
Thanks
Jijo