topic Re: ZFW and VTI in Network Security

ZFW and VTI

bardellom — Mon, 11 Mar 2019 14:09:14 GMT

I've setup a VTI on two 2821 routers which both have ZFW deployed on them. Without ZFW on the VTI works between the two routers and all traffic passes freely. When I turn on ZFW (basic FW using the wizard) no traffic flows over the VTI. The VTI is up but I cannot ping across it and/or run OSPF. So, the questions I have are:

â€¢ Do I need to create a zone pair (along with the appropriate class-map and policy-map) between the internal interface and the tunnel interface and vice versa?

â€¢ Do I need to create a zone pair between the outside interface and some internal interface?

Thanks

Re: ZFW and VTI

mocah — Fri, 14 Nov 2008 13:57:43 GMT

Can you post config from your router?

Re: ZFW and VTI

torchris — Sun, 23 Nov 2008 21:49:46 GMT

If the internal interface and the tunnel interface are on the same zone, all the traffic is permitted between them.

Then you need to create a Zone-pair between the different interfaces of the router because if there are no zone-pair between them the traffic will fail.

I hope it helps.

Re: ZFW and VTI

mocah — Fri, 12 Jun 2009 13:12:25 GMT

I have same problem as bardellom. Tunnel is up, ISAKMP is established but traffic can not reach the other end. Tunnels are in the same sec. zone as LAN.

Do I need to create Zone-pair between self zone and LAN security zone?

Re: ZFW and VTI

torchris — Fri, 12 Jun 2009 13:52:15 GMT

Hello,

The thing is the following.

By default, the self zone is created once you create a zone.

In order to permit a L2L tunnel to be establish to the router, you will need something like this.

ip access-list ext Tunnel

permit udp any any eq 500

permit udp any any eq 4500

permit esp any any

class-map type inspect match-all VPN

match access-group name Tunnel

policy-map type inspect 2self

class VPN

pass

From the self zone to the out-zone don't, do any zone-pairs, and everything will be implicitly permitted.

For the VTI lines, please do the same but for the SSH and telnet ports.

If you have any questions, please let me know.

Chris - TAC Security Engineer

Re: ZFW and VTI

mocah — Fri, 12 Jun 2009 17:06:30 GMT

Hello torchris,

First I would like to thank you 🙂

I have following config on both routers:

ip access-list extended VPN

permit esp any any

permit udp any any eq isakmp

permit ahp any any

permit udp any any eq non500-isakmp

class-map type inspect match-all ipsec-cmap

match access-group name VPN

policy-map type inspect Internet2Self-pmap

class type inspect ipsec-cmap

inspect

class type inspect ssh-cmap

inspect

class type inspect icmp-cmap

inspect

class class-default

drop

zone-pair security Internet2Self source Internet destination self

service-policy type inspect Internet2Self-pmap

zone-pair security Self2Internet source self destination Internet

service-policy type inspect Internet2Self-pmap

ISAKMP and IPsec tunel are established, only firewall is blocking traffic. This is message from log file:

# %FW-6-DROP_PKT: Dropping Unknown-l4 session xxx.xxx.xxx.84:0 xxx.xxx.xxx.33:0 on zone-pair Internet2Self class class-default due to

# DROP action found in policy-map with ip ident 0

And when I am trying to ping from one tunnel interface to another:

# %FW-6-DROP_PKT: Dropping icmp session 192.168.5.21:0 192.168.1.1:0 due to policy match failure with ip ident 0

Re: ZFW and VTI

torchris — Fri, 12 Jun 2009 17:36:43 GMT

Thanks for the reply.

The problem that you are having is the action on the policy.

Instead of inspect, it should be pass.

The reason for this is that the firewall uses the payload of the packet to inspect the traffic. The thing is that in ESP, the payload is encrypted.

Also, I checked that the ICMP traffic is being dropped.

You can do the following to permit ICMP:

class-map type inspect match-all ICMP2Self

match protocol icmp

policy-map type inspect 2self

class ICMP2Self

pass

That should solve it for the ICMP and ESP traffic.

Re: ZFW and VTI

mocah — Fri, 12 Jun 2009 18:43:49 GMT

Thank you it is working 🙂

One more question.You mentioned:

class-map type inspect match-all ICMP2Self

match protocol icmp

Is icmp traffic also encrypted if I send it from LAN on router 1 to LAN on router 2?

Kind regards, Marko

Re: ZFW and VTI

torchris — Fri, 12 Jun 2009 19:14:36 GMT

Yes, the thing is the following.

If the traffic is from AN on router 1 to LAN on router 2 the flow will be different and the self zone will not participate.

If you try to ping the LAN interface of the router, the packet will get to the router and it will be decrypted, then send to the LAN interface and then through the VPN tunnel.

That means that when the packet gets to the LAN interface it is decrypted.

I hope it helps.