Symptom
ESP traffic forwarding issue when there are two routes present on cedge towards remote IPSEC peer.
Conditions
ESP packets to peer are send out the wrong WAN interface 2, while source interface is WAN 1 and IKE packets are correctly send from 1 interface. So we saw encrypted (sent) ESP counters increasing but there were zero decrypted (received) traffic from Destination.
Once we disabled ECMP route on cedge, this fixed issue and IPSEC tunnel become operational.
Workaround
Should use a Local Policy to redirect IPSec/IKE control packets to the interface in "route via <interface" of the Tunnel.
Step 1. Identify the physical interface associated with the Tunnel in the config
"tunnel route-via GigabitEthernet0/0/0 mandatory"
Step 2. For the Tunnel Destination IP "tunnel destination 165.225.80.37"
Obtain the next hop ip for the interface it has to egress out.
Step 3. Define a access-list and a route map something like shown below:
#sh ip access-lists
Extended IP access list SIG-1
100 permit ip host any (93 matches)
Extended IP access list SIG-2
100 permit ip host any (77 matches)
Set the action of these rules as "set ip next-hop " in the route map.
You could also fine tune the access list by adding the port numbers 4500 and 500.
#sh route-map
route-map SIG-RM, permit, sequence 10
Match clauses:
ip address (access-lists): SIG-1
Set clauses:
ip next-hop 192.168.200.1
Policy routing matches: 179 packets, 22609 bytes
route-map SIG-RM, permit, sequence 35
Match clauses:
ip address (access-lists): SIG-2
Set clauses:
ip next-hop 192.168.0.1
Policy routing matches: 154 packets, 20548 bytes
