06-23-2015 01:34 AM - edited 03-05-2019 01:43 AM
Hi folks,
I am trying to gain a better understanding of how tunnel set up and tear down occurs when using Virtual Tunnel Interfaces (static or dynamic).
Currently our firewalls and ACLs are configured to accept ESP and ISAKMP/4500 packets from anywhere so that tunnel set up can occur. But this seems too wide ranging and I would like to look at narrowing the hole.
I can't find any detailed info on the initial mechanics of tunnel set up and tear-down/reconnect to try and create more granular rules or policies.
Can anyone help?
Specifically, I'm looking for what packet types are used. Packet captures so far have been like trying to find a raindrop in a cloud.
Any advice is much appreciated.
Paul
06-23-2015 01:47 AM
Hi,
I always ask the remote VPN side to open these ports:
UDP 500, UDP 4500, GRE 47 and ESP 50
Below is a great site that I always refer to:
http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html
06-23-2015 03:11 AM
Thanks. I have those articles and I understand the tunnelling process. It was the connection set up that I was particularly looking for, but I think perhaps what I'm missing is that the set up uses the same protocols and no additional packet types are seen.
Thanks anyway.
06-23-2015 05:15 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
From your follow-on post, it appears you have all the packet types, but if you're looking for more granular rules for allowing tunnel setup, you might pursue allowing only those packets from known or approved source IPs.
The only other thing that comes to mind is trying to implement a rule that blocks some tunnel-type packets if some other type of tunnel packets haven't been seen in a while (possibly useful if you use some kind of keepalive across the tunnel).
06-23-2015 05:27 AM
Thanks Joseph. I've locked down what I can to IP, but user VPNs obviously prohibit knowing those. I'm aware of being too open, but I am also trying not to be too narrow with the ZBF rules so I don't prohibit tunnels being created anew at a future date (i.e. something I've not thought of happening).
What I've done for now is to create a 'pass and log' entry in the policy map.
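As an added illustration (not configuration from any poster in this thread), the following IOS zone-based firewall fragment combines the two ideas above: the tunnel-setup protocols (UDP 500, UDP 4500, ESP) are passed only from known site-to-site peers, and the pass is logged so that any setup that does not fit can be reviewed before the rule is tightened further. Zone names, the peer address 203.0.113.10 (an RFC 5737 documentation address) and the class/policy names are constructed placeholders; native IPsec VTI carries ESP directly, so GRE is only needed if GRE-over-IPsec is in use. The `pass log` action is assumed to be available on the platform in use, as the original poster describes.

```cisco
! Constructed example: known site-to-site peer(s) and the IPsec setup protocols.
! Remote-access users with dynamic addresses cannot be listed here; they need a
! broader entry, which is the trade-off the thread discusses.
ip access-list extended ACL-IPSEC-KNOWN-PEERS
 remark IKE (ISAKMP) negotiation
 permit udp host 203.0.113.10 any eq isakmp
 remark IKE / ESP when NAT-T is in play
 permit udp host 203.0.113.10 any eq non500-isakmp
 remark ESP data packets for the tunnel itself (no GRE needed for native VTI)
 permit esp host 203.0.113.10 any
!
class-map type inspect match-all CM-IPSEC-SETUP
 match access-group name ACL-IPSEC-KNOWN-PEERS
!
! Traffic from the outside zone to the router itself (the "self" zone), which is
! where VTI tunnel negotiation terminates.
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-IPSEC-SETUP
  pass log
 class class-default
  drop log
!
zone security OUTSIDE
zone-pair security ZP-OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
```

Reviewing the pass log entries over time shows which source addresses and protocols actually negotiate tunnels, which is the evidence needed to decide whether the ACL can be narrowed without breaking future tunnels.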