Solved

IPSEC site to site ports

Posted on 2006-11-15
863 Views
Last Modified: 2008-02-01
Have a site to site VPN setup in my lab. Which tcp ports need to be open for IPSEC communication?
Right now I have an ACL on each router, denying everything inbound. Just need to know what to open up

Thanks
0
Question by:dissolved
23 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 17948788
UDP 500 and ESP if not using AH.

access-list 101 permit udp <source> <destination> eq 500
access-list 101 permit esp <source> <destination>
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17948865
Just in case you want to use NAT Traversal, you'll need the following to allow UDP 4500:

access-list 101 permit udp <source> <destination> eq non500-isakmp
0
 

Author Comment

by:dissolved
ID: 17949813
thanks man
0
 

Author Comment

by:dissolved
ID: 17949823
For NAT traversal, it's port 4500?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17949840
Yes, correct.
0
 

Author Comment

by:dissolved
ID: 17950102
Jfrederick, I can't seem to get it to work.

Diagram:

10.10.1.1--ROUTER-192.168.3.1---------------192.168.1.1--Router--172.16.1.1
                                                                                                                         
Hosts:
10.10.1.2        on router 1
172.16.3.170  on router 2

My ACL for router 1 is

permit udp host 172.16.3.170 host 10.10.1.2 eq isakmp
permit esp host 172.16.3.170 host 10.10.1.2


and my ACL for router 2 is:

permit udp host 10.10.1.2 host 172.16.3.170 eq isakmp
permit esp host 10.10.1.2 host 172.16.3.170
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17951617
The source and destination in the ACL should be your tunnel endpoints (not the actual hosts).

permit udp host 192.168.1.1 host 192.168.3.1 eq isakmp
permit esp host 192.168.1.1 host 192.168.3.1


and my ACL for router 2 is:

permit udp host 192.168.3.1 host 192.168.1.1 eq isakmp
permit esp host 192.168.3.1 host 192.168.1.1
0
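To make the point of the last two answers concrete (the ACL has to describe the outer packets that reach the interface, not the inner hosts), here is a small model of an inbound extended ACL evaluated against the traffic an IPsec peer actually sends: IKE on UDP 500, ESP, and UDP 4500 when NAT-T is in play. This is an added illustration written for this thread, not a Cisco tool or code from anyone in the thread; the addresses are the ones from the question and the packet set is constructed.

```python
"""Model of an inbound extended ACL on the outside interface of an IPsec peer.

Added illustration for the thread above; not a Cisco tool. Addresses come
from the thread, the packet set is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ISAKMP_PORT = 500   # IKE / ISAKMP
NAT_T_PORT = 4500   # IKE and ESP-in-UDP once NAT traversal is negotiated


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp", "esp", "ah", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One entry, e.g. permit udp host A host B eq 500."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "any", "host X" or a CIDR prefix
    dst: str
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not _covers(self.src, pkt.src) or not _covers(self.dst, pkt.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def _covers(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def outer_packets(peer: str, local: str, nat_t: bool = False, ah: bool = False) -> List[Packet]:
    """What arrives on the outside interface from the peer. The inner hosts'
    traffic (e.g. the ping in the thread) is inside ESP and never shows up
    here with its own addresses."""
    pkts = [Packet("udp", peer, local, ISAKMP_PORT),   # IKE phase 1 and 2
            Packet("esp", peer, local)]                 # the tunnel itself
    if nat_t:
        pkts.append(Packet("udp", peer, local, NAT_T_PORT))
    if ah:
        pkts.append(Packet("ah", peer, local))
    return pkts


def acl_admits_tunnel(acl: List[Ace], peer: str, local: str,
                      nat_t: bool = False, ah: bool = False) -> bool:
    return all(evaluate(acl, p) for p in outer_packets(peer, local, nat_t, ah))


# Router at 192.168.1.1 facing the peer at 192.168.3.1, as in the thread.
PEER, LOCAL = "192.168.3.1", "192.168.1.1"

# ACL from the question: written against the inner hosts.
HOST_ACL = [Ace("permit", "udp", "host 172.16.3.170", "host 10.10.1.2", 500),
            Ace("permit", "esp", "host 172.16.3.170", "host 10.10.1.2")]

# Corrected ACL: written against the tunnel endpoints.
ENDPOINT_ACL = [Ace("permit", "udp", f"host {PEER}", f"host {LOCAL}", 500),
                Ace("permit", "esp", f"host {PEER}", f"host {LOCAL}")]

# Same, plus the NAT-T line for a peer behind NAT.
NAT_T_ACL = ENDPOINT_ACL + [Ace("permit", "udp", f"host {PEER}", f"host {LOCAL}", 4500)]

if __name__ == "__main__":
    print("host ACL admits tunnel:      ", acl_admits_tunnel(HOST_ACL, PEER, LOCAL))
    print("endpoint ACL admits tunnel:  ", acl_admits_tunnel(ENDPOINT_ACL, PEER, LOCAL))
    print("endpoint ACL, peer uses NAT-T:", acl_admits_tunnel(ENDPOINT_ACL, PEER, LOCAL, nat_t=True))
    print("NAT-T ACL, peer uses NAT-T:   ", acl_admits_tunnel(NAT_T_ACL, PEER, LOCAL, nat_t=True))
```

The host-based ACL admits nothing because no packet on the outside interface ever carries the inner addresses; the endpoint-based one admits IKE and ESP, and only needs the extra UDP 4500 line once NAT-T is negotiated.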
 

Author Comment

by:dissolved
ID: 17952054
cool, thanks for the clarification
0
 

Author Comment

by:dissolved
ID: 17958709
Jfrederick,
It's still not working.
I tried pinging from one host to another. No dice. Is ping covered under the above ACL?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17958727
Yes, because it is encapsulated in ESP.

What does your crypto ACL look like?

Do you have QM_IDLE when using the command "show crypto isa sa"?  Do you have your IPSEC flows established "show crypto ipsec sa"?
0
 

Author Comment

by:dissolved
ID: 17965533
Yes I have QM_IDLE when using show crypto isa sa. I guess this means the tunnel is working?
Not sure how to verify if I have IPSEC flows established. A lot of stuff shows up when I give show crypto ipsec sa.

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17966784
Look for inbound and outbound SAs.  If they exist, your IPSEC flows are established which is good.  You need to generate traffic to make sure they haven't idled out.
0
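Reading "show crypto ipsec sa" by eye gets old, so here is a small checker that pulls the peer, the encaps/decaps counters and the inbound/outbound ESP SPIs out of the output and says which of the states described above you are in. It is an added illustration for this thread, not a Cisco tool; the sample output is constructed to resemble the IOS 12.x layout and every counter and SPI in it is invented.

```python
"""Checker for 'show crypto ipsec sa' output. Added illustration for the
thread above, not a Cisco tool. SAMPLE_ONE_WAY is constructed: it resembles
IOS 12.x formatting, and its counters and SPIs are invented."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: phase 2 SAs exist, we encapsulate but never decapsulate,
# which is what a one-way block on the peer's ESP looks like.
SAMPLE_ONE_WAY = """\
interface: Serial0
    Crypto map tag: TOP_NY, local addr 192.168.1.1

   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
   current_peer 192.168.3.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

     inbound esp sas:
      spi: 0x7B1C2D3E(2065444158)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }

     inbound ah sas:

     outbound esp sas:
      spi: 0x4F5A6B7C(1331063676)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }

     outbound ah sas:
"""


@dataclass
class FlowStatus:
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    inbound_spis: List[str] = field(default_factory=list)
    outbound_spis: List[str] = field(default_factory=list)


def parse_ipsec_sa(text: str) -> FlowStatus:
    """Collect peer, counters and ESP SPIs. The section headers
    ('inbound esp sas:', 'outbound esp sas:') decide where an SPI belongs."""
    st = FlowStatus()
    section: Optional[str] = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"current_peer (\S+)", s)
        if m:
            st.peer = m.group(1)
        m = re.search(r"#pkts encaps: (\d+)", s)
        if m:
            st.encaps = int(m.group(1))
        m = re.search(r"#pkts decaps: (\d+)", s)
        if m:
            st.decaps = int(m.group(1))
        if s.endswith("sas:"):
            section = s[:-len("sas:")].strip()   # e.g. "inbound esp"
            continue
        m = re.match(r"spi: (0x[0-9A-Fa-f]+)", s)
        if m and section == "inbound esp":
            st.inbound_spis.append(m.group(1))
        elif m and section == "outbound esp":
            st.outbound_spis.append(m.group(1))
    return st


def diagnose(st: FlowStatus) -> str:
    """Map the counters onto the next thing to check."""
    if not st.inbound_spis or not st.outbound_spis:
        return "no_sas"             # phase 2 never completed, or the SAs idled out
    if st.encaps == 0 and st.decaps == 0:
        return "idle"               # SAs exist; send interesting traffic first
    if st.decaps == 0:
        return "esp_not_received"   # we encrypt, nothing comes back: inbound ESP filtered?
    if st.encaps == 0:
        return "esp_not_sent"       # peer reaches us; check our crypto ACL and routing
    return "ok"


if __name__ == "__main__":
    status = parse_ipsec_sa(SAMPLE_ONE_WAY)
    print(status)
    print("diagnosis:", diagnose(status))
```

Run it against pasted output from each router in turn; "no_sas" on both ends with QM_IDLE present points at phase 2, while "esp_not_received" on one end only points at whatever sits between the peers on that direction, such as an inbound ACL that does not permit ESP from the peer address.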
 

Author Comment

by:dissolved
ID: 17967745
Nothing under inbound and outbound SAs. If I remove the access-list, stuff shows up there.

What do you think?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17967794
Okay, try this ACL setup and see if it works:

permit udp host 192.168.1.1 host 192.168.3.1 eq isakmp
permit esp any any

and my ACL for router 2 is:

permit udp host 192.168.3.1 host 192.168.1.1 eq isakmp
permit esp any any
0
 

Author Comment

by:dissolved
ID: 17968298
I tried it, still nothing.

For what it's worth: I have the word "log" after both ACL lines. For:
permit udp host <host>  host <host> eq 500

it shows 42 matches

for permit esp any any
it shows no matches
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17969023
Can you post the configurations from the two routers?
0
 

Author Comment

by:dissolved
ID: 17969065
Post it first thing Monday morning. Thanks
0
 

Author Comment

by:dissolved
ID: 17979527
SANFRAN#sh run
Building configuration...

Current configuration : 1372 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SANFRAN
!
logging rate-limit console 10 except errors
enable secret 5 $1$ZCxe$.srPzqtUyWJUB41Trf7R71
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
crypto isakmp key vpntime address 192.168.3.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map TOP_NY 120 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 172.16.1.1 255.255.0.0
!
interface Serial0
 description external
 ip address 192.168.1.1 255.255.255.0
 ip access-group borderportect in
 encapsulation ppp
 no fair-queue
 clockrate 2000000
 crypto map TOP_NY
!
interface Serial1
 no ip address
 shutdown
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip http server
!
!
ip access-list extended borderprotect
 permit udp host 192.168.3.1 host 192.168.1.1 eq isakmp log
 permit esp any any log
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxx
 login
!
end

SANFRAN#
0
 

Author Comment

by:dissolved
ID: 17979533


TOP_NY#sh run
Building configuration...

Current configuration : 1229 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname TOP_NY
!
logging rate-limit console 10 except errors
enable secret 5 $1$hNPI$KWIVIBC/ku9dnMDH0IvYW0
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
crypto isakmp key vpntime address 192.168.1.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map SANFRAN 120 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 10.10.1.1 255.255.0.0
!
interface Serial0
 description external
 ip address 192.168.3.1 255.255.255.0
 ip access-group borderprotect in
 encapsulation ppp
 no fair-queue
 crypto map SANFRAN
!
interface Serial1
 no ip address
 shutdown
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
ip access-list extended borderprotect
 permit udp host 192.168.1.1 host 192.168.3.1 eq isakmp log
 permit esp any any log
access-list 105 permit ip 10.10.0.0 0.0.255.255 172.16.0.0 0.0.255.255
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxx
 login
!
end

TOP_NY#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17981965
I know it works without the ACL but I would make this change anyway...

The two ends of the Serial interface are not on the same subnet.  Change one end to an address in the same subnet as the other and make the related changes to the other parts of the configuration.
0
 

Author Comment

by:dissolved
ID: 17988292
Ok, I put both serial interfaces in the same network (192.168.1.1/24 and 192.168.1.2/24).
The IPSEC tunnel works. But when I apply the ACL again, everything stops working. I even tried an ACL as generic as this to no avail:

ip access-list extended borderprotect
 permit udp any any eq isakmp log
 permit esp any any log

The above should work right?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 17988333
Very strange.  Are you able to upgrade the IOS?

You can add a "deny ip any any log" to the end of the list to see if that catches anything when the list is applied.
0
 

Author Comment

by:dissolved
ID: 17992234
Can't upgrade the IOS on these routers. If the ACLs you gave me worked for you, then I trust you :)
I will try this on my 2600s when I can get them setup at home.

Appreciate the help
0
