
SRP547W Multiple IPSec policies through single IKE policy

matthew.cameron
Level 1

I am trying to create a VPN between an SRP547W and a Cisco IOS router, in this case a UC540. I am running firmware 1.2.4 (003) Jan 11 2012.

Now I can do this with an SRP527W and many other routers successfully, including other IOS routers (1801, 1941, etc.).

The issue I have is that on the SRP547W I cannot create more than one IPSec policy through a single IKE policy. I require this to route multiple VLANs to our remote site.

When I try to add an additional IPSec policy I am given the error "IKE policy has been used by other IPSec policy".

This is possible to do on the SRP527W with latest firmware. I have tried rolling back to earlier firmware but instead I am given an error about overlap.

The latest release note for this firmware suggests this issue was already resolved.

Any help much appreciated.

7 Replies

weslsmit
Level 1

Hello Matthew,

Sorry to hear you are having difficulty.

I was able to test this on firmware 1.02.01 and get the overlap error that you mention. I resolved it by choosing "IP address & subnet mask" in the local selection field. When I used "IP Address" I received the same error unless I changed the IP address to something (other than the one used in the first policy) under the local traffic selection; then it allowed a successful submission. The remote traffic selector or IP address does not have any bearing on the error.

Are you using the same local IP address for each IPSec policy? If you are, try changing the local IP selector to IP+Subnet mask. Also, as a reminder, the number of IPSec policies is based on bandwidth limitations and most often no more than 2 site-to-site tunnels can connect at a single time.

Please let me know if this helps.

Best regards,

Wesley S.

Cisco SBSC

Hi Wesley,

This is not an option. I require the remote VLANs to be routable from the entire local VLAN. For example:

Remote VLANs:

10.0.0.0

10.0.2.0

10.0.3.0

Local VLANs:

10.20.1.0

10.20.2.0

Single IP addressing will only help with one device. There is clearly a bug in the firmware for the 547 as opposed to the 527.

Andrew Hickman
Cisco Employee

Hi Matthew,

The issue of not being able to reuse IKE policies is known and will be addressed in our next maintenance release.

As a workaround, have you tried creating a policy using a supernet of the required addresses?

i.e. local selection = 10.20.0.0 mask 255.255.252.0, remote 10.0.0.0 mask 255.255.252.0

This is not a perfect reflection of your requirement, but ought to be sufficient to get things working for you.

Regards,

Andy
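
Added example, not part of the original thread: a Python check of the supernet workaround described in the reply above, computing the covering network for each side and listing the address space the wider traffic selector also admits into the tunnel. The /24 masks are an assumption (the thread gives only network addresses), and the function names are hypothetical.

```python
import ipaddress

# VLAN networks from the thread; the /24 prefix length is an assumption.
REMOTE_VLANS = ["10.0.0.0/24", "10.0.2.0/24", "10.0.3.0/24"]
LOCAL_VLANS = ["10.20.1.0/24", "10.20.2.0/24"]


def covering_supernet(subnets):
    """Return the smallest single network that contains every listed subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lowest = min(n.network_address for n in nets)
    highest = max(n.broadcast_address for n in nets)
    candidate = nets[0]
    # Shorten the prefix one bit at a time until both ends fit.
    while not (lowest in candidate and highest in candidate):
        candidate = candidate.supernet()
    return candidate


def extra_coverage(subnets, supernet):
    """Return the blocks inside the supernet that no required subnet covers.

    These are the ranges a single supernet selector exposes beyond what the
    per-VLAN policies would have allowed.
    """
    required = ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in subnets
    )
    remaining = [supernet]
    for req in required:
        kept = []
        for block in remaining:
            if block == req or block.subnet_of(req):
                continue  # fully required, nothing extra here
            if req.subnet_of(block):
                kept.extend(block.address_exclude(req))
            else:
                kept.append(block)  # disjoint from this requirement
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    for side, vlans in (("local", LOCAL_VLANS), ("remote", REMOTE_VLANS)):
        net = covering_supernet(vlans)
        extra = ", ".join(str(e) for e in extra_coverage(vlans, net)) or "none"
        print(f"{side}: {net.network_address} mask {net.netmask}; extra: {extra}")
```

Any block reported as extra is reachable through the tunnel under the supernet selector, so it needs an ACL or firewall rule on each side if it should not be.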

Hi Andrew,

I would have to downgrade software again to test and unfortunately have had to put this unit into production with just the Data VLAN.

Is there a release date for the next maintenance release?

Cheers

Matthew

Hi Matthew,

We don't have a specific date at the moment.  Probably some time in the summer.

Regards,

Andy

parallaxtech
Level 1

I'm also running into the same problems.  Any update as to when the next patch will be released?

Adam

We're currently planning the next release for the end of this summer.
