07-14-2015 07:26 AM
Hello,
I've been struggling to set up my RV320 with Easy VPN, and would appreciate some help. The authentication seems to be OK, as the tunnel is being created correctly, per the logs below.
The problem is with traffic being blocked, which makes me question how secure these tunnels are. A few logs:
The Easy VPN range is configured with 172.16.1.100, so the 172.16.1.100/32 below is the VPN address of the client.
cellphone_IP is the IP of my iphone;
WAN_IP is the IP of the WAN interface (public);
RV320LAN_IP is the IP address of the LAN interface (internal) of the RV320.
2015-07-14, 11:08:20 | VPN Log | [grpips0][7] 0.0.0.0/0=== ...cellphone_IP===? #11: [Tunnel Established] received XAUTH ack, established |
2015-07-14, 11:08:22 | VPN Log | [grpips0][7] 0.0.0.0/0=== ...cellphone_IP===172.16.1.100/32 #11: [Tunnel Established] sent ModeCfg reply, established |
2015-07-14, 11:08:24 | VPN Log | [grpips0]: cmd=up-client peer=cellphone_IP peer_client=172.16.1.100/32 peer_client_net=172.16.1.100 peer_client_mask=255.255.255.255 |
2015-07-14, 11:08:24 | VPN Log | ip route add 172.16.1.100/32 via WAN_IP dev eth1 metric 35 |
2015-07-14, 11:08:24 | VPN Log | iptables -t nat -I vpn -d 172.16.1.100/32 -j ACCEPT |
2015-07-14, 11:08:24 | VPN Log | iptables -t nat -I vpn -s 172.16.1.100/32 -j ACCEPT |
2015-07-14, 11:08:24 | VPN Log | iptables -t nat -I vpn_postrouting -d 172.16.1.100/32 -j ACCEPT |
2015-07-14, 11:08:24 | VPN Log | iptables -t nat -I vpn_postrouting -o eth0 -s 172.16.1.100/32 -j ACCEPT |
2015-07-14, 11:08:24 | VPN Log | [grpips0][7] 0.0.0.0/0=== ...cellphone_IP===172.16.1.100/32 #12: [Tunnel Established] IPsec SA established {ESP=>0x02a60019 < 0xc50aa556} |
2015-07-14, 11:08:24 | ALLOW | UDP 172.16.1.100:56416 -> RV320LAN_IP:53 on eth1 |
2015-07-14, 11:08:25 | BLOCK | ICMP 172.16.1.100:67 -> RV320LAN_IP:68 on eth1 |
Note: the udp/53 traffic at 11:08:24 is being permitted because I created a temporary rule to allow DNS queries from the internet (eth1) to reach the LAN IP of the router (just for testing - obviously, that should not be there, but surprisingly it made it work).
Why is the VPN traffic being blocked as if it were coming from the internet? Shouldn't it come through grpips0? If it comes from the internet, how can I prevent anyone from using the VPN range to attempt to access my environment?
Should I create any kind of filter in the firewall to allow that traffic?
One suggestion to the dev team: include other interface names in the firewall configuration when creating rules, such as the VLANs and tunnel interfaces.
Any comment is appreciated.
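The observation in the post (a packet sourced from the VPN client address being logged "on eth1", the WAN interface, rather than on grpips0) is easy to pick out of the logs automatically. The following script is an added example, not code from the post or from Cisco. It assumes the log layout quoted above: the "cmd=up-client" VPN Log line carries the tunnel interface in brackets and the client prefix in peer_client=, and firewall lines read "ALLOW|BLOCK | PROTO src:port -> dst:port on iface". The sample log is constructed; the placeholders cellphone_IP, WAN_IP and RV320LAN_IP are replaced with RFC 5737 documentation addresses, and the last two lines are added negative cases.

```python
"""Flag VPN-client traffic that the firewall attributed to an interface other
than the tunnel interface. Added example modelled on the RV320 log lines in the
post; not code from the post or from Cisco."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log. Real addresses from the post are replaced with
# documentation ranges; the final two lines are negative cases added here.
SAMPLE_LOG = """\
2015-07-14, 11:08:24 | VPN Log | [grpips0]: cmd=up-client peer=198.51.100.23 peer_client=172.16.1.100/32 peer_client_net=172.16.1.100 peer_client_mask=255.255.255.255 |
2015-07-14, 11:08:24 | VPN Log | iptables -t nat -I vpn -s 172.16.1.100/32 -j ACCEPT |
2015-07-14, 11:08:24 | ALLOW | UDP 172.16.1.100:56416 -> 192.168.1.1:53 on eth1 |
2015-07-14, 11:08:25 | BLOCK | ICMP 172.16.1.100:67 -> 192.168.1.1:68 on eth1 |
2015-07-14, 11:08:30 | ALLOW | TCP 192.168.1.50:44211 -> 203.0.113.9:443 on eth0 |
2015-07-14, 11:09:02 | BLOCK | TCP 172.16.1.100:50000 -> 192.168.1.1:22 on grpips0 |
"""

# "[grpips0]: cmd=up-client peer=<public ip> peer_client=<prefix> ..."
UP_CLIENT_RE = re.compile(
    r"\[(?P<iface>[^\]]+)\]: cmd=up-client peer=(?P<peer>\S+) "
    r"peer_client=(?P<client>\S+)"
)
# "<date>, <time> | ALLOW | UDP a.b.c.d:p -> w.x.y.z:q on eth1 |"
FW_RE = re.compile(
    r"^(?P<ts>[\d-]+, [\d:]+) \| (?P<action>ALLOW|BLOCK) \| (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on (?P<iface>\S+) \|"
)


@dataclass(frozen=True)
class VpnClient:
    network: ipaddress.IPv4Network  # address(es) assigned to the client
    peer: str                       # public address the client connected from
    tunnel_iface: str               # interface decrypted traffic should use


@dataclass(frozen=True)
class Finding:
    ts: str
    action: str
    proto: str
    src: str
    dst: str
    dport: int
    iface: str           # interface the firewall actually logged
    expected_iface: str  # tunnel interface named in the up-client line


def parse_vpn_clients(lines):
    """Collect every client that completed mode-config (cmd=up-client)."""
    clients = []
    for line in lines:
        m = UP_CLIENT_RE.search(line)
        if m:
            clients.append(VpnClient(
                network=ipaddress.ip_network(m["client"], strict=False),
                peer=m["peer"],
                tunnel_iface=m["iface"],
            ))
    return clients


def find_misrouted(lines):
    """Return firewall events whose source lies in a VPN client prefix but
    which were logged on an interface other than that client's tunnel
    interface. A hit on the WAN interface means the firewall judged the
    packet by its internet-facing rules, the same rules an outside host
    spoofing the VPN client address would be subject to."""
    clients = parse_vpn_clients(lines)
    findings = []
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        for client in clients:
            if src in client.network and m["iface"] != client.tunnel_iface:
                findings.append(Finding(
                    ts=m["ts"], action=m["action"], proto=m["proto"],
                    src=m["src"], dst=m["dst"], dport=int(m["dport"]),
                    iface=m["iface"], expected_iface=client.tunnel_iface,
                ))
    return findings


if __name__ == "__main__":
    for f in find_misrouted(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.action} {f.proto} {f.src}->{f.dst}:{f.dport} "
              f"seen on {f.iface}, expected {f.expected_iface}")
```

Run against the sample log this reports the two 172.16.1.100 packets seen on eth1 and stays quiet about the one logged on grpips0. On a general Linux netfilter host the usual answer to the spoofing worry is to accept a VPN-client source on the WAN interface only when the packet was decapsulated from IPsec, using the policy match (`-m policy --dir in --pol ipsec`); whether the RV320 firmware exposes that match in its rule editor is not something the post establishes, so treat that as a general technique rather than a confirmed fix for this device.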
08-01-2015 06:51 PM
Cisco did not reply (as usual). I did more testing and found out the reason for this strange behavior. Check it out:
https://supportforums.cisco.com/discussion/12572006/big-security-issue-rv320s-vpn-implementation