RS_Daniel
Advisor

IKE Main Mode ID

Hello CheckMates,

I was looking for some guidance about the IKE Main Mode ID parameter that is negotiated during phase 1. The scenario is the following:

One gateway with three external interfaces, R80.40 JHA Take 94, centrally managed. All interfaces are used to negotiate s2s VPNs with third parties. Almost every time the customer creates a new VPN (and they do very often) we see that the Check Point Gateway sends its main IP address as IKE Main Mode ID in packet MM 5/6. Lately we have seen more and more peers rejecting the IKE Main Mode ID when it does not match the external IP address, so we have to ask them to accept the ID to get the VPN up. In previous situations, for example with Cisco devices, sending the Main IP address as the ID did not cause any problems, but now we see this has changed and we have problems.

So, looking for a solution, I found sk44978, which says that the "'Selected address from topology table' or 'Statically NATed IP' option will affect the IPv4 address used as the IKE ID in Main Mode Packet 5." These two options are not useful for this customer because it is not only one IP address that must be used, but three different IP addresses (three external interfaces) in different VPNs.

I also asked TAC whether this can be set manually per community and was told it is not possible.

And finally we have the option "IKE MM-ID based on routing" from our good friend sk108600, scenario 2. It seems to be our best option, but I think it also applies to all s2s VPNs.

So my question is: should the other options in link selection, for example "Calculate IP based on network topology", affect the IKE Main Mode ID in packet MM 5/6? Or is "IKE MM-ID based on routing" our only option, set manually through routes? Our current configuration is attached.


Thanks in advance.

0 Kudos
1 Reply
_Val_
Admin

I think you already have your answer. You cannot use three different IKE Main Mode IDs on the same GW at once. Your solution would be to run VSX, where a single VS is attached to an external interface, or to change the design and use a single ID for all VPNs.

The VSX option seems to be the best way forward if you want to keep all three S2S VPNs on different external IPs.

0 Kudos
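Added example (not from this thread and not Check Point code): a Python parser for the IKEv1 Identification payload that a gateway sends in MM packet 5/6, plus the strict check a third-party peer applies, namely that an ID_IPV4_ADDR identity must equal the address the peer expects. Sample payloads are constructed inline with documentation-range addresses; the payload layout follows RFC 2408 section 3.8 and RFC 2407 section 4.6.2.

```python
"""Decode an ISAKMP/IKEv1 Identification payload and check the Main Mode ID.

Models the peer-side check discussed above: if the gateway identifies
itself with its main IP while the tunnel terminates on another external
interface, a strict peer sees a mismatch and rejects the ID.
"""
import ipaddress
import struct

# ID types from RFC 2407 section 4.6.2.1 (subset used here)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5
ID_KEY_ID = 11

# Generic payload header + ID fields: next, reserved, length, type, proto, port
_HDR = struct.Struct("!BBHBBH")


def build_id_payload(id_type, data, next_payload=0, proto=0, port=0):
    """Build an Identification payload (used only to construct sample input)."""
    return _HDR.pack(next_payload, 0, _HDR.size + len(data), id_type, proto, port) + data


def parse_id_payload(buf):
    """Return (id_type, decoded identity) from a raw Identification payload."""
    if len(buf) < _HDR.size:
        raise ValueError("ID payload shorter than its 8-byte header")
    _next, _res, length, id_type, _proto, _port = _HDR.unpack_from(buf)
    if length < _HDR.size or length > len(buf):
        raise ValueError("ID payload length field out of range")
    data = buf[_HDR.size:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR data must be 4 bytes")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type == ID_IPV6_ADDR:
        if len(data) != 16:
            raise ValueError("ID_IPV6_ADDR data must be 16 bytes")
        return id_type, str(ipaddress.IPv6Address(data))
    if id_type in (ID_FQDN, ID_USER_FQDN):
        return id_type, data.decode("ascii")
    return id_type, data.hex()  # KEY_ID, DN and other opaque types


def id_matches_peer(buf, expected_peer_ip):
    """Strict peer check: the sent ID must be the IPv4 address the peer expects."""
    id_type, ident = parse_id_payload(buf)
    return id_type == ID_IPV4_ADDR and ident == expected_peer_ip
```

Running `id_matches_peer` with the gateway's main IP as the ID and the external interface address the peer expects reproduces the rejection described in the question; it returns `True` only when the two coincide.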
