cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
774
Views
5
Helpful
2
Replies

IKEv2 clients route filtering

mdu113
Level 1
Level 1

Hello,

Can somebody explain to me how I can make sure that only authorized subnets are routed to IKEv2 clients?

If I configure 'route accept any' - which is the only option - under authorization policy then client is allowed to send me any routes, thus nothing prevents client to install any route into headend potentially screwing up routing for my network.

This is obviously not acceptable.

Another option I tried is to set 'no route accept' in ikev2 authorization profile and send route in radius attribute like this:

"ip:route=a.b.c.d 255.255.255.0 0.0.0.0"

This doesn't work. Route isn't installed in routing table.

Another option I tried is 'route set local'. That works and correct route being installed into headend routing table, but unfortunately I can't see a way to do in radius. 'route set local'  seems to be only locally supported attribute, which will require me to configure ikev2 profile/authorization policy per client. That obviously doesn't scale.

So I'm at loss. Can somebody show me how I can enforce only authorized routes to be installed for the ikev2 clients?

Something like 'route accept <ACL>" to filter what ikev2 routes I receive from clients or per-user routes like "ip:route" radius attribute?

Thank you,

Michael

2 Replies 2

Hi @mdu113 

For authorisation via RADIUS try cisco-avpair=“ipsec:route-set=prefix prefix/length

 

Local authorisation you could use the "route set remote ipv4....." command. Example:-

crypto ikev2 authorization policy IKEV2_AUTHZ
route set interface
route set remote ipv4 192.168.10.0 255.255.255.0
route set remote ipv4 192.168.11.0 255.255.255.0

HTH 

mdu113
Level 1
Level 1

Rob,

I'm not talking about routing client-to-server. "route set remote" on the server will push routes to client and those routes are installed on client device. That's fine.

I'm talking about server-to-client routes. Routes that needs to be installed on headend router for subnets behind client device. The only way to do it that I know of is to specify "route set remote" on the client. My question was about how to control which routes are being pushed from client to server. Or if there's a way to just install such routes on the server using radius attributes.

Thanks,

Michael