GETVPN Packet encryption issue

dakahn
Level 1

We currently use GETVPN for connectivity to some of our high-sec sites and use an ACL to set the "interesting" traffic we want to be encrypted. I ran across an interesting log that I am seeing.

Feb 25 13:36:49.961 CST: %IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:082 TS:00042663892591352963 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 10.10.254.15, src_addr= 10.92.255.254, prot= 17 

The source address is the router itself, trying to send a UDP packet to our SolarWinds (Orion) server. What I don't understand is that the ACL covers this type of traffic, but because it is originating from the router, I am thinking it is possibly bypassing the ACL. Below is the ACL we have applied on both sides. Would this be just another simple addition to the ACL, adding the router loopback to the ACL?

Basically this ACL does NOT encrypt these, and encrypts everything else...

  ACL Downloaded From KS 10.16.98.107:
   access-list   deny icmp 10.220.24.36 0.0.0.3 63.218.44.132 0.0.0.3
   access-list   deny icmp 10.220.24.40 0.0.0.3 63.218.44.132 0.0.0.3
   access-list   deny icmp 10.220.24.36 0.0.0.3 10.220.24.36 0.0.0.3
   access-list   deny icmp 10.220.24.40 0.0.0.3 10.220.24.36 0.0.0.3
   access-list   deny icmp 10.220.114.136 0.0.0.3 10.220.114.136 0.0.0.3
   access-list   deny icmp 10.224.144.80 0.0.0.3 10.224.144.80 0.0.0.3
   access-list   deny esp any any
   access-list   deny udp any any port = 3785
   access-list   deny udp any port = 3785 any
   access-list   deny udp any any port = 3784
   access-list   deny udp any port = 3784 any
   access-list   deny udp any port = 500 any port = 500
   access-list   deny udp any port = 848 any port = 848
   access-list   deny tcp any any port = 22
   access-list   deny tcp any port = 22 any
   access-list   deny tcp any any port = 49
   access-list   deny tcp any port = 49 any
   access-list   deny tcp any any port = 179
   access-list   deny tcp any port = 179 any
   access-list   deny tcp any any port = 3784
   access-list   deny tcp any port = 3784 any
   access-list   deny tcp any any port = 3785
   access-list   deny tcp any port = 3785 any
   access-list   permit ip any any
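To see which entry of the ACL above a given packet hits, and so whether the policy says it should be encrypted or sent in the clear, here is an added example (not from the original post or from Cisco) that evaluates a subset of those entries with IOS first-match and wildcard semantics; the parser, the ACE subset and the SNMP trap port 162 used for the logged packet are assumptions.

```python
import ipaddress
# Added example (not from the post): evaluate a GETVPN policy ACL as a group member
# applies it: first match wins, 'permit' = encrypt, 'deny' = send in the clear.
ACL_TEXT = """
access-list   deny icmp 10.220.24.36 0.0.0.3 63.218.44.132 0.0.0.3
access-list   deny esp any any
access-list   deny udp any any port = 3784
access-list   deny udp any port = 3784 any
access-list   deny udp any port = 500 any port = 500
access-list   permit ip any any
"""  # subset of the ACL quoted in the post
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50}
def _parse_endpoint(tok, i):  # 'any' or 'addr wildcard', then optional 'port = N'
    if tok[i] == "any":
        base, wc, i = "0.0.0.0", "255.255.255.255", i + 1
    else:
        base, wc, i = tok[i], tok[i + 1], i + 2
    port = None
    if i < len(tok) and tok[i] == "port":  # tokens: port = N
        port, i = int(tok[i + 2]), i + 3
    return (base, wc, port), i

def parse_acl(text):
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()  # access-list <action> <proto> <src...> <dst...>
        src, i = _parse_endpoint(tok, 3)
        dst, _ = _parse_endpoint(tok, i)
        acl.append((tok[1], PROTO_NUM[tok[2]], src, dst))
    return acl

def _endpoint_match(spec, addr, port):
    base, wc, want_port = spec
    w = int(ipaddress.ip_address(wc))  # IOS wildcard: a set bit means "don't care"
    if (int(ipaddress.ip_address(addr)) | w) != (int(ipaddress.ip_address(base)) | w):
        return False
    return want_port is None or want_port == port

def classify(acl, proto, src, dst, sport=None, dport=None):
    """'encrypt' or 'clear' per the first matching ACE; implicit deny = clear."""
    for action, want_proto, s, d in acl:
        if want_proto not in (None, proto):
            continue
        if _endpoint_match(s, src, sport) and _endpoint_match(d, dst, dport):
            return "encrypt" if action == "permit" else "clear"
    return "clear"

ACL = parse_acl(ACL_TEXT)
# The packet from the log; it shows no ports, so 162 (SNMP trap) is a constructed guess.
LOG_PACKET = dict(proto=17, src="10.92.255.254", dst="10.10.254.15", sport=50000, dport=162)
```

`classify(ACL, **LOG_PACKET)` returns "encrypt": the policy says the router-sourced UDP packet should have arrived inside IPsec, which is why the receiving side logs it as not an IPsec packet when it arrives in the clear.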
