RV320 VPN - traffic being blocked on eth1 (internet interface)

aforster.home
Level 1

Hello,

I've been struggling to set up my RV320 with Easy VPN, and would appreciate some help. The authentication seems to be OK, as the tunnel is being created correctly, per the logs below.

The problem is with traffic being blocked, which makes me question how secure these tunnels are. A few logs:

The Easy VPN range is configured with 172.16.1.100, so the 172.16.1.100/32 below is the VPN address of the client.

cellphone_IP is the IP of my iPhone;

WAN_IP is the IP of the WAN interface (public);

RV320LAN_IP is the IP address of the LAN interface (internal) of the RV320.

2015-07-14, 11:08:20  VPN Log  [grpips0][7] 0.0.0.0/0=== ...cellphone_IP===? #11: [Tunnel Established] received XAUTH ack, established
2015-07-14, 11:08:22  VPN Log  [grpips0][7] 0.0.0.0/0=== ...cellphone_IP===172.16.1.100/32 #11: [Tunnel Established] sent ModeCfg reply, established
2015-07-14, 11:08:24  VPN Log  [grpips0]: cmd=up-client peer=cellphone_IP peer_client=172.16.1.100/32 peer_client_net=172.16.1.100 peer_client_mask=255.255.255.255
2015-07-14, 11:08:24  VPN Log  ip route add 172.16.1.100/32 via WAN_IP dev eth1 metric 35
2015-07-14, 11:08:24  VPN Log  iptables -t nat -I vpn -d 172.16.1.100/32 -j ACCEPT
2015-07-14, 11:08:24  VPN Log  iptables -t nat -I vpn -s 172.16.1.100/32 -j ACCEPT
2015-07-14, 11:08:24  VPN Log  iptables -t nat -I vpn_postrouting -d 172.16.1.100/32 -j ACCEPT
2015-07-14, 11:08:24  VPN Log  iptables -t nat -I vpn_postrouting -o eth0 -s 172.16.1.100/32 -j ACCEPT
2015-07-14, 11:08:24  VPN Log  [grpips0][7] 0.0.0.0/0=== ...cellphone_IP===172.16.1.100/32 #12: [Tunnel Established] IPsec SA established {ESP=>0x02a60019 < 0xc50aa556}
2015-07-14, 11:08:24  ALLOW  UDP 172.16.1.100:56416 -> RV320LAN_IP:53 on eth1
2015-07-14, 11:08:25  BLOCK  ICMP 172.16.1.100:67 -> RV320LAN_IP:68 on eth1

Note: the udp/53 traffic at 11:08:24 is being permitted because I created a temporary rule to allow DNS queries from the internet (eth1) to reach the LAN IP of the router (just for testing - obviously, that should not be there, but surprisingly it made it work).

Why is the VPN traffic being blocked as if it were coming from the internet? Shouldn't it come through grpips0? If it comes from the internet, how can I prevent anyone from using the VPN range to attempt to access my environment?

Should I create any kind of filter in the firewall to allow that traffic?


One suggestion to the dev team: include other interface names in the firewall configuration when creating rules, such as the VLANs and tunnel interfaces.

Any comment is appreciated.
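
To make the symptom in the firewall lines above concrete, here is an added Python example (not from the post or from Cisco) that parses lines in that log format and flags packets whose source is in the VPN client pool but which the firewall evaluated on eth1, i.e. as if they had arrived from the internet. The pool 172.16.1.0/24, the WAN interface name eth1 and the LAN address 192.168.1.1 are assumptions; the sample lines are constructed from the two firewall entries in the post.

```python
import ipaddress
import re
from collections import namedtuple

# RV320 firewall log line, fields possibly run together by the forum's rendering:
#   "<date>, <time> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport> on <iface>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}, \d{2}:\d{2}:\d{2})\s*"
    r"(?P<action>ALLOW|BLOCK)\s*(?P<proto>[A-Z]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\w+)$"
)
Entry = namedtuple("Entry", "ts action proto src sport dst dport iface")

# Assumptions, not stated in the post: the Easy VPN client pool and the WAN interface name.
VPN_POOL = ipaddress.ip_network("172.16.1.0/24")
WAN_IFACE = "eth1"

def parse_line(line):
    """Parse one firewall line; return None for other formats (e.g. the 'VPN Log' lines)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Entry(d["ts"], d["action"], d["proto"], d["src"], int(d["sport"]),
                 d["dst"], int(d["dport"]), d["iface"])

def vpn_pool_on_wan(lines):
    """Entries with a VPN-pool source that the firewall evaluated on the WAN interface.
    To the firewall such a packet looks the same as one sent from the internet with a
    spoofed VPN-pool source, which is the exposure the post asks about."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and e.iface == WAN_IFACE and ipaddress.ip_address(e.src) in VPN_POOL:
            hits.append(e)
    return hits

# Constructed sample: the post's two firewall lines with RV320LAN_IP replaced by 192.168.1.1
# (one run together, one with separators), plus an ordinary LAN-to-internet entry on eth0.
SAMPLE = [
    "2015-07-14, 11:08:24ALLOWUDP 172.16.1.100:56416 -> 192.168.1.1:53 on eth1",
    "2015-07-14, 11:08:25  BLOCK  ICMP 172.16.1.100:67 -> 192.168.1.1:68 on eth1",
    "2015-07-14, 11:08:30  ALLOW  TCP 192.168.1.50:40000 -> 203.0.113.10:443 on eth0",
]

if __name__ == "__main__":
    for e in vpn_pool_on_wan(SAMPLE):
        print(f"{e.ts} {e.action} {e.proto} {e.src}:{e.sport} -> {e.dst}:{e.dport} on {e.iface}")
```

Both hits are reported regardless of ALLOW or BLOCK: the ALLOW line is the DNS query that only got through because of the temporary eth1 rule, so a rule written for eth1 is what decides the fate of the VPN client's traffic here.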

 

 

1 Reply

aforster.home
Level 1

Cisco did not reply (as usual). I did more testing and found out why this strange behavior happens. Check it out:


https://supportforums.cisco.com/discussion/12572006/big-security-issue-rv320s-vpn-implementation