2 polices for one peer in ip ipsec with Cisco

hi, all

I have one ip ipsec peer and 2 policy.

ip ipsec peer print
Flags: X - disabled
0 address=1.2.3.4/32:500 auth-method=pre-shared-key secret=“PreKey” generate-policy=no
exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1h lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=10.10.10.0/24:any dst-address=192.168.0.0/24:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=1.2.3.4 proposal=default priority=0

1 src-address=10.10.10.0/24:any dst-address=172.16.0.0/24:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=1.2.3.4 proposal=default priority=0


On other side I have Cisco router (with dynamic vpn).

The problem:

• if ipsec connection with remote-peer is not started and I make ping 192.168.0.1 src-address=10.10.10.1 - the tunnel is up but is only for 192.168.0.0/24 direction
• if ipsec connection with remote-peer is not started and I make ping 172.16.0.1 src-address=10.10.10.1 - the tunnel is up but is only for 172.16.0.0/24 direction
  It depend that packet (with destination ip) was first.

I need working 2 polices in same time?

Please help

additional info:
From MikroTik
[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled
0 address=1.2.3.4/32:500 auth-method=pre-shared-key secret=“PreKey” generate-policy=no
exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des dh-group=modp1024 lifetime=1h lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

[admin@MikroTik] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=10.10.10.0/24:any dst-address=192.168.0.0/24:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=1.2.3.4 proposal=default priority=0

1 src-address=10.10.10.0/24:any dst-address=172.16.0.0/24:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=1.2.3.4 proposal=default priority=0

[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled
0 name=“default” auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=10.10.10.0/24 dst-address=172.16.0.0/24
1 chain=srcnat action=accept src-address=10.10.10.0/24 dst-address=192.168.0.0/24 src-address-list=“”
2 chain=srcnat action=masquerade

[admin@MikroTik] > ping 172.16.0.1 src-address=10.10.10.1
172.16.0.1 64 byte ping: ttl=121 time=98 ms
172.16.0.1 64 byte ping: ttl=121 time=98 ms
172.16.0.1 64 byte ping: ttl=121 time=98 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 98/98.0/98 ms

[admin@MikroTik] > ping 192.168.0.1 src-address=10.10.10.1
192.168.0.1 ping timeout
192.168.0.1 ping timeout
192.168.0.1 ping timeout
4 packets transmitted, 0 packets received, 100% packet loss

[admin@MikroTik] > ip ipsec installed-sa flush sa-type=all

[admin@MikroTik] > ping 192.168.0.1 src-address=10.10.10.1
192.168.0.1 64 byte ping: ttl=255 time=19 ms
192.168.0.1 64 byte ping: ttl=255 time=20 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 19/19.5/20 ms

[admin@MikroTik] > ping 172.16.0.1 src-address=10.10.10.1
172.16.0.1 ping timeout
172.16.0.1 ping timeout
172.16.0.1 ping timeout
172.16.0.1 ping timeout
5 packets transmitted, 0 packets received, 100% packet loss


After “ip ipsec installed-sa flush” which ping was first, that ipsec flow tunnel work


On Cisco router I have:

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 1.2.3.5 port 500
IKE SA: local 1.2.3.4/500 remote 1.2.3.5/500 Active
IPSEC FLOW: permit ip 172.16.0.0/255.255.255.0 10.10.10.0/255.255.255.0
Active SAs: 2, origin: dynamic crypto map
IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 10.10.10.0/255.255.255.0
Active SAs: 2, origin: dynamic crypto map

Try this:

/ip ipsec policy set 0 level=unique
/ip ipsec policy set 1 level=unique

Whenever you have multiple policies with a Cisco device you need to set your policy level to unique.

Whenever you have multiple policies with a Cisco device you need to set your policy level to unique.

Can you explain why this is?

Thanks,

-Rob

When dealling with multiple remote subnets, Cisco handles them differently (a separate SA per subnet pair) and other vendors are required to accomodate. Therefore, with Mikrotik you need to change the level under /ip ipsec policy to ‘unique’.