CHR 6.44.3 IPSEC sa-src problem

Posted: Wed Jun 19, 2019 11:43 am
by LarsF
Hello,

I have an odd problem with IPSEC tunnels on CHR - ROS 6.44.3

Having a larger number (80+) CHR in operation, this is the only one I have encountered it on. Hoping that someone has experienced a similar issue, or has input.

Configuration details:
Router is using BGP with underlying transport network, announcing a public range of IPs.
Public range/IPs are used for NAT of any and all outgoing traffic, except RFC1918 ranges.
Configuration is tested and working on above 80 routers.
Current configuration is working, but seems buggy / random.

Problem:
On this particular router, when configuring IPSEC tunnels, if SA-SRC-ADDRESS is defined, it won't work (phase-2 will fail); however, if you let ROS pick a SA-SRC-ADDRESS, it works. Problem is that it will randomly choose between a public and private address configured on the router. This causes an issue because we're using an underlying BGP transport network with private addresses, and the router chooses this as the SA-SRC.

The configuration is actually working; my concern is that I don't know why. On previous versions the router would always choose the public IP used for NAT as the SA-SRC-ADDRESS if chosen automatically, and if this IP was configured it would work just fine.

Any ideas? :)

Sincerely - Lars
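For readers comparing against their own setup, here is an added RouterOS 6.44-style configuration that pins the IPsec SA source to the public address and keeps IPsec traffic out of the source NAT rule. It is example configuration written for this thread, not LarsF's configuration; every address, interface name, peer name and the pre-shared key are hypothetical placeholders. Two points are worth checking on a router that behaves as described in the post: since 6.44 the peer has its own `local-address`, and the policy's `sa-src-address` must agree with it; and the `srcnat` accept rule for `ipsec-policy=out,ipsec` must sit before the general src-nat rule, otherwise the packet is rewritten before the policy selectors are matched and phase 2 fails. Whether either of those is the cause on the router in the post is not something the post establishes.

```routeros
# Added example configuration, not from the original post.
# All addresses, names and the secret are hypothetical placeholders.

# Public address announced over BGP; used as NAT source and IPsec SA source
# (placed on a loopback bridge so it is always up regardless of transport links)
/interface bridge add name=loopback
/ip address add address=203.0.113.1/32 interface=loopback

# RFC1918 ranges that must never be source-NATed
/ip firewall address-list
add list=rfc1918 address=10.0.0.0/8
add list=rfc1918 address=172.16.0.0/12
add list=rfc1918 address=192.168.0.0/16

# srcnat: accept (do not NAT) anything that matches an outbound IPsec policy,
# and only then apply the general src-nat rule for non-RFC1918 destinations.
/ip firewall nat
add chain=srcnat ipsec-policy=out,ipsec action=accept comment="bypass NAT for IPsec"
add chain=srcnat dst-address-list=!rfc1918 action=src-nat to-addresses=203.0.113.1

# Phase 1: peer pinned to the public address via local-address (6.44 peer/identity split)
/ip ipsec profile add name=site-b dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec peer add name=site-b address=198.51.100.2/32 local-address=203.0.113.1 exchange-mode=ike2 profile=site-b
/ip ipsec identity add peer=site-b auth-method=pre-shared-key secret="REPLACE-WITH-YOUR-PSK"

# Phase 2: sa-src-address on the policy must match the peer's local-address
/ip ipsec proposal add name=site-b enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/ip ipsec policy add peer=site-b tunnel=yes src-address=10.10.0.0/24 dst-address=10.20.0.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.2 proposal=site-b

# Verification: the installed SAs and active peer should show 203.0.113.1 as the
# local side, never an address from the private BGP transport network.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print detail
```

If `active-peers` shows a transport-network address as the local side even with `local-address` set, the next thing to look at is the routing table: the SA source is only usable if the router has a route to the peer whose source selection does not override it, so `/ip route print detail` for the peer's address is the check to run alongside the IPsec prints above.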