VTI Tunnel set up mechanics

Paul Morgan
Level 1

Hi folks,


I am trying to gain a better understanding of how tunnel set up and tear down occurs when using Virtual Tunnel Interfaces (static or dynamic).

Currently our firewalls and ACLs are configured to accept ESP and ISAKMP/4500 packets from anywhere so that tunnel set up can occur. But this seems too wide ranging and I would like to look at narrowing the hole.

I can't find any detailed info on the initial mechanics of tunnel set up and tear-down/reconnect to try and create more granular rules or policies.

Can anyone help?

Specifically, I'm looking for what packet types are used. Packet captures so far have been like trying to find a raindrop in a cloud.

Any advice is much appreciated.


Paul

4 Replies

johnlloyd_13
Level 9

Hi,

I always ask the remote VPN side to open these ports:

UDP 500, UDP 4500, GRE 47 and ESP 50


Below is a great site that I always refer to:

http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html


Thanks. I have those articles and I understand the tunnelling process. It was the connection set up that I was particularly looking for, but I think perhaps what I'm missing is that the set up uses the same protocols and no additional packet types are seen.

Thanks anyway.
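As an added illustration for the two posts above (the port list and the question of which packet types appear during tunnel set up), here is a small Python classifier that is not part of this thread and not Cisco code. It labels each packet of a capture as IKE on UDP 500, IKE or ESP carried inside UDP 4500 (NAT-T, with its non-ESP marker and 1-byte keepalive), or native ESP (IP protocol 50), and decodes the ISAKMP/IKE header far enough to name the exchange (Main Mode, IKE_SA_INIT, IKE_AUTH, and so on). The packet records and the addresses are constructed sample data in the documentation ranges; the record layout (a dict per packet) is an assumption made for the example, so a real capture would first be converted into that shape.

```python
import struct
from collections import Counter

# Protocol constants (RFC 7296 for IKEv2, RFC 2408/2409 for IKEv1, RFC 3948 for NAT-T).
PROTO_UDP = 17
PROTO_ESP = 50
IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE inside UDP 4500 starts with 4 zero bytes
NATT_KEEPALIVE = b"\xff"               # NAT-keepalive is a single 0xFF byte

IKEV1_EXCHANGES = {2: "Main Mode", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def parse_ike_header(data):
    """Decode the 28-byte ISAKMP/IKE header shared by IKEv1 and IKEv2, or None if too short."""
    if len(data) < 28:
        return None
    spi_i, spi_r, _next, version, exch, flags, msg_id, _length = struct.unpack("!QQBBBBII", data[:28])
    major = version >> 4
    names = IKEV2_EXCHANGES if major == 2 else IKEV1_EXCHANGES
    return {
        "version": major,
        "exchange": names.get(exch, "unknown(%d)" % exch),
        "initiator_spi": "%016x" % spi_i,
        "responder_spi": "%016x" % spi_r,
        # IKEv2 sets the R flag (0x20) on responses; IKEv1 flags mean something else.
        "response": bool(flags & 0x20) if major == 2 else None,
        "msg_id": msg_id,
    }


def describe(hdr):
    """Human-readable label such as 'IKEv2 IKE_AUTH request'."""
    label = "IKEv%d %s" % (hdr["version"], hdr["exchange"])
    if hdr["response"] is not None:
        label += " response" if hdr["response"] else " request"
    return label


def classify(pkt):
    """Return a (kind, detail) pair for one packet record {proto, src, dst, sport, dport, payload}."""
    proto, payload = pkt["proto"], pkt["payload"]
    if proto == PROTO_ESP:
        if len(payload) < 8:
            return ("ESP", "truncated")
        spi, seq = struct.unpack("!II", payload[:8])
        return ("ESP", "spi=%08x seq=%d" % (spi, seq))
    if proto != PROTO_UDP:
        return ("other", "proto=%d" % proto)
    if IKE_PORT in (pkt["sport"], pkt["dport"]):
        hdr = parse_ike_header(payload)
        return ("IKE", describe(hdr) if hdr else "malformed")
    if NATT_PORT in (pkt["sport"], pkt["dport"]):
        if payload == NATT_KEEPALIVE:
            return ("NAT-T keepalive", "")
        # SPI 0 is reserved, so four zero bytes can only be the non-ESP marker.
        if payload.startswith(NON_ESP_MARKER):
            hdr = parse_ike_header(payload[4:])
            return ("IKE over NAT-T", describe(hdr) if hdr else "malformed")
        if len(payload) >= 8:
            spi, seq = struct.unpack("!II", payload[:8])
            return ("ESP over NAT-T", "spi=%08x seq=%d" % (spi, seq))
        return ("UDP 4500", "unrecognised")
    return ("other", "udp %d->%d" % (pkt["sport"], pkt["dport"]))


def summarize(records, local_ip):
    """Count packet kinds per remote peer, as seen from local_ip (what a rule would key on)."""
    per_peer = {}
    for pkt in records:
        peer = pkt["dst"] if pkt["src"] == local_ip else pkt["src"]
        per_peer.setdefault(peer, Counter())[classify(pkt)[0]] += 1
    return per_peer


def make_ike(spi_i, spi_r, exch, flags, msg_id, version=0x20):
    """Build a bare IKE header (next payload 33 = SA) for the constructed sample below."""
    return struct.pack("!QQBBBBII", spi_i, spi_r, 33, version, exch, flags, msg_id, 28)


def udp(src, dst, sport, dport, payload):
    return {"proto": PROTO_UDP, "src": src, "dst": dst, "sport": sport, "dport": dport, "payload": payload}


# Constructed sample capture: one NAT-T peer negotiating and sending data, one native-ESP peer, one stray DNS packet.
LOCAL, PEER_A, PEER_B = "198.51.100.1", "203.0.113.5", "192.0.2.9"
SPI_I, SPI_R = 0x1111222233334444, 0x5555666677778888
SAMPLE_CAPTURE = [
    udp(PEER_A, LOCAL, 500, 500, make_ike(SPI_I, 0, 34, 0x08, 0)),                           # IKE_SA_INIT request
    udp(LOCAL, PEER_A, 500, 500, make_ike(SPI_I, SPI_R, 34, 0x20, 0)),                       # IKE_SA_INIT response
    udp(PEER_A, LOCAL, 4500, 4500, NON_ESP_MARKER + make_ike(SPI_I, SPI_R, 35, 0x08, 1)),   # IKE_AUTH via NAT-T
    udp(PEER_A, LOCAL, 4500, 4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),       # ESP via NAT-T
    udp(PEER_A, LOCAL, 4500, 4500, NATT_KEEPALIVE),                                          # NAT keepalive
    {"proto": PROTO_ESP, "src": PEER_B, "dst": LOCAL, "sport": 0, "dport": 0,
     "payload": struct.pack("!II", 0x0000ABCD, 7) + b"\x00" * 16},                           # native ESP
    udp("192.0.2.77", LOCAL, 51234, 53, b"\x12\x34"),                                        # unrelated UDP
]

if __name__ == "__main__":
    for pkt in SAMPLE_CAPTURE:
        print("%-14s -> %-14s %s" % (pkt["src"], pkt["dst"], classify(pkt)))
    for peer, counts in summarize(SAMPLE_CAPTURE, LOCAL).items():
        print(peer, dict(counts))
```

Run as a script it prints one labelled line per packet and then the per-peer totals; the point of the summary is that the remote addresses which ever send IKE (UDP 500 or the marker form on UDP 4500) are exactly the set a source-restricted rule would need to cover, while ESP and keepalives alone mean an SA already exists. Nothing here reads a live interface; feeding it a real capture means extracting IP protocol, addresses, ports and UDP payload per packet into the record shape shown.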

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

From your follow-on post, it appears you have all the packet types, but if you're looking for more granular rules for allowing tunnel setup, you might pursue allowing only those packets from known or approved source IPs.

The only other thing that comes to mind is trying to implement a rule that blocks some tunnel type packets if some other type of tunnel packets haven't been seen in a while (possibly useful if you use some kind of keepalive across the tunnel).

Thanks Joseph. I've locked down what I can to IP, but user VPNs obviously prohibit knowing those. I'm aware of being too open, but I am also trying not to be too narrow with the ZBF rules so I don't prohibit tunnels being created anew at a future date (i.e. something I've not thought of happening).

What I've done for now is to create a 'pass and log' entry in the policy map.
