IOS CBAC Firewall blocking router originated VPN traffic

pingduck
Level 1

I ran into a little mystery that I am having trouble solving.

I have a router running Classic IOS 15.6(3)M image. It originates a FlexVPN to a VPN Concentrator. I have a CBAC FW policy like this:

ip access-list extended filter-internet
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 permit udp any eq bootps host 255.255.255.255 eq bootpc

ip inspect udp idle-time 60
ip inspect name permit-outbound tcp router-traffic
ip inspect name permit-outbound udp router-traffic

interface Gig0
 ip address dhcp
 ip access-group filter-internet in
 ip inspect permit-outbound out
 no shut

It works fine when the VPN HeadEnd is in the cloud. But for some reason, when I have a point-to-point link in my lab, the traffic does not go through even though the VPN tunnel is established without issue.

I noticed that when it was working, "show ip inspect sessions" showed the VPN using UDP 4500. The VPN tunnel is still at UDP 500. Adding a log statement to the ACL confirms that the ACL is dropping UDP 500 traffic from the VPN HeadEnd. But clearly I have a CBAC session for UDP 500.

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         25.25.25.25/500       25.25.25.1/500        none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/28204 sec
      CE id: 1032, Session-id: 22
      Status Description: Negotiation done
      Local spi: DDDD164DACFD1D0A       Remote spi: 4CBB41A3291542C9
      Local id: 25.25.25.25
      Remote id: 25.25.25.1
      Local req msg id:  525            Remote req msg id:  6         
      Local next msg id: 525            Remote next msg id: 6         
      Local req queued:  525            Remote req queued:  6         
      Local window:      5              Remote window:      5         
      DPD configured for 55 seconds, retry 2
      Fragmentation not  configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected  
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
      Pushed IP address: 172.16.4.2
      Remote subnets:
      172.16.4.1 255.255.255.255
      192.168.100.0 255.255.255.0
      172.31.0.0 255.255.0.0
      0.0.0.0 0.0.0.0
Router#show ip inspect sessions 
Established Sessions
 Session 11D7B558 (25.25.25.25:500)=>(25.25.25.1:500) udp SIS_OPEN
.Nov 28 00:55:06.939: %SEC-6-IPACCESSLOGP: list filter-internet denied udp 25.25.25.1(500) -> 25.25.25.25(500), 1 packet  

If I manually permit the UDP 500 from 25.25.25.1 in the ACL, it would work. But why is CBAC not allowing the UDP 500 from penetrating the ACL? The same scenario works fine when the router is connected to the VPN HeadEnd in the cloud and there is NAT involved (the router is getting a private IP through DHCP).

2 Replies

Try running a "debug ip inspect"; perhaps it will give a bit more insight as to why it is being dropped.

Is this lab a physical or virtual environment?

--
Please remember to select a correct answer and rate helpful posts

The reproduction is with a real device. I have now figured out the reason; I should have realized that. While the IKEv2 tunnel is established over UDP 500, the data traffic is sent via ESP.

I wonder if there is a way to force UDP (NAT mode) on the concentrator? I'm using an IOS router as the VPN Concentrator right now. There is actually another good reason to use UDP, as ESP could be blocked by intermediate routers.

I saw this thread: https://supportforums.cisco.com/t5/vpn/force-udp-encapsulation-for-vpn-client-without-nat/td-p/275345 which says the option is not available. I hope that after 13 years, this option is finally available?
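A defensive fix for the cause identified above, as an added example rather than configuration from the thread: CBAC opens return entries only for the TCP/UDP sessions it inspects, so ESP (IP protocol 50, which has no ports) from the peer has to be permitted statically in the inbound ACL. It assumes the head end address 25.25.25.1 from the show output and leaves the local side as `any` because Gig0 takes its address via DHCP.

```cisco
! Added example: the original filter-internet ACL plus a static permit for
! the IPsec data plane from the known head end (assumed to be 25.25.25.1).
ip access-list extended filter-internet
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 permit udp any eq bootps host 255.255.255.255 eq bootpc
 ! IKEv2 control plane from the peer only. CBAC already creates these
 ! entries dynamically from the router-traffic inspection; the static
 ! lines only guard the window before a session entry exists.
 permit udp host 25.25.25.1 eq isakmp any eq isakmp
 permit udp host 25.25.25.1 eq non500-isakmp any eq non500-isakmp
 ! ESP is IP protocol 50: no ports, not inspected by "ip inspect ... udp",
 ! so the data plane from the head end needs an explicit permit.
 permit esp host 25.25.25.1 any
 ! Everything else still hits the deny; keep logging it for visibility.
 deny ip any any log

! Verification after sending traffic through the tunnel:
!   show ip access-lists filter-internet   -> match counter on the esp line
!   show crypto ipsec sa | include pkts    -> encaps and decaps both increasing
```

This also explains the cloud case in the first post: with NAT-T detected, ESP is carried inside UDP 4500, which the udp router-traffic inspection tracks, so no static permit was needed there.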
