Why is there two traffic selectors on an IKEv2 tunnel with only one network configured?

Peter
Posts: 668
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Post by Peter » 06 Feb 2019, 14:08

This FAQ applies to:
  • cOS Core version 10 and up, Any version of cOS Stream

Question:
When I look at the ikesnoop output for my IKEv2 tunnel establishment, why are there two traffic selectors for the initiator and terminator in phase 2? I have only configured one network.

Answer:

The reason is that IKEv2 also contains information about exactly which two IP addresses and ports/protocol were used to initiate the tunnel. This is an example of how it can look in IKEv2:

Initiator
    TSi (Traffic Selector - Initiator)
      Traffic selector 1/2
        IP protocol  : 1
        Port range   : 2048-2048
        Address range: 192.168.3.1-192.168.3.1
      Traffic selector 2/2
        IP protocol  : 0
        Port range   : 0-0
        Address range: 192.168.3.0-192.168.3.255
Responder
    TSr (Traffic Selector - Responder)
      Traffic selector 1/2
        IP protocol  : 1
        Port range   : 2048-2048
        Address range: 192.168.1.153-192.168.1.153
      Traffic selector 2/2
        IP protocol  : 0
        Port range   : 0-0
        Address range: 192.168.1.0-192.168.1.255

If we first look at the Initiator, we see that it first sends a single port range (2048-2048) and the address range 192.168.3.1-192.168.3.1. What this means is that this is a description of who it was that initiated the tunnel: it was this particular IP that tried to reach something beyond the IPsec tunnel, which triggered the start of the tunnel negotiation.

The port range may look a bit strange, but in this case the IP protocol is 1, which means ICMP/ping. Since ICMP does not have a port, and a port is required for a traffic selector, it is the decimal value of ICMP type 8 (echo request) and code 00 (a request never has any codes). Combined they give the hex value 800, which becomes 2048 when converted to decimal.

And if we look at the Responder, we have a similar port range there and the address range is once again a single IP; this is the IP address that the Initiator was trying to reach.

The conclusion is that the tunnel was initiated because source IP 192.168.3.1 sent an ICMP echo request to 192.168.1.153. The tunnel (if it succeeds) will be established to allow networks 192.168.1.0/24 and 192.168.3.0/24 to communicate with each other.

More information about the various ICMP codes can be found here: https://en.wikipedia.org/wiki/Internet_ ... e_Protocol
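As an added example (not Clavister code and not part of the post above), the following Python encodes and decodes IKEv2 Traffic Selector payloads the way RFC 7296 section 3.13 lays them out on the wire, so you can see where the 2048 in the ikesnoop output comes from: for ICMP the selector's port fields carry the ICMP type in the high byte and the code in the low byte, and the first selector in TSi/TSr is the specific packet that triggered the negotiation (RFC 7296 section 2.9). The sample payloads are constructed from the addresses in the post; the function and constant names are the example's own.

```python
import ipaddress
import struct

# TS types and IP protocol numbers from RFC 7296 / IANA
TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE = 7, 8
PROTO_ICMP, PROTO_ICMPV6 = 1, 58
ICMP_PROTOCOLS = (PROTO_ICMP, PROTO_ICMPV6)


def icmp_port(icmp_type, icmp_code=0):
    """ICMP has no ports, so RFC 7296 packs the type into the high byte and the
    code into the low byte of each port field: echo request (8, 0) -> 0x0800 = 2048."""
    return (icmp_type << 8) | icmp_code


def build_selector(proto, start_port, end_port, start_addr, end_addr):
    """Encode one Traffic Selector substructure (RFC 7296 section 3.13.1)."""
    start, end = ipaddress.ip_address(start_addr), ipaddress.ip_address(end_addr)
    if start.version != end.version:
        raise ValueError("address family mismatch in selector")
    ts_type = TS_IPV4_ADDR_RANGE if start.version == 4 else TS_IPV6_ADDR_RANGE
    length = 8 + 2 * len(start.packed)  # fixed header plus two addresses
    header = struct.pack("!BBHHH", ts_type, proto, length, start_port, end_port)
    return header + start.packed + end.packed


def build_ts_payload(selectors):
    """TS payload body: 1-octet selector count, 3 reserved octets, then selectors."""
    return struct.pack("!B3x", len(selectors)) + b"".join(selectors)


def parse_ts_payload(data):
    """Parse a TSi/TSr payload body into a list of selector dicts. Every length
    is checked against the buffer so a malformed peer payload raises instead
    of being read past its end."""
    if len(data) < 4:
        raise ValueError("TS payload too short")
    count, off, selectors = data[0], 4, []
    for _ in range(count):
        if off + 8 > len(data):
            raise ValueError("truncated selector header")
        ts_type, proto, length, sport, eport = struct.unpack_from("!BBHHH", data, off)
        if ts_type == TS_IPV4_ADDR_RANGE:
            alen = 4
        elif ts_type == TS_IPV6_ADDR_RANGE:
            alen = 16
        else:
            raise ValueError(f"unknown TS type {ts_type}")
        if length != 8 + 2 * alen or off + length > len(data):
            raise ValueError("bad selector length")
        start = ipaddress.ip_address(data[off + 8:off + 8 + alen])
        end = ipaddress.ip_address(data[off + 8 + alen:off + length])
        sel = {"protocol": proto, "start_port": sport, "end_port": eport,
               "start_addr": str(start), "end_addr": str(end)}
        if proto in ICMP_PROTOCOLS:
            # Undo the type/code packing so the selector reads as ICMP type/code
            sel["icmp_type"] = (sport >> 8, eport >> 8)
            sel["icmp_code"] = (sport & 0xFF, eport & 0xFF)
        selectors.append(sel)
        off += length
    if off != len(data):
        raise ValueError("trailing bytes after last selector")
    return selectors


def triggering_flow(tsi_bytes, tsr_bytes):
    """The first selector of TSi and TSr describes the packet that triggered
    the exchange (RFC 7296 section 2.9); the second carries the configured networks."""
    first_i, first_r = parse_ts_payload(tsi_bytes)[0], parse_ts_payload(tsr_bytes)[0]
    flow = {"src": first_i["start_addr"], "dst": first_r["start_addr"],
            "protocol": first_i["protocol"]}
    if first_i["protocol"] in ICMP_PROTOCOLS:
        flow["icmp_type"] = first_i["icmp_type"][0]
    return flow


def format_selectors(selectors):
    """Render selectors in the same layout as the ikesnoop output in the post."""
    lines = []
    for n, s in enumerate(selectors, 1):
        lines.append(f"Traffic selector {n}/{len(selectors)}")
        lines.append(f"  IP protocol  : {s['protocol']}")
        lines.append(f"  Port range   : {s['start_port']}-{s['end_port']}")
        lines.append(f"  Address range: {s['start_addr']}-{s['end_addr']}")
    return "\n".join(lines)


# Constructed sample: the TSi/TSr from the post, re-encoded as they would appear on the wire
TSI_PAYLOAD = build_ts_payload([
    build_selector(PROTO_ICMP, icmp_port(8), icmp_port(8), "192.168.3.1", "192.168.3.1"),
    build_selector(0, 0, 0, "192.168.3.0", "192.168.3.255"),
])
TSR_PAYLOAD = build_ts_payload([
    build_selector(PROTO_ICMP, icmp_port(8), icmp_port(8), "192.168.1.153", "192.168.1.153"),
    build_selector(0, 0, 0, "192.168.1.0", "192.168.1.255"),
])

if __name__ == "__main__":
    print("TSi\n" + format_selectors(parse_ts_payload(TSI_PAYLOAD)))
    print("TSr\n" + format_selectors(parse_ts_payload(TSR_PAYLOAD)))
    print(triggering_flow(TSI_PAYLOAD, TSR_PAYLOAD))
```

Running it prints the same two-selector listing as the ikesnoop excerpt and reports the triggering flow as 192.168.3.1 to 192.168.1.153, protocol 1, ICMP type 8. One caveat for the responder side: the narrow first selector is the initiator's claim about what it wants to send, not something the responder has verified, so the responder still narrows the proposed selectors to what its own policy allows before installing the Child SA, as RFC 7296 section 2.9 describes.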
