Secure interface using IPSEC

louis0001, Level 3

Hi,

We have two routers connected to each other via an IPsec tunnel. Both routers are on private networks, so there is no NAT going on.

The IPsec tunnel is fine and traffic is flowing between the local networks (crypto map/access lists are fine) via the tunnel.

I know I need to secure the outside interface but am unsure what sort of ACL is needed so that only IPsec traffic is allowed both in and out, and no other traffic enters or leaves the router unless it is via the IPsec tunnel.

7 Replies

Francesco Molino, VIP Alumni
Hi

Is the outside interface also using private subnets?
On your inbound ACL, the default IPsec protocols need to be allowed (AH, ESP, UDP 500/4500 if NAT).
When it comes to securing a router, I always use ZBF instead of simple ACLs (ZBF requires the security feature set and is bound to a specific license or IOS image depending on the router you're using). Here is a link that can help with ZBF:
https://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/112051-zbf-vpn-access-config.html

You're also going to see the ACL for inbound.

For outbound, you don't usually limit the traffic to only IPsec, unless that is the only traffic going through.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, the routers are on private subnets as they are internal routers. This particular one requires IPsec between the endpoints to secure the traffic, so basically all traffic from the LAN needs to go through the VPN, with nothing going through the outside interface.

Did you try the ACL on the outside interface as mentioned, and/or the ZBF feature?

Thanks
Francesco

Hi,

Yes, I applied an ACL for IPsec on the outside interface in the IN direction and it appears to be working. All other LAN traffic is listed as interesting traffic for the VPN.

Is this enough to prevent any traffic leaving the router unencrypted?

This is for incoming traffic only. You need another ACL for outgoing traffic limiting the IPsec ports (like the one on the inbound), but this time the ports are source ports and not destination ports.

Thanks
Francesco
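Putting the two replies above together (an inbound ACL that admits only IKE, ESP and AH from the peer, and an outbound ACL with the same protocols as source ports), here is an added IOS configuration example. It is not from the thread: the addresses, the interface name and the crypto map name are assumed. UDP 4500 (NAT-T) is only needed when a NAT device sits between the peers, which the original poster says is not the case, so those two lines can be dropped. The example also permits the LAN-to-LAN traffic that the crypto map encrypts, for the reason explained after the block.

```cisco
! Added example, not from the thread. Assumed addressing:
!   local outside  10.0.0.1          remote outside 10.0.1.1
!   local LAN      192.168.10.0/24   remote LAN     192.168.20.0/24
!   outside interface GigabitEthernet0/0, crypto map VPNMAP
!
! Inbound on the outside interface: only IKE and IPsec from the known peer.
ip access-list extended OUTSIDE-IN
 remark IKE negotiation (UDP 500) and NAT-T (UDP 4500, only with NAT) from the peer
 permit udp host 10.0.1.1 host 10.0.0.1 eq isakmp
 permit udp host 10.0.1.1 host 10.0.0.1 eq non500-isakmp
 remark ESP (IP protocol 50) and AH (IP protocol 51) from the peer
 permit esp host 10.0.1.1 host 10.0.0.1
 permit ahp host 10.0.1.1 host 10.0.0.1
 remark Decrypted remote-LAN traffic; see the note after the block before keeping this line
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark Everything else is dropped and logged so stray traffic is visible
 deny   ip any any log
!
! Outbound: the same protocols, now with our address/ports as the source,
! plus the traffic the crypto map is going to encrypt.
ip access-list extended OUTSIDE-OUT
 permit udp host 10.0.0.1 eq isakmp host 10.0.1.1
 permit udp host 10.0.0.1 eq non500-isakmp host 10.0.1.1
 permit esp host 10.0.0.1 host 10.0.1.1
 permit ahp host 10.0.0.1 host 10.0.1.1
 remark Local LAN -> remote LAN: must match the crypto ACL exactly
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip any any log
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
 crypto map VPNMAP
```

Two IOS behaviours matter when checking this. Cisco's documented order of operations evaluates the output ACL before encryption, and packets the router originates itself (the IKE exchange) are not filtered by outbound interface ACLs at all, so the line that actually restricts what leaves is the LAN-to-LAN permit: keep it identical to the crypto ACL, otherwise anything matching OUTSIDE-OUT but not the crypto map would leave in cleartext. Whether the inbound ACL is also applied to the decrypted packet depends on the IOS release; watch the hit counter on the remote-LAN line with `show ip access-lists OUTSIDE-IN` while pinging across the tunnel. If it increments, the line is required; if it stays at zero, remove it so the interface does not accept unencrypted packets that merely carry a remote-LAN source address. Confirm the tunnel itself with `show crypto isakmp sa` and `show crypto ipsec sa`, and leave the `deny ... log` lines in place long enough to see what else was trying to use the outside interface.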

When configuring client SSH authentication using RSA, pasted into the box indicated for the SG350, I caught the error "Key header expected", whereas from the show CLI no such information is listed?

Yes, with the <...> header included later, it configured through.

aa321123, Level 1

Would an SSL/L2TP VPN setting block a LAG group LAN port router(s) connection?
