5897 Views, 0 Helpful, 9 Replies

IPSEC crypto peers using non-standard ports

phil_carter
Level 1

Hello,

I have a remote site that is using port 4500 within the ISAKMP phase of creating an IPsec tunnel, but for some reason it is also constantly using random port numbers (in bold):

BEVRLY_D_CR184_01#sh crypto isa peer
Peer: x.x.x.x Port: 4500 Local: x.x.x.x
Phase1 id: 10.2.0.92
Peer: x.x.x.x Port: 10456 Local: x.x.x.x
Phase1 id: 10.2.0.92
Peer: x.x.x.x Port: 10554 Local: x.x.x.x
Phase1 id: 10.2.0.92
Peer: x.x.x.x Port: 10557 Local: x.x.x.x
Phase1 id: 10.2.0.92
Peer: x.x.x.x Port: 10580 Local: x.x.x.x
Phase1 id: 10.2.0.92

These are all blocked by the firewall when trying to communicate with our central router in the trusted network. The central router does not display the same symptoms; it only uses port 4500.

Is there a way of preventing the remote router from using random port numbers and only allowing it to use 4500?

Thanks

Phil

9 Replies

Arun Nair
Level 1

Hi Phil,

Is the crypto isa peer output above taken from the central router or the peer router?

It looks like the central router is changing the ports, not the peer router.

The output above is from the remote router, i.e.:

BEVRLY_D_CR184_01#sh crypto isa peer
Peer: Port: 4500 Local:
Phase1 id: 10.2.0.92
Peer: Port: 10456 Local:
Phase1 id: 10.2.0.92
... etc

Hi Phil,

I am not really sure what is causing such behavior, but I would like you to consider this one input of mine and see if it helps.

There is a phase in the IKE and IPsec negotiation wherein both routers send a hash of their IP address and port to check whether there is any NAT in the path through which they are sending the IPsec encrypted packets. If NAT exists, the IP address and port will get translated, and hence the router at the other end receives a different hash payload. To avoid this, on detection of a NAT device in the path of the packets, the routers negotiate NAT transparency, and this allows the packets to be transmitted through unchanged. I think this is not happening on your remote router, due to which the remote router is generating sessions using other ports.

I cannot confirm on this, maybe the other experts can help with this concept.
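The NAT detection step Arun describes is the NAT-D payload exchange of IKEv1 NAT-T (RFC 3947): each side hashes the ISAKMP cookies together with an IP address and UDP port, and the receiver recomputes the hash over the addresses it actually observes on the wire. The following is an added illustration, not code from this thread or from Cisco IOS; the cookies and the 192.0.2.x / 198.51.100.x addresses are constructed sample values, and the MD5 hash mirrors the thread's `hash md5` policy.

```python
"""NAT-D (NAT discovery) hash check as used by IKEv1 NAT-T (RFC 3947).

Added illustration, not code from the thread or from Cisco. Cookies, ports
and the 192.0.2.x / 198.51.100.x addresses are constructed sample values.
"""
import hashlib
import ipaddress
import struct
from typing import List, Tuple


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_alg: str = "md5") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).

    IP is the packed address (4 bytes for IPv4) and Port a 2-byte big-endian
    integer; the hash algorithm is the one negotiated in the ISAKMP policy.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    packed = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_alg, packed).digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, local_ip: str, local_port: int,
                         remote_ip: str, remote_port: int, hash_alg: str = "md5") -> List[bytes]:
    """Payloads a sender places in its IKE message: first the hash of the
    destination (peer) address, then the hash of its own source address."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port, hash_alg),
        nat_d_hash(cky_i, cky_r, local_ip, local_port, hash_alg),
    ]


def detect_nat(received: List[bytes], cky_i: bytes, cky_r: bytes,
               observed_src_ip: str, observed_src_port: int,
               my_ip: str, my_port: int, hash_alg: str = "md5") -> Tuple[bool, bool]:
    """Receiver side: compare the peer's NAT-D hashes with what is actually seen.

    Returns (peer_behind_nat, self_behind_nat):
      - the first hash covers my address as the peer knew it; a mismatch with my
        real address/port means the peer's destination was rewritten (I am
        behind a NAT);
      - the remaining hashes cover the peer's own address; if none matches the
        observed packet source, the peer's packets were translated on the way.
    """
    self_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port, hash_alg)
    expected_peer = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port, hash_alg)
    peer_behind_nat = expected_peer not in received[1:]
    return peer_behind_nat, self_behind_nat


def simulate(translated: bool) -> Tuple[bool, bool]:
    """Remote router (phase1 id 10.2.0.92, as in the thread) talks to a central
    router; optionally a NAT rewrites the remote's source to a high port."""
    cky_i = bytes.fromhex("0102030405060708")  # constructed initiator cookie
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")  # constructed responder cookie
    remote_ip, remote_port = "10.2.0.92", 500
    central_ip, central_port = "192.0.2.10", 500  # constructed (TEST-NET-1)
    sent = build_nat_d_payloads(cky_i, cky_r, remote_ip, remote_port, central_ip, central_port)
    if translated:
        src_ip, src_port = "198.51.100.7", 10456  # NAT chose a new address and source port
    else:
        src_ip, src_port = remote_ip, remote_port
    return detect_nat(sent, cky_i, cky_r, src_ip, src_port, central_ip, central_port)


if __name__ == "__main__":
    print("no NAT in path       ->", simulate(False))  # (False, False)
    print("source port rewritten ->", simulate(True))   # (True, False)
```

Once either check fails, both peers switch to UDP encapsulation on port 4500; from then on the port the far side sees is whatever the NAT device assigns, not something the router's configuration controls, which is the point Arun makes later in the thread.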

Hello,

Yes, there's NAT at the trusted central router end, on our side of the firewall. The config used is below:

Remote Router end:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 180
crypto isakmp key address
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 90 30 periodic
!
crypto ipsec security-association idle-time 300
!
crypto ipsec transform-set BEVERLEY_Transform esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
set security-association lifetime seconds 1800
set transform-set BEVERLEY_Transform
!
!

interface Tunnel1
description BEVRLY_CC296_01 F0/8 (10.30.45.29)
ip address x.x.x.x 255.255.255.252
ip helper-address 10.91.6.30
ip helper-address 10.4.162.92
ip mtu 1400
ip ospf message-digest-key 1 md5

load-interval 30
tunnel source Dialer1
tunnel destination

tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!

Central Router:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 180
crypto isakmp key address

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 90 30 periodic
!
crypto ipsec security-association idle-time 300
!
crypto ipsec transform-set BEVERLEY_Transform esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
set security-association lifetime seconds 1800
set transform-set BEVERLEY_Transform
!

!

interface Tunnel1
description link to Beverley via internet (BEVERLY_CR184_01 Tun1)
ip address x.x.x.x 255.255.255.252
ip mtu 1400
ip ospf message-digest-key 1 md5

load-interval 30
tunnel source FastEthernet0/1
tunnel destination

tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!

I believe the DPD keepalives (crypto isakmp keepalive 90 30 periodic) ensure NAT is known and compatible between the peers...

Any help gladly appreciated....

thanks

Phil

Phil,

One question: how exactly did you set the ISAKMP port to 4500? I do not find any UDP encapsulation-specific commands in your configuration.

I haven't set any UDP ports; it uses the default 4500 and then random self-generated ones... Can I force it to only use one port?

Phil,

In the case of a Cisco IOS router, setting a port for ISAKMP is not possible. ISAKMP with NAT-T (in your case it is turned on) uses UDP port 4500. This port cannot be changed. Also, having said this, ISAKMP negotiation, unlike in your case, should not take place on any other port.

I need some debug outputs, like debug crypto isakmp and debug crypto ipsec.

Could you please clear the peering before posting the debugs?

This is a very interesting case.

Experts, please help.

You can just go through this for a gist:

https://supportforums.cisco.com/docs/DOC-16591

As you said that the central router is doing NAT, it is changing the UDP encapsulation's source port as the packets come out of the outside interface towards the remote router (the behavior of NAT-T).

Excuse me, as I got confused: I thought the port 4500 and the 10000-something ports listed in the output above were source ports of the remote router.

The only way I believe you can pass the traffic is to either open up the ports in your firewall or to overcome the NAT in some way.

HTH

Cheers

Arun

Please do post the output of show crypto isakmp peer in the central router.