IPsec license usage calculation

Last modified on 14 Apr, 2021. Revision 9
A description and some examples of how the number of IPsec tunnels and their use is counted towards the license.
Up to date for: 13.00.10
Supported since: 11.00.00
Status: OK
Author: Peter Nilsson

Description

The cOS Core VPN license check for IPsec tunnels compares the license limit against three values: the number of IPsec tunnels configured, the number of IKE SAs and the number of IPsec SAs. Whichever of the three is highest is the value matched against the license.

One way to check which of the three currently has the highest value is to use the following CLI commands:

The output with the most entries is what is matched against the license. This means that, depending on how the IPsec tunnel(s) are configured, it is possible to get close to the license limit even with few tunnels. A few examples:

Scenario-1:
5 IPsec tunnels configured, one network defined as local and one as remote network on all of them, all tunnels are established.
License parameters used: 5

Scenario-2:
5 IPsec tunnels configured, one network defined as local and one as remote network on all of them. None of the tunnels are established/active.
License parameters used: 5

Scenario-3:
1 IPsec tunnel configured, 5 networks configured as local and one network configured as remote, tunnel is established and all network combinations are active.
License parameters used: 5

Scenario-4:
1 IPsec tunnel configured, 5 networks configured as local and 5 networks configured as remote, tunnel is established and 2 local networks are established/mapped towards 3 remote networks.
License parameters used: 6

Scenario-5:
1 IPsec tunnel configured, 5 networks configured as local and 5 networks configured as remote, tunnel is established and all network combinations are active.
License parameters used: 25

Scenario-6:
1 IPsec tunnel configured as a roadwarrior/roaming server, one network defined as local and one remote network (all-nets).
License parameters used: one per connected client, unless the client negotiates multiple IPsec SAs based on the networks it wants to access; in that case a single client can consume multiple license parameters (depending on how the client is configured).

Freeing up tunnels in the license

If the license limit has been hit, one fairly easy way to lower the number of tunnels counted in the license is to combine networks into larger segments: instead of using several /24 networks in a range, combine them into one /16. Fewer negotiations and fewer IPsec SAs are then needed.
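As an added worked example (not from the article or from Clavister), the following Python models the "highest of the three" rule, reproduces scenarios 1 to 5 above, and then applies the aggregation remedy from this section. The Tunnel class, its field names and the sample /24 networks are assumptions for illustration only, not cOS Core objects or commands.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Tunnel:  # hypothetical model of one configured IPsec tunnel, not a cOS Core API
    name: str
    local_nets: list    # CIDR strings configured as local network(s)
    remote_nets: list   # CIDR strings configured as remote network(s)
    ike_sas: int = 0    # established IKE SAs: 0 when down, 1 when up, one per client on a roaming server
    ipsec_sas: int = 0  # negotiated IPsec SAs, i.e. active local/remote network combinations
    def activate_all(self):
        """Simulate every local/remote network pair negotiating its own IPsec SA."""
        self.ipsec_sas = len(self.local_nets) * len(self.remote_nets)
        return self

def license_usage(tunnels):
    """License parameters used: the highest of configured tunnels, IKE SAs and IPsec SAs."""
    return max(len(tunnels),
               sum(t.ike_sas for t in tunnels),
               sum(t.ipsec_sas for t in tunnels))

def covering_supernet(nets):
    """Smallest single prefix containing all given networks (the article's 'one big /16' remedy)."""
    nets = [ip_network(n) for n in nets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return str(cover)

# Constructed sample networks: five /24s per side, spread across one /16 each.
LOCAL = [f"10.1.{o}.0/24" for o in (0, 50, 100, 150, 200)]
REMOTE = [f"10.2.{o}.0/24" for o in (0, 50, 100, 150, 200)]

def scenarios():
    """Reproduce the article's scenarios 1-5 plus the aggregation remedy; returns {label: usage}."""
    five_up = [Tunnel(f"T{i}", LOCAL[:1], REMOTE[:1], ike_sas=1, ipsec_sas=1) for i in range(5)]
    five_down = [Tunnel(f"T{i}", LOCAL[:1], REMOTE[:1]) for i in range(5)]
    many_local = Tunnel("T1", LOCAL, REMOTE[:1], ike_sas=1).activate_all()
    partial = Tunnel("T1", LOCAL, REMOTE, ike_sas=1, ipsec_sas=2 * 3)  # 2 local x 3 remote active
    full = Tunnel("T1", LOCAL, REMOTE, ike_sas=1).activate_all()
    merged = Tunnel("T1", [covering_supernet(LOCAL)], [covering_supernet(REMOTE)], ike_sas=1).activate_all()
    return {
        "1: 5 tunnels, 1x1 nets, all up": license_usage(five_up),
        "2: 5 tunnels, 1x1 nets, none up": license_usage(five_down),
        "3: 1 tunnel, 5x1 nets, all active": license_usage([many_local]),
        "4: 1 tunnel, 5x5 nets, 2x3 active": license_usage([partial]),
        "5: 1 tunnel, 5x5 nets, all active": license_usage([full]),
        "5 after merging each side into a /16": license_usage([merged]),
    }
```

Running `scenarios()` gives 5, 5, 5, 6 and 25 for the five scenarios, and 1 once each side is collapsed into a single /16.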

A very common way to configure tunnels with many networks is to define them as "all-nets". Routing and rules still control what is allowed to and from the tunnel(s), so as long as rules and routing are configured correctly the security impact is kept to a minimum. This also has the advantage of fewer tunnel re-keys and less chance of a network "hiccup" while those operations are performed. There are however some pitfalls when configuring tunnels this way; please see Clavister Cookbook Recipe 2.6 and the subsection called "Alternative IPsec tunnel network definition using all-nets" for more details.

https://www.clavister.com/services/resources/configuration-cookbooks/

Question: This has been working fine until recently and I have not made any changes to my configuration. Why did this problem suddenly start now?

Answer:

The most likely reason it worked before is that the configuration was already close to the license limit. Additional VPN clients may have started connecting to the firewall, or a network combination that was previously not active may have come into use, which caused the license limit to be exceeded.

Question: I failed to deploy my new configuration with a message about "Allow IPsec rules reached". Is this the same problem, that the license has been exceeded?

Answer:

Yes, most likely this is the same problem: the license has been exceeded. An example of how a failed configuration deployment can look in this case:

IPsec configuration failed with error: "Maximum number of allowed IPsec rules reached.
Failed to create outbound rule." for tunnel: "IPsec_To_Stockholm"