
IPSec S2S tunnel issue with Cisco ASA Spoke to Hub Topology


Hello,

I have a question that is maybe easy to answer, as I believe I'm missing something small regarding IPSec Site2Site communication.

Target: I am trying to implement a cost-effective solution using Ubiquiti EdgeRouter Poe-5 which will replace a hub to spoke Cisco IPSec Site2Site topology.

Current Solution: Cisco ASA hub to spoke solution using 5505 spokes and 5520 as hub. Network-Objects configured as 8bit, 12bit and 16bit masks to represent traffic for remote 24bit mask subnets. ACLs configured to allow the 8bit, 12bit and 16bit mask traffic. (Example) Object-Group: "CompanyName" with Network-Objects: "10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12" and ACLs configured to reflect incoming traffic.

Issue: When trying to add the ER Poe-5 to this IPSec S2S topology I run into this issue:

-Example: inside (local) subnet 172.16.100.0/24 with remote subnets "tunnel 1 remote 10.0.0.0/8, tunnel 2 remote 192.168.0.0/16" works (Phase 1 ISAKMP traffic up and Phase 2 IPSec ESP traffic confirmed). I can communicate with remote spoke subnets such as "192.168.2.1/24, 192.168.3.1/24, 10.0.1.0/24 and 10.0.2.0/24". However, when I add/commit "tunnel 3 remote 172.16.0.0/12" as a remote subnet, the ER Poe-5 becomes unresponsive via console and ssh and reboots.

 

Possible Issue Cause: I believe this is because my inside subnet is 172.16.100.0/24 and falls within the remote subnet 172.16.0.0/12 subnet range I am attempting to configure. In the attached configuration the remote peer is the hub Cisco ASA 5520 outside (1.1.1.1). Its ACL is configured to allow the traffic:

10.0.0.0/8
192.168.0.0/16
172.16.0.0/12

The spoke peer outside address is (2.2.2.2) which is eth0 of the EdgeRouter.

I have not used the wizards; the attached configuration was committed by command line only. Maybe I missed something.

Ubnt v1.9.0

 

Kind Regards
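
The selector overlap described in the post can be checked mechanically before committing. The following is an added example, not part of the original post or the poster's attached configuration: it parses EdgeOS-style `set vpn ipsec site-to-site peer ... tunnel N local|remote prefix` lines (sample lines constructed from the addresses quoted above) and reports tunnels whose local and remote prefixes overlap.

```python
import ipaddress
import re

# Constructed sample built from the prefixes quoted in the post; this is not
# the poster's attached configuration.
SAMPLE_CONFIG = """\
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 local prefix 172.16.100.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 1 remote prefix 10.0.0.0/8
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 2 local prefix 172.16.100.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 2 remote prefix 192.168.0.0/16
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 3 local prefix 172.16.100.0/24
set vpn ipsec site-to-site peer 1.1.1.1 tunnel 3 remote prefix 172.16.0.0/12
"""

SELECTOR_RE = re.compile(
    r"^set vpn ipsec site-to-site peer (\S+) tunnel (\d+) (local|remote) prefix (\S+)$"
)


def parse_selectors(config_text):
    """Return {(peer, tunnel_id): {"local": network, "remote": network}}."""
    tunnels = {}
    for line in config_text.splitlines():
        match = SELECTOR_RE.match(line.strip())
        if match:
            peer, tunnel_id, side, prefix = match.groups()
            key = (peer, int(tunnel_id))
            tunnels.setdefault(key, {})[side] = ipaddress.ip_network(prefix)
    return tunnels


def find_overlaps(tunnels):
    """List (peer, tunnel_id, relation) for tunnels whose selectors overlap."""
    findings = []
    for (peer, tunnel_id), sel in sorted(tunnels.items()):
        local, remote = sel.get("local"), sel.get("remote")
        if local is None or remote is None or local.version != remote.version:
            continue
        if local == remote:
            findings.append((peer, tunnel_id, "identical"))
        elif local.subnet_of(remote):
            findings.append((peer, tunnel_id, "local-inside-remote"))
        elif remote.subnet_of(local):
            findings.append((peer, tunnel_id, "remote-inside-local"))
    return findings


if __name__ == "__main__":
    for peer, tunnel_id, relation in find_overlaps(parse_selectors(SAMPLE_CONFIG)):
        print(f"peer {peer} tunnel {tunnel_id}: {relation}")
```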

