But the VPN router has an IKE-I-General-failure 0x21ff. All of a sudden
it's a problem that I only want to route specific networks?! IPSec is so
exhausting.
I got it working. The trick is to have iked send the CREATE_CHILD_SA
request, i.e. initiate the rekeying, first: either by having lower
ikelifetime and lifetime values than on the VPN router, or by setting
higher values on the VPN router than the iked standards.
I configured iked with half the values my LANCOM router uses. This is
stable over time as well as over bytes transferred.
# cat /etc/iked.conf
set dpd_check_interval 30
ikev2 "rathaus" active \
    from 192.168.0.0/24 to any \
    from dynamic to 192.168.0.0/24 \
    from dynamic to 192.168.11.55/32 \
    local 192.168.1.210 peer IPv4.example.com \
    childsa enc aes-256-gcm group modp2048 \
    srcid "/C=DE/ST=.../CN=o2.example.local" \
    dstid "/C=DE/ST=.../CN=vpn.example.com" \
    ikelifetime 54000 \
    lifetime 14400 bytes 1G \
    request address any \
    iface lo1
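The rekey-ordering rule from the post (the side with the shorter IKE SA lifetime, Child SA lifetime or byte limit sends CREATE_CHILD_SA first, so iked's limits must be strictly below the peer's) can be checked before deploying a policy. The script below is an added example, not the poster's code or anything shipped with iked: it parses the ikelifetime, lifetime and bytes values out of an iked.conf policy and reports every limit where the peer would expire first. The config fragment and the peer's values are constructed sample data modelled on the post; the script assumes lifetimes are written as plain seconds and deliberately does not assume iked's built-in defaults, so a limit missing on either side is simply not compared.

```python
import re

# Constructed iked.conf fragment, modelled on the post but with placeholder
# peer name and without identities; sample input only, not the poster's file.
SAMPLE_IKED_CONF = """\
set dpd_check_interval 30
ikev2 "rathaus" active \\
    from 192.168.0.0/24 to any \\
    local 192.168.1.210 peer vpn.example.com \\
    childsa enc aes-256-gcm group modp2048 \\
    ikelifetime 54000 \\
    lifetime 14400 bytes 1G \\
    iface lo1
"""

# Constructed values standing in for the remote router's configuration
# (twice iked's, as in the post). Real values come from that device.
SAMPLE_PEER = {"ikelifetime": 108000, "lifetime": 28800, "bytes": 2 * 1024 ** 3}

_SIZE_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(token: str) -> int:
    """Convert an iked.conf byte count such as '1G' or '512M' to bytes."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token.strip())
    if m is None:
        raise ValueError(f"unparseable byte count: {token!r}")
    return int(m.group(1)) * _SIZE_UNITS[m.group(2)]


def parse_lifetimes(conf_text: str) -> dict:
    """Extract ikelifetime/lifetime/bytes (seconds, seconds, bytes) from the
    first ikev2 policy. Limits absent from the policy are reported as None;
    iked's defaults are intentionally not assumed here."""
    # Join backslash-continued lines so one policy becomes one logical line.
    joined = re.sub(r"\\\n\s*", " ", conf_text)
    for line in joined.splitlines():
        if not line.lstrip().startswith("ikev2"):
            continue
        out = {"ikelifetime": None, "lifetime": None, "bytes": None}
        m = re.search(r"\bikelifetime\s+(\d+)", line)
        if m:
            out["ikelifetime"] = int(m.group(1))
        # \b keeps this from matching the tail of "ikelifetime".
        m = re.search(r"\blifetime\s+(\d+)(?:\s+bytes\s+(\S+))?", line)
        if m:
            out["lifetime"] = int(m.group(1))
            if m.group(2):
                out["bytes"] = parse_size(m.group(2))
        return out
    raise ValueError("no ikev2 policy found")


def rekey_findings(local: dict, peer: dict) -> list:
    """Return (limit, local_value, peer_value) for every limit where the
    local value is not strictly below the peer's, i.e. where the peer rather
    than iked would initiate the rekey. An empty list means iked rekeys first
    on every limit that both sides configure."""
    findings = []
    for key in ("ikelifetime", "lifetime", "bytes"):
        lv, pv = local.get(key), peer.get(key)
        if lv is None or pv is None:
            continue  # cannot compare a limit not configured on both sides
        if lv >= pv:
            findings.append((key, lv, pv))
    return findings


if __name__ == "__main__":
    local = parse_lifetimes(SAMPLE_IKED_CONF)
    findings = rekey_findings(local, SAMPLE_PEER)
    if not findings:
        print("iked initiates every rekey; all local limits are below the peer's")
    for key, lv, pv in findings:
        print(f"{key}: local {lv} >= peer {pv}: peer would rekey first")
```

Run it against the real iked.conf and the values read from the router's IKEv2 profile; any line printed names a limit that still lets the router send CREATE_CHILD_SA first.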