ZBF self zone and IPSec/L2TP dialin

sylvain.munaut
Level 1

Hi,

I have a router that has an IPSec/L2TP dial-in VPN and uses ZBF for firewalling, including the self zone.

The same router also has VTI GRE/IPsec tunnels to other sites.

For the static VTI GRE/IPsec tunnel, I had to allow ISAKMP and ESP to/from the routers, but I didn't have to allow GRE. It appears that since the GRE traffic is 'encapsulated' within IPsec and belongs to an SA, the GRE to/from the router is 'passed' without any further intervention (which is fine by me, because I only want IPSec-encapsulated GRE traffic and _not_ 'raw' GRE).

Now for the L2TP VPN that's not the case. I have to allow connections from my WAN zone to self on the L2TP UDP port ... and I find it annoying because I can't differentiate between L2TP traffic that _was_ IPSec protected and L2TP traffic that wasn't IPSec protected (and so someone could start an L2TP session without setting up IPSec protection).

So in ZBF, is there a way to allow L2TP traffic only when it was encapsulated in IPSec?

Cheers,

Sylvain
