Can somebody explain to me how I can make sure that only authorized subnets are routed to IKEv2 clients?
If I configure 'route accept any' - which is the only option - under the authorization policy, then the client is allowed to send me any routes, so nothing prevents the client from installing any route into the headend, potentially screwing up routing for my network.
This is obviously not acceptable.
Another option I tried is to set 'no route accept' in the ikev2 authorization profile and send the route in a RADIUS attribute like this:
"ip:route=a.b.c.d 255.255.255.0 0.0.0.0"
This doesn't work. The route isn't installed in the routing table.
Another option I tried is 'route set local'. That works and the correct route is installed into the headend routing table, but unfortunately I can't see a way to do it in RADIUS. 'route set local' seems to be a locally supported attribute only, which would require me to configure an ikev2 profile/authorization policy per client. That obviously doesn't scale.
So I'm at a loss. Can somebody show me how I can enforce that only authorized routes are installed for the ikev2 clients?
Something like 'route accept <ACL>' to filter what ikev2 routes I receive from clients, or per-user routes like the 'ip:route' RADIUS attribute?
I'm not talking about routing client-to-server. "route set remote" on the server will push routes to the client and those routes are installed on the client device. That's fine.
I'm talking about server-to-client routes: routes that need to be installed on the headend router for subnets behind the client device. The only way to do it that I know of is to specify "route set remote" on the client. My question was about how to control which routes are being pushed from client to server, or whether there's a way to just install such routes on the server using RADIUS attributes.
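As an added example (not from the poster or from Cisco), here is a defender-side audit that addresses the risk described above: it parses constructed `show ip route` text from the headend and flags any route installed via a Virtual-Access interface that falls outside that client's allow-list. The sample output, the Virtual-Access numbering and the per-client allow-list are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of "show ip route" output (not taken from the poster's router).
# Static routes pointing at a Virtual-Access interface are the ones a FlexVPN
# headend installs for subnets advertised by an IKEv2 client.
SAMPLE_SHOW_IP_ROUTE = """\
C        10.0.0.0/24 is directly connected, GigabitEthernet0/0
S        192.168.10.0/24 is directly connected, Virtual-Access1
S        192.168.20.0/24 is directly connected, Virtual-Access2
S        10.0.0.0/8 is directly connected, Virtual-Access2
S*       0.0.0.0/0 is directly connected, Virtual-Access3
"""

# Constructed per-client allow-list (assumption): which subnets each client session
# is authorised to advertise. In practice this should come from the same source of
# truth that feeds RADIUS, keyed by whatever identifies the client session.
AUTHORIZED = {
    "Virtual-Access1": ["192.168.10.0/24"],
    "Virtual-Access2": ["192.168.20.0/24"],
    "Virtual-Access3": [],
}

# Matches static routes (including the default route marked "S*") via Virtual-Access.
ROUTE_RE = re.compile(r"^S\*?\s+(\S+)\s+is directly connected,\s+(Virtual-Access\d+)")


def parse_client_routes(text):
    """Return (prefix, interface) pairs for static routes via a Virtual-Access interface."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return routes


def find_unauthorized(routes, authorized):
    """A route is acceptable only if it equals, or is more specific than, an allowed prefix."""
    bad = []
    for prefix, intf in routes:
        allowed = [ipaddress.ip_network(p) for p in authorized.get(intf, [])]
        if not any(prefix.subnet_of(a) for a in allowed):
            bad.append((str(prefix), intf))
    return bad


if __name__ == "__main__":
    for prefix, intf in find_unauthorized(parse_client_routes(SAMPLE_SHOW_IP_ROUTE), AUTHORIZED):
        print(f"UNAUTHORIZED route {prefix} installed via {intf}")
```

Run against the constructed sample it reports the /8 and the default route, i.e. exactly the kind of client-pushed routes that would disrupt the headend's routing.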