I've been labbing this, and I can't seem to get it to behave differently - perhaps you can point out what I'm doing wrong here.
Here's my object group:
MX-to-ASA-ikev2-testing# sho object-group id IKEv2
object-group network IKEv2
description: Local Subnets for IKEv2 VPN
network-object 10.99.99.0 255.255.255.0
network-object 10.100.100.0 255.255.255.0
From there, I bound it to an extended ACL
MX-to-ASA-ikev2-testing# sho run | b access-list
access-list 90 extended permit ip 172.24.6.0 255.255.255.0 172.24.0.0 255.255.255.0
access-list 110 remark - this should allow for multiple traffic selectors in IKEv2
access-list 110 extended permit ip object-group IKEv2 192.168.0.0 255.255.255.0 # 192.168.0.0/24 is the remote on the MX
And then finally the crypto map:
MX-to-ASA-ikev2-testing# sho run | b crypto
crypto ipsec ikev2 ipsec-proposal SECURE
protocol esp encryption aes-256 aes-192 3des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map MXMap 20 match address 110
crypto map MXMap 20 set peer 172.24.0.13
crypto map MXMap 20 set ikev2 ipsec-proposal SECURE
crypto map MXMap 20 set security-association lifetime seconds 28800
crypto map MXMap 20 set security-association lifetime kilobytes unlimited
crypto map MXMap interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 28800
crypto ikev2 enable outside
The tunnel is coming up between them, but with the ASA as the responder, it's still only using one of the two proposed traffic selectors:
MX-to-ASA-ikev2-testing# sho crypto ikev2 sa
IKEv2 SAs:
Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
20632227 172.24.6.129/4500 172.24.0.13/4500 READY RESPONDER
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/818 sec
Child sa: local selector 10.99.99.0/0 - 10.99.99.255/65535
remote selector 192.168.0.0/0 - 192.168.0.255/65535
ESP spi in/out: 0x828dcbf7/0xc1d5d2dc
This, in spite of the fact that debugging shows it received selectors for both of its local subnets (don't mind the fact that NTP isn't working):
Jan 02 2003 19:38:32: %ASA-7-711001: (4): Num of TSs: 2, reserved 0x0, reserved 0x0
Jan 02 2003 19:38:32: %ASA-7-711001: (4): TS type: TS_IPV4_ADDR_RANGE, proto id: 1, length: 16
Jan 02 2003 19:38:32: %ASA-7-711001: (4): start port: 2048, end port: 2048
Jan 02 2003 19:38:32: %ASA-7-711001: (4): start addr: 192.168.0.1, end addr: 192.168.0.1
Jan 02 2003 19:38:32: %ASA-7-711001: (4): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
Jan 02 2003 19:38:32: %ASA-7-711001: (4): start port: 0, end port: 65535
Jan 02 2003 19:38:32: %ASA-7-711001: (4): start addr: 192.168.0.0, end addr: 192.168.0.255
Jan 02 2003 19:38:32: %ASA-7-711001: (4): TSrJan 02 2003 19:38:32: %ASA-7-711001: (4): Next payload: NOTIFY, reserved: 0x0, length: 56
Jan 02 2003 19:38:32: %ASA-7-711001: (4): Num of TSs: 3, reserved 0x0, reserved 0x0
Jan 02 2003 19:38:32: %ASA-7-711001: (4): TS type: TS_IPV4_ADDR_RANGE, proto id: 1, length: 16
Jan 02 2003 19:38:32: %ASA-7-711001: (4): start port: 2048, end port: 2048
Jan 02 2003 19:38:32: %ASA-7-711001: (4): start addr: 10.99.99.2, end addr: 10.99.99.2
Jan 02 2003 19:38:32: %ASA-7-711001: (4): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
Jan 02 2003 19:38:32: %ASA-7-711001: (4): start port: 0, end port: 65535
Jan 02 2003 19:38:32: %ASA-7-711001: (4): start addr: 10.99.99.0, end addr: 10.99.99.255
Jan 02 2003 19:38:32: %ASA-7-711001: (4): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
Jan 02 2003 19:38:32: %ASA-7-711001: (4): start port: 0, end port: 65535
Jan 02 2003 19:38:32: %ASA-7-711001: (4): start addr: 10.100.100.0, end addr: 10.100.100.255