IKEv2 clients route filtering

mdu113
Level 1

Hello,

Can somebody explain to me how I can make sure that only authorized subnets are routed to IKEv2 clients?

If I configure 'route accept any' - which is the only option - under the authorization policy, then the client is allowed to send me any routes, so nothing prevents the client from installing any route on the headend, potentially screwing up routing for my network.

This is obviously not acceptable.

Another option I tried is to set 'no route accept' in ikev2 authorization profile and send route in radius attribute like this:

"ip:route=a.b.c.d 255.255.255.0 0.0.0.0"

This doesn't work. Route isn't installed in routing table.

Another option I tried is 'route set local'. That works and the correct route is installed into the headend routing table, but unfortunately I can't see a way to do that in RADIUS. 'route set local' seems to be a locally supported attribute only, which would require me to configure an ikev2 profile/authorization policy per client. That obviously doesn't scale.

So I'm at a loss. Can somebody show me how I can enforce that only authorized routes are installed for the ikev2 clients?

Something like 'route accept <ACL>' to filter which ikev2 routes I receive from clients, or per-user routes like the "ip:route" RADIUS attribute?

Thank you,

Michael

2 Replies

Hi @mdu113 

For authorisation via RADIUS try cisco-avpair="ipsec:route-set=prefix prefix/length"


Local authorisation you could use the "route set remote ipv4....." command. Example:-

crypto ikev2 authorization policy IKEV2_AUTHZ
route set interface
route set remote ipv4 192.168.10.0 255.255.255.0
route set remote ipv4 192.168.11.0 255.255.255.0

HTH 
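As an added illustration (not part of Rob's reply), the per-user RADIUS form of the same local policy, written in FreeRADIUS users-file syntax: the user name, password and prefixes are constructed for the example, and it assumes the headend is already configured to request IKEv2 authorization from this RADIUS server.

```conf
# FreeRADIUS users file entry (example, constructed values)
# The two prefixes mirror the local 'route set remote' lines above,
# delivered per user as Cisco AV pairs instead of a per-client local policy.
vpnclient1  Cleartext-Password := "ExamplePassw0rd"
            Cisco-AVPair += "ipsec:route-set=interface",
            Cisco-AVPair += "ipsec:route-set=prefix 192.168.10.0/24",
            Cisco-AVPair += "ipsec:route-set=prefix 192.168.11.0/24"
```

These attributes push routes from the headend to the client (the same direction as 'route set remote'); they do not filter what a client advertises back.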

mdu113
Level 1

Rob,

I'm not talking about routing client-to-server. "route set remote" on the server will push routes to client and those routes are installed on client device. That's fine.

I'm talking about server-to-client routes: routes that need to be installed on the headend router for subnets behind the client device. The only way to do it that I know of is to specify "route set remote" on the client. My question was about how to control which routes are being pushed from client to server, or whether there's a way to just install such routes on the server using RADIUS attributes.

Thanks,

Michael