IPsec VPN tunnels to access remote LAN

Hello All,

I have set up three IPsec tunnels that seem to be working fine if used one at a time.
However I am finding an issue when trying to connect from different workstations, such that:

Workstation 1 VPN client –> Eroute0
Workstation 2 VPN client –> Eroute1
Workstation 3 VPN client –> Eroute2

When I connect from different workstations, the VPN tunnel seem to be enable and connected. However, only one tunnel is able to reach remote devices. Below is the event log:

12:58:02, 27 Feb 2020,(2358) IKE SA Removed. Peer: SMA,Successful Negotiation
12:57:59, 27 Feb 2020,Eroute 2 VPN up peer: SMA
12:57:59, 27 Feb 2020,New IPSec SA created by SMA
12:57:59, 27 Feb 2020,(2358) New Phase 2 IKE Session 207.96.147.2,Responder
12:57:58, 27 Feb 2020,(2357) IKE Notification: Initial Contact,RX
12:57:57, 27 Feb 2020,(2356) IKE Keys Negotiated. Peer: SMA
12:57:57, 27 Feb 2020,(2356) New Phase 1 IKE Session 207.96.147.2,Responder
12:55:31, 27 Feb 2020,(2335) IKE SA Removed. Peer: Operator,Successful Negotiation
12:55:28, 27 Feb 2020,Eroute 0 VPN up peer: Operator
12:55:28, 27 Feb 2020,New IPSec SA created by Operator
12:55:28, 27 Feb 2020,(2335) New Phase 2 IKE Session 207.253.198.226,Responder
12:55:18, 27 Feb 2020,(2334) IKE Notification: Initial Contact,RX
12:55:18, 27 Feb 2020,(2250) IKE SA Removed. Peer: Operator,Duplicate SA
12:55:18, 27 Feb 2020,(2332) IKE Keys Negotiated. Peer: Operator
12:55:18, 27 Feb 2020,(2332) New Phase 1 IKE Session 207.253.198.226,Responder
12:53:31, 27 Feb 2020,Eroute 0 VPN down peer: Operator
12:53:31, 27 Feb 2020,IPSec SA Deleted ID Operator,Remote Deleted
12:45:56, 27 Feb 2020,(2210) IKE SA Removed. Peer: SMA,Dead Peer Detected
12:44:17, 27 Feb 2020,(2253) IKE SA Removed. Peer: Operator,Successful Negotiation
12:44:15, 27 Feb 2020,Eroute 0 VPN up peer: Operator
12:44:15, 27 Feb 2020,New IPSec SA created by Operator
12:44:15, 27 Feb 2020,(2253) New Phase 2 IKE Session 207.253.198.226,Responder
12:44:14, 27 Feb 2020,(2252) IKE Notification: Initial Contact,RX
12:44:14, 27 Feb 2020,(2219) IKE SA Removed. Peer: Operator,Duplicate SA
12:44:13, 27 Feb 2020,(2250) IKE Keys Negotiated. Peer: Operator
12:44:13, 27 Feb 2020,(2250) New Phase 1 IKE Session 207.253.198.226,Responder
12:44:08, 27 Feb 2020,Clear Event Log

Does the “Duplica SA” have something to do with this?

When the I used the tunnels one at a time I can access devices remotely.
My objective is to be able to give out VPN tunnels third parties that need to connect to site and allow simultaneous connections to occur.

Hope you can shine some light on this issue !!

Regards,
Sebastian

Hi and welcome to Digi Forums.

Looking at the logs and error message, the initial guess would be that you are using the same ID’s in your configuration and/or your remote sites are using the same configuration. The tunnels are being brought down due to duplicate SAs:

12:55:18, 27 Feb 2020,(2250) IKE SA Removed. Peer: Operator,Duplicate SA

Each of your tunnel configuration should have their unique ID’s and remote network selectors.

You can look at our documentation on our web site which has examples of configurations here: https://www.digi.com/support/productdetail?pid=5644&type=documentation

For any further help or investigation on that issue, please review our support options on our website: https://www.digi.com/support and mail our support team at tech.support@digi.com.

Thank you

Regards

Alex
Digi Technical Support Engineer