Anyone know if it's possible to have multiple traffic selectors on an sVTI IPsec site-to-site interface when the router (Cisco 2901, IOS 15.2) is the SA initiator?
To explain a little more, I have a tunnel (IKEv2) between 184.108.40.206 and 220.127.116.11 (not my real IPs). I want the networks 172.17.0.0/16 and 192.168.0.0/24 to go through it to 192.168.17.0/24.
My problem is I only manage to get one child SA (192.168.0.0/24 === 192.168.17.0/24) instead of two (172.17.0.0/16 === 192.168.17.0/24 and 192.168.0.0/24 === 192.168.17.0/24).
Is it a VTI limitation or a bad configuration on my side?
I know it is possible to have multiple child SAs working on a single tunnel when the router is not the initiator of the SA but the responder. Unfortunately, in this case I really need to be the initiator because I'm the spoke, and the hub peers are only responders (and I don't control them).
Here is a small part of my configuration:
 ip unnumbered GigabitEthernet0/0
 tunnel source 18.104.22.168
 tunnel mode ipsec ipv4
 tunnel destination 22.214.171.124
 tunnel protection ipsec profile ipsec_profile_v2
ip route 192.168.0.0 255.255.255.0 172.19.0.1
ip route 172.17.0.0 255.255.0.0 172.19.0.1
ip route 192.168.17.0 255.255.255.0 Tunnel1
ip route 10.0.0.0 255.255.255.0 Tunnel2
Here we can see there is no child SA for the 172.17.0.0/16 network:
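As an added sanity check (example code, not part of the original post or of any Cisco tool), the script below compares the child SAs that were actually negotiated with the networks the static routes push into the VTI. Any (local, remote) pair that routing sends into Tunnel1 but that no child SA's selectors cover is traffic that will be silently dropped rather than encrypted, which is exactly the symptom described above. The child SA list, the intended local/remote networks and the route lines are constructed from the figures in the post; the `===` selector notation and the `Tunnel1` name are taken from the post as well, and the parsing of that notation is an assumption for the example.

```python
import ipaddress
import re
from typing import List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# Child SAs reported by the router, written in the post's "local === remote" notation.
# Constructed sample: only the one child SA the post says was negotiated.
CHILD_SA_TEXT = """
192.168.0.0/24 === 192.168.17.0/24
"""

# Static routes copied from the post; the Tunnel2 route is a different tunnel.
ROUTE_CONFIG = """
ip route 192.168.0.0 255.255.255.0 172.19.0.1
ip route 172.17.0.0 255.255.0.0 172.19.0.1
ip route 192.168.17.0 255.255.255.0 Tunnel1
ip route 10.0.0.0 255.255.255.0 Tunnel2
"""

# Networks the post wants protected through the tunnel (local side, remote side).
INTENDED_LOCAL = [ipaddress.ip_network("172.17.0.0/16"),
                  ipaddress.ip_network("192.168.0.0/24")]
INTENDED_REMOTE = [ipaddress.ip_network("192.168.17.0/24")]


def parse_child_sas(text: str) -> List[Pair]:
    """Parse 'local/len === remote/len' lines into (local, remote) network pairs."""
    pairs = []
    for line in text.strip().splitlines():
        left, right = (p.strip() for p in line.split("==="))
        pairs.append((ipaddress.ip_network(left), ipaddress.ip_network(right)))
    return pairs


def routed_into(config: str, tunnel: str) -> List[Net]:
    """Return the prefixes whose static route points at the given tunnel interface."""
    pattern = re.compile(r"^ip route (\S+) (\S+) (\S+)$")
    nets = []
    for line in config.strip().splitlines():
        m = pattern.match(line.strip())
        if m and m.group(3) == tunnel:
            # ipaddress accepts the 'prefix/netmask' form IOS uses.
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets


def covered(local: Net, remote: Net, child_sas: List[Pair]) -> bool:
    """True if a single child SA's selectors fully cover the (local, remote) pair."""
    return any(local.subnet_of(l) and remote.subnet_of(r) for l, r in child_sas)


def uncovered_pairs(intended_local: List[Net], intended_remote: List[Net],
                    routed: List[Net], child_sas: List[Pair]) -> List[Pair]:
    """Pairs that routing sends into the tunnel but no negotiated child SA protects."""
    missing = []
    for remote in intended_remote:
        # Only remote networks that are actually routed into the VTI matter.
        if not any(remote.subnet_of(r) for r in routed):
            continue
        for local in intended_local:
            if not covered(local, remote, child_sas):
                missing.append((local, remote))
    return missing


def report(tunnel: str = "Tunnel1") -> List[Pair]:
    """Run the check against the constructed data and print the gaps."""
    sas = parse_child_sas(CHILD_SA_TEXT)
    gaps = uncovered_pairs(INTENDED_LOCAL, INTENDED_REMOTE, routed_into(ROUTE_CONFIG, tunnel), sas)
    for local, remote in gaps:
        print(f"no child SA covers {local} -> {remote} although it is routed via {tunnel}")
    return gaps


if __name__ == "__main__":
    report()
```

Run against the post's figures the check reports one gap, 172.17.0.0/16 -> 192.168.17.0/24, which is the flow the missing second child SA would have carried. The same function is useful after any change on the hub side: paste the new selector list into `CHILD_SA_TEXT` and confirm the gap list is empty before declaring the tunnel fixed.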