  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 900
  • Last Modified:

IPSEC site to site ports

Have a site to site VPN setup in my lab. Which tcp ports need to be open for IPSEC communication?
Right now I have an ACL on each router, denying everything inbound. Just need to know what to open up

Thanks
0
dissolved
Asked:
1 Solution
 
JFrederick29Commented:
UDP 500 and ESP if not using AH.

access-list 101 permit udp <source> <destination> eq 500
access-list 101 permit esp <source> <destination>
0
 
JFrederick29Commented:
Just in case you want to use Nat-Traversal, you'll need the following to allow UDP 4500:

access-list 101 permit udp <source> <destination> eq non500-isakmp
0
 
dissolvedAuthor Commented:
thanks man
0
 
dissolvedAuthor Commented:
for NAT traversal, it's port 4500?
0
 
JFrederick29Commented:
Yes, correct.
0
 
dissolvedAuthor Commented:
Jfrederick, I can't seem to get it to work.

Diagram:

10.10.1.1--ROUTER-192.168.3.1---------------192.168.1.1--Router--172.16.1.1
Hosts:
10.10.1.2        on router 1
172.16.3.170  on router 2

My ACL for router 1 is:

permit udp host 172.16.3.170 host 10.10.1.2 eq isakmp
permit esp host 172.16.3.170 host 10.10.1.2


and my ACL for router 2 is:

permit udp host 10.10.1.2 host 172.16.3.170 eq isakmp
permit esp host 10.10.1.2 host 172.16.3.170
0
 
JFrederick29Commented:
The source and destination in the ACL should be your tunnel endpoints (not the actual hosts).

permit udp host 192.168.1.1 host 192.168.3.1 eq isakmp
permit esp host 192.168.1.1 host 192.168.3.1


and my ACL for router 2 is:

permit udp host 192.168.3.1 host 192.168.1.1 eq isakmp
permit esp host 192.168.3.1 host 192.168.1.1
0
 
dissolvedAuthor Commented:
cool, thanks for the clarification
0
 
dissolvedAuthor Commented:
Jfrederick,
It's still not working.
I tried pinging from one host to another. No dice. Is ping covered under the above ACL?
0
 
JFrederick29Commented:
Yes, because it is encapsulated in ESP.

What does your crypto ACL look like?

Do you have QM_IDLE when using the command "show crypto isa sa"?  Do you have your IPSEC flows established "show crypto ipsec sa"?
0
 
dissolvedAuthor Commented:
Yes I have QM_IDLE when using show crypto isa sa. I guess this means the tunnel is working?
Not sure how to verify if I have IPSEC flows established. A lot of stuff shows up when I give show crypto ipsec sa.

0
 
JFrederick29Commented:
Look for inbound and outbound SAs.  If they exist, your IPSEC flows are established, which is good.  You need to generate traffic to make sure they haven't idled out.
0
 
dissolvedAuthor Commented:
Nothing under inbound and outbound SAs. If I remove the access-list, stuff shows up there.

What do you think?
0
 
JFrederick29Commented:
Okay, try this ACL setup and see if it works:

permit udp host 192.168.1.1 host 192.168.3.1 eq isakmp
permit esp any any

and my ACL for router 2 is:

permit udp host 192.168.3.1 host 192.168.1.1 eq isakmp
permit esp any any
0
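The point JFrederick29 makes above is easy to verify by modelling what the border ACL actually sees. An IPsec peer puts exactly three kinds of packets on the wire: IKE on UDP 500, ESP, and (with NAT traversal) UDP 4500, all addressed between the tunnel endpoints; the inner host-to-host traffic, such as the ping, is encapsulated and never appears with its own addresses. The Python below is an added example, not code from the thread or from Cisco: it parses the ACE syntax used in this thread, evaluates an ACL with IOS first-match semantics and the implicit deny, and shows that the host-based list drops every tunnel packet while the endpoint-based lists admit them. The names `Packet`, `Ace`, `parse_ace`, `evaluate`, `ipsec_wire_packets` and `acl_admits_tunnel` are mine; only `any`, `host`, `eq`, `isakmp` and `non500-isakmp` are real IOS keywords.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of a packet as an interface ACL sees it: outer header only.
@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "esp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "udp", "esp", "ip"
    src: str                    # "any" or an IPv4 host address
    dst: str
    dport: Optional[int] = None

# IOS port names used in the thread.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

def parse_ace(line: str) -> Ace:
    """Parse the ACE subset used in the thread:
    <permit|deny> <proto> <any|host A> <any|host B> [eq <port>] [log]"""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host":
            i += 2
            return tok[i - 1]
        raise ValueError("only 'any' and 'host X' are modelled: " + line)

    src, dst, dport = addr(), addr(), None
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, src, dst, dport)   # a trailing "log" is ignored

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(acl_lines, pkt: Packet) -> str:
    """First matching ACE wins; IOS ends every list with an implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def ipsec_wire_packets(remote_peer, local_peer, nat_t=False):
    """Inbound packets the border ACL sees when REMOTE_PEER talks to LOCAL_PEER."""
    pkts = [Packet("udp", remote_peer, local_peer, 500),   # IKE (ISAKMP)
            Packet("esp", remote_peer, local_peer)]        # encrypted payload
    if nat_t:
        pkts.append(Packet("udp", remote_peer, local_peer, 4500))  # NAT-T
    return pkts

def acl_admits_tunnel(acl_lines, remote_peer, local_peer, nat_t=False) -> bool:
    return all(evaluate(acl_lines, p) == "permit"
               for p in ipsec_wire_packets(remote_peer, local_peer, nat_t))

# The asker's first attempt on router 1: filters on the inner hosts.
HOST_ACL = ["permit udp host 172.16.3.170 host 10.10.1.2 eq isakmp",
            "permit esp host 172.16.3.170 host 10.10.1.2"]
# The correction: filter on the tunnel endpoints (the Serial0 addresses).
PEER_ACL = ["permit udp host 192.168.1.1 host 192.168.3.1 eq isakmp",
            "permit esp host 192.168.1.1 host 192.168.3.1"]
# The looser variant suggested later, with the NAT-T line added.
LOOSE_ACL = ["permit udp host 192.168.1.1 host 192.168.3.1 eq isakmp",
             "permit udp host 192.168.1.1 host 192.168.3.1 eq non500-isakmp",
             "permit esp any any"]

if __name__ == "__main__":
    for name, acl in (("host-based", HOST_ACL), ("peer-based", PEER_ACL), ("loose", LOOSE_ACL)):
        ok = acl_admits_tunnel(acl, "192.168.1.1", "192.168.3.1", nat_t=(acl is LOOSE_ACL))
        print(f"{name}: tunnel {'admitted' if ok else 'blocked'}")
```

Running it prints that the host-based list blocks the tunnel and both endpoint-based lists admit it. The model also shows why the ping question is moot: an ICMP packet between 10.10.1.2 and 172.16.3.170 matches nothing in `PEER_ACL`, but that packet only exists inside ESP, so the border ACL never evaluates it.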
 
dissolvedAuthor Commented:
I tried it, still nothing.

For what it's worth: I have the word "log" after both ACL lines. For:
permit udp host <host>  host <host> eq 500

it shows 42 matches

for permit esp any any
it shows no matches
0
 
JFrederick29Commented:
Can you post the configurations from the two routers?
0
 
dissolvedAuthor Commented:
I'll post it first thing Monday morning. Thanks
0
 
dissolvedAuthor Commented:
SANFRAN#sh run
Building configuration...

Current configuration : 1372 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SANFRAN
!
logging rate-limit console 10 except errors
enable secret 5 $1$ZCxe$.srPzqtUyWJUB41Trf7R71
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
crypto isakmp key vpntime address 192.168.3.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map TOP_NY 120 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 172.16.1.1 255.255.0.0
!
interface Serial0
 description external
 ip address 192.168.1.1 255.255.255.0
 ip access-group borderportect in
 encapsulation ppp
 no fair-queue
 clockrate 2000000
 crypto map TOP_NY
!
interface Serial1
 no ip address
 shutdown
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
ip http server
!
!
ip access-list extended borderprotect
 permit udp host 192.168.3.1 host 192.168.1.1 eq isakmp log
 permit esp any any log
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxx
 login
!
end

SANFRAN#
0
 
dissolvedAuthor Commented:
TOP_NY#sh run
Building configuration...

Current configuration : 1229 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname TOP_NY
!
logging rate-limit console 10 except errors
enable secret 5 $1$hNPI$KWIVIBC/ku9dnMDH0IvYW0
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 100
 authentication pre-share
 group 2
crypto isakmp key vpntime address 192.168.1.1
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 20 esp-des esp-sha-hmac
!
crypto map SANFRAN 120 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set 20
 set pfs group2
 match address 105
!
!
!
!
interface Ethernet0
 description internal
 ip address 10.10.1.1 255.255.0.0
!
interface Serial0
 description external
 ip address 192.168.3.1 255.255.255.0
 ip access-group borderprotect in
 encapsulation ppp
 no fair-queue
 crypto map SANFRAN
!
interface Serial1
 no ip address
 shutdown
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
ip access-list extended borderprotect
 permit udp host 192.168.1.1 host 192.168.3.1 eq isakmp log
 permit esp any any log
access-list 105 permit ip 10.10.0.0 0.0.255.255 172.16.0.0 0.0.255.255
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxx
 login
!
end

TOP_NY#
0
 
JFrederick29Commented:
I know it works without the ACL but I would make this change anyway...

The two ends of the Serial interface are not on the same subnet.  Change one end to an address in the same subnet as the other and make the related changes to the other parts of the configuration.
0
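Two things in the posted configurations can be caught mechanically: the subnet mismatch JFrederick29 points out (192.168.1.1/24 on one Serial0, 192.168.3.1/24 on the other), and a spelling mismatch visible on SANFRAN, where Serial0 applies `ip access-group borderportect in` while the list is defined as `borderprotect`. IOS accepts an access-group that names a list with no entries and such a list filters nothing, so a mismatch like that silently leaves the interface unfiltered. The Python below is an added example, not code from the thread or from Cisco: it reads trimmed copies of the two configs (constructed excerpts of what was posted), checks each router on its own (applied ACLs exist, the crypto map's peer has an ISAKMP key, the crypto ACL exists) and then checks the pair against each other (crypto interfaces share a subnet, each `set peer` is the other side's address). `parse_config`, `lint_router`, `crypto_interface` and `lint_pair` are my names.

```python
import difflib
import ipaddress

# Trimmed copies of the two configs posted in the thread (constructed
# excerpts; only the stanzas the checks below look at are kept).
SANFRAN_CFG = """\
hostname SANFRAN
crypto isakmp key vpntime address 192.168.3.1
crypto map TOP_NY 120 ipsec-isakmp
 set peer 192.168.3.1
 match address 105
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 ip access-group borderportect in
 crypto map TOP_NY
ip access-list extended borderprotect
 permit udp host 192.168.3.1 host 192.168.1.1 eq isakmp log
 permit esp any any log
access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.0.0 0.0.255.255
"""
TOP_NY_CFG = """\
hostname TOP_NY
crypto isakmp key vpntime address 192.168.1.1
crypto map SANFRAN 120 ipsec-isakmp
 set peer 192.168.1.1
 match address 105
interface Serial0
 ip address 192.168.3.1 255.255.255.0
 ip access-group borderprotect in
 crypto map SANFRAN
ip access-list extended borderprotect
 permit udp host 192.168.1.1 host 192.168.3.1 eq isakmp log
 permit esp any any log
access-list 105 permit ip 10.10.0.0 0.0.255.255 172.16.0.0 0.0.255.255
"""

def parse_config(text):
    """Minimal 'show run' reader for the handful of stanzas we check."""
    cfg = {"hostname": "?", "interfaces": {}, "acls": set(),
           "crypto_maps": {}, "isakmp_peers": set()}
    block = None                                  # dict for the open stanza
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or raw.startswith("!"):
            continue
        if not raw.startswith(" "):               # top-level command
            block = None
            if tok[0] == "hostname":
                cfg["hostname"] = tok[1]
            elif tok[0] == "interface":
                block = cfg["interfaces"].setdefault(tok[1], {})
            elif tok[:2] == ["crypto", "map"]:
                block = cfg["crypto_maps"].setdefault(tok[2], {})
            elif tok[:3] == ["ip", "access-list", "extended"]:
                cfg["acls"].add(tok[3])
            elif tok[0] == "access-list":
                cfg["acls"].add(tok[1])
            elif tok[:3] == ["crypto", "isakmp", "key"]:
                cfg["isakmp_peers"].add(tok[-1])  # "... address <peer>"
            continue
        if block is None:                         # e.g. ACE lines; not needed
            continue
        if tok[:2] == ["ip", "address"]:
            block["addr"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[:2] == ["ip", "access-group"]:
            block.setdefault("acl_refs", []).append(tok[2])
        elif tok[:2] == ["crypto", "map"]:
            block["crypto_map"] = tok[2]
        elif tok[:2] == ["set", "peer"]:
            block["peer"] = tok[2]
        elif tok[:2] == ["match", "address"]:
            block["match"] = tok[2]
    return cfg

def lint_router(cfg):
    """Single-router consistency checks; returns a list of findings."""
    host, out = cfg["hostname"], []
    for name, iface in cfg["interfaces"].items():
        for acl in iface.get("acl_refs", []):
            if acl not in cfg["acls"]:
                hint = difflib.get_close_matches(acl, cfg["acls"], n=1)
                out.append(f"{host}: {name} applies undefined ACL '{acl}'"
                           + (f" (did you mean '{hint[0]}'?)" if hint else ""))
        cm = cfg["crypto_maps"].get(iface.get("crypto_map"), {})
        if cm and cm.get("peer") not in cfg["isakmp_peers"]:
            out.append(f"{host}: no isakmp key for peer {cm.get('peer')}")
        if cm and cm.get("match") not in cfg["acls"]:
            out.append(f"{host}: crypto ACL {cm.get('match')} is not defined")
    return out

def crypto_interface(cfg):
    for name, iface in cfg["interfaces"].items():
        if "crypto_map" in iface:
            return name, iface
    raise ValueError(f"{cfg['hostname']}: no interface carries a crypto map")

def lint_pair(a, b):
    """Cross-router checks between the two tunnel endpoints."""
    out = []
    (na, ia), (nb, ib) = crypto_interface(a), crypto_interface(b)
    if ia["addr"].network != ib["addr"].network:
        out.append(f"{a['hostname']} {na} {ia['addr']} and {b['hostname']} {nb} "
                   f"{ib['addr']} are not on the same subnet")
    for near, far_ip in ((a, ib["addr"].ip), (b, ia["addr"].ip)):
        peer = near["crypto_maps"][crypto_interface(near)[1]["crypto_map"]].get("peer")
        if peer != str(far_ip):
            out.append(f"{near['hostname']}: set peer {peer} but other end is {far_ip}")
    return out

if __name__ == "__main__":
    sf, ny = parse_config(SANFRAN_CFG), parse_config(TOP_NY_CFG)
    for finding in lint_router(sf) + lint_router(ny) + lint_pair(sf, ny):
        print(finding)
```

On these two excerpts it reports the misspelled access-group on SANFRAN (with `borderprotect` as the suggested name) and the subnet mismatch between the two Serial0 addresses; the peer addresses and ISAKMP keys check out. The lint only covers the stanzas shown, so it is a starting point for a pre-deployment check, not a substitute for `show crypto isakmp sa` and `show crypto ipsec sa` on the box.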
 
dissolvedAuthor Commented:
Ok I put both serial interfaces in the same network (192.168.1.1/24  and 192.168.1.2/24).
The IPSEC tunnel works. But when I apply the ACL again, everything stops working. I even tried an ACL as generic as this to no avail:

ip access-list extended borderprotect
 permit udp any any eq isakmp log
 permit esp any any log

The above should work right?
0
 
JFrederick29Commented:
Very strange.  Are you able to upgrade the IOS?

You can add a "deny ip any any log" to the end of the list to see if that catches anything when the list is applied.
0
 
dissolvedAuthor Commented:
Can't upgrade the IOS on these routers. If the ACLs you gave me worked for you, then I trust you :)
I will try this on my 2600s when I can get them setup at home.

Appreciate the help
0
