Why is there two traffic selectors on an IKEv2 tunnel with only one network configured?

Last modified on 7 Feb, 2022. Revision 6
Why is there two traffic selectors on an IKEv2 tunnel with only one network configured?
Up to date for
14.00.00
Supported since
10.00.xx
Status OK

Question:
When i look at the ikesnoop for my IKEv2 tunnel establishment, why is there two traffic selectors for the initiator and terminator in phase-2? I have only configured one network.

Answer:

The reason for that is because IKEv2 also contains information about exactly which two IP addresses and ports/protocol that was used to initiate the tunnel. This is an example on how it can look in IKEv2:

Initiator<pre style="color: white;background: black;"> TSi (Traffic Selector - Initiator) Traffic selector 1/2 IP protocol : 1 Port range : 2048-2048 Address range: 192.168.3.1-192.168.3.1 Traffic selector 2/2 IP protocol : 0 Port range : 0-0 Address range: 192.168.3.0-192.168.3.255 </pre>Responder<pre style="color: white;background: black;"> TSr (Traffic Selector - Responder) Traffic selector 1/2 IP protocol : 1 Port range : 2048-2048 Address range: 192.168.1.153-192.168.1.153 Traffic selector 2/2 IP protocol : 0 Port range : 0-0 Address range: 192.168.1.0-192.168.1.255</pre>If we first look at the Initiator we see that it first sends a single port range (2048-2048) and the address range 192.168.3.1-192.168.3.1. What this means is that this is a description of whom it was that initiated the tunnel, it was this particular IP that tried to reach something beyond the IPsec tunnel that triggered the start of the tunnel negotiation.

The port range may look a bit strange, but in this case the IP protocol is 1, which means ICMP/ping. Since ICMP does not have a port and a port is required for a traffic selector it is the decimal value of ICMP type 8 (echo request) and code 00 (a request never has any codes). Combined it will be a hex value of 800 which if you convert this to decimal it becomes 2048.

And if we look at the Responder we will have a similar port range there and the address range is once again a single IP, this then is the IP address that the Initiator was trying to reach.

The conclusion is that the tunnel was initiated because source IP 192.168.3.1 sent an ICMP echo request to 192.168.1.153. The tunnel (if it succeeds) will be established to allow networks 192.168.1.0/24 and 192.168.3.0/24 to communicate with each other.

More information about the various ICMP codes can be found here : https://en.wikipedia.org/wiki/Internet_ … e_Protocol

Related articles

Configuring L2TP/IPsec Server using PSK
11 Jan, 2023 ipsec core vpn
Roaming IKEv2 tunnel setup in cOS Core with XCA CA and FreeRADIUS
10 Mar, 2023 core vpn ikev2 windows radius certificate
Setup of a Layer-3 bridge over IPsec in cOS Core
12 Apr, 2023 core proxyarp arp ipsec routing
cOS Core IKEv2 split tunneling with Windows and local user database.
28 Mar, 2023 ikev2 windows vpn routing splittunneling
Configuring public certificates in NetWall firewalls
18 Mar, 2024 core certificate oneconnect ipsec vpn
cOS Core L2TP server setup with Windows Server CA certificates
21 Feb, 2023 ipsec certificate windows ca core
Problem with auto-created Core routes
22 Mar, 2021 core ipsec routing
Certificate update in InControl global domain on certificate that is used on firewall(s)
18 Mar, 2024 core incontrol certificate oneconnect ipsec vpn
Setting up OSPF with IPsec in cOS Core
21 Dec, 2023 core routing ospf ipsec
cOS Core IPsec IKEv1 "No_Proposal_Chosen" error in 14.00.10
4 Aug, 2023 core ipsec troubleshoot ike
IPsec license usage calculation
14 Apr, 2021 core license ipsec
Does IPsecBeforeRules trigger before Access rules?
8 Sep, 2020 core ipsec rules access
Split tunneling in cOS Core with Windows L2TP/IPsec clients
29 Mar, 2023 ipsec core windows vpn l2tp
Troubleshooting IPsec tunnels (IKEv1)
7 Dec, 2022 ipsec ike troubleshoot core
cOS Core IKEv2 tunnel setup with certificates for iOS clients
5 Apr, 2023 core nps ipsec radius legacy
Roaming Windows IKEv2 setup with NetWall as CA server
2 Dec, 2022 netwall ikev2 windows certificate vpn core
Freeing up more memory in the Firewall
23 Aug, 2022 core connections ipsec memory
Route failover with IPsec tunnels in cOS Core
13 Feb, 2023 ipsec core routing failover