Hub and Spoke topology with multiple IPSEC tunnels going from the Hub to remote spokes for centralized licensing of software. 3 active tunnels, all with identical configurations, minus unique source/destination/authentication combos. The 4th area has the same configurations as the 3 active, again with just the unique combinations.
When debugging ike all at the Hub, I keep receiving 'Duplicate ISAKMP message received' errors, killing the SA and starting the negotiation over again. The Hub shows 2 IKE SAs constructing during this process, then they die and start over.
The spoke shows no error when debugging ike all but fails to negotiate an SA.
Here is the meat and potatoes of the IKE/IPSEC configuration @ the HUB:
ikev2 retry-count 15
ikev2 exchange-max-time 45
ikev2 retransmit-interval 15
ikev2 limit max-in-negotiation-sa 256
ikev2 limit max-sa 200
ikev2 nat disable
!
!
ikev2 auth-proposal A
 pre-shared-key A
!
ikev2 auth-proposal B
 pre-shared-key 2 B
!
ikev2 auth-proposal C
 pre-shared-key 2 C
!
ikev2 auth-proposal D
 pre-shared-key 2 D
!
ikev2 auth-proposal E
 pre-shared-key 2 E
!
ikev2 auth-proposal F
 pre-shared-key 2 F
!
ikev2 auth-proposal G
 pre-shared-key 2 G
!
ikev2 auth-proposal H
 pre-shared-key 2 H

ikev2 profile A
 authentication A
 lifetime 240
 local-identifier address xx.xx.109.2
 remote-identifier address xx.xx.109.1
 match-identity local address xx.xx.109.2
 match-identity remote address xx.xx.109.1
!
ikev2 profile B
 authentication B
 lifetime 240
 local-identifier address xx.xx.109.17
 remote-identifier address xx.xx.109.18
 match-identity local address xx.xx.109.17
 match-identity remote address xx.xx.109.18
!
ikev2 profile C
 authentication C
 lifetime 240
 local-identifier address xx.xx.109.5
 remote-identifier address xx.xx.109.6
 match-identity local address xx.xx.109.5
 match-identity remote address xx.xx.109.6
!
ikev2 profile D
 authentication D
 lifetime 240
 local-identifier address xx.xx.109.29
 remote-identifier address xx.xx.109.30
 match-identity local address xx.xx.109.29
 match-identity remote address xx.xx.109.30
!
ikev2 profile E
 authentication E
 lifetime 240
 local-identifier address xx.xx.109.33
 remote-identifier address xx.xx.109.34
 match-identity local address xx.xx.109.33
 match-identity remote address xx.xx.109.34
!
ikev2 profile F
 authentication F
 lifetime 240
 local-identifier address xx.xx.109.37
 remote-identifier address xx.xx.109.38
 match-identity local address xx.xx.109.37
 match-identity remote address xx.xx.109.38
!
ikev2 profile G
 authentication G
 lifetime 240
 local-identifier address xx.xx.109.41
 remote-identifier address xx.xx.109.42
 match-identity local address xx.xx.109.41
 match-identity remote address xx.xx.109.42
!
ikev2 profile H
 authentication H
 lifetime 240
 local-identifier address xx.xx.109.45
 remote-identifier address xx.xx.109.46
 match-identity local address xx.xx.109.45
 match-identity remote address xx.xx.109.46

ipsec profile A
 ike-profile A
!
ipsec profile B
 ike-profile B
!
ipsec profile C
 ike-profile C
!
ipsec profile D
 ike-profile D
!
ipsec profile E
 ike-profile E
!
ipsec profile F
 ike-profile F
!
ipsec profile G
 ike-profile G
!
ipsec profile H
 ike-profile H

interface tunnel A
 port-name A
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile A
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.2
 disable
 bandwidth 1000000
 ip address xx.xx.109.2 255.255.255.252
 ip mtu 1425

interface tunnel 1
 port-name B
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile B
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.18
 bandwidth 1000000
 ip address xx.xx.109.17 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 2
 port-name C
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile C
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.6
 bandwidth 1000000
 ip address xx.xx.109.5 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 3
 port-name D
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile D
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.30
 disable
 bandwidth 1000000
 ip address xx.xx.109.29 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 4
 port-name E
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile E
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.34
 bandwidth 1000000
 ip address xx.xx.109.33 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 6
 port-name F
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile F
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.38
 bandwidth 1000000
 ip address xx.xx.109.37 255.255.255.252
!
!
interface tunnel 7
 port-name G
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile G
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.42
 disable
 bandwidth 1000000
 ip address xx.xx.109.41 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 8
 port-name H
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile H
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.46
 disable
 bandwidth 1000000
 ip address xx.xx.109.45 255.255.255.252
 ip mtu 1425
!
!
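
Added example, not part of the original post: a Python consistency check that follows each tunnel interface through its ipsec profile to the bound ikev2 profile and compares the tunnel destination with the profile's remote-identifier address. It assumes a config written one command per line with indented sub-commands, that those two addresses are meant to match (the pattern tunnels 1 through 8 above follow), and that every tunnel is expected to carry an ip mtu line; the sample config and its 192.0.2.x addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the hub config's layout; 192.0.2.x are placeholder addresses.
SAMPLE = """\
ikev2 profile A
 remote-identifier address 192.0.2.1
!
ikev2 profile B
 remote-identifier address 192.0.2.18
ipsec profile A
 ike-profile A
ipsec profile B
 ike-profile B
interface tunnel 0
 tunnel protection ipsec profile A
 tunnel destination 192.0.2.2
interface tunnel 1
 tunnel protection ipsec profile B
 tunnel destination 192.0.2.18
 ip mtu 1425
"""
HEADER = re.compile(r"(ikev2 profile|ipsec profile|interface tunnel) (\S+)\s*$")

def parse(text):
    # Returns {stanza kind: {name: [indented sub-commands]}}.
    cur, stanzas = None, {"ikev2 profile": {}, "ipsec profile": {}, "interface tunnel": {}}
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m or not raw[:1].isspace():
            # A header opens a stanza; "!" or any other top-level line closes it.
            cur = stanzas[m[1]].setdefault(m[2], []) if m else None
        elif cur is not None:
            cur.append(raw.strip())
    return stanzas

def value(lines, prefix):
    # First token after `prefix`, or None when the command is absent.
    return next((l[len(prefix):].split()[0] for l in lines if l.startswith(prefix)), None)

def lint(text):
    # Follow tunnel -> ipsec profile -> ike-profile and report mismatches.
    s, out = parse(text), []
    for name, cmds in s["interface tunnel"].items():
        ipsec = value(cmds, "tunnel protection ipsec profile ")
        ike = value(s["ipsec profile"].get(ipsec, []), "ike-profile ")
        prof = s["ikev2 profile"].get(ike, [])
        if value(cmds, "tunnel destination ") != value(prof, "remote-identifier address "):
            out.append((name, "tunnel destination != remote-identifier"))
        if value(cmds, "ip mtu ") is None:
            out.append((name, "no ip mtu set"))
    return out
```

Running lint() over the same stanzas from the spoke side gives the mirror view, which is useful when only one end logs an error.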