
Setting up firewall on an interface used for ipSec tunnel between MSR routers

DamirD
Occasional Contributor

Hello,
I set up a ipSec tunnel between a MSR 900 and MSR 30-50 like this:

----
 192.168.0.0/23, 172.16.0.0/12
    |
+---+-----+
| MSR 900 |
+---+-----+
    |
   Eth0/0 (DHCP / NAT) -> (ipSec)
    |
    |
 Internet
    |
    |
   Ge0/0 (Static IP) -> (ipSec)
    |
+---+-------+
| MSR 50-30 |
+-----------+
    |
 192.168.180.0/22
----

I set up an ipSec VPN (tunnel mode / aggressive) between the sites and set the ACL to add a route on both sites.


A problem arose when I set up an ASPF firewall on both sites - here is an example from the MSR 50-30:

----
aspf-policy 1
 detect FTP
 detect TCP
 detect UDP

acl number 3002 name from_internet
 rule 56 remark -- Local private network --
 rule 56 permit ip source 192.168.0.0 0.0.255.255
 rule 1000 deny ip

interface GigabitEthernet0/0
 port link-mode route
 firewall packet-filter 3002 inbound
 firewall aspf 1 outbound
 ...
----

^^^

I had to add the rule 56 in the firewall ACL or the ipSec tunnel doesn't get set up. However, if I got it correctly, this means I permit the private IP addresses from the ISP.
Is there a way to filter only the encrypted traffic? I saw the vpn-instance can be used with MPLS, but I didn't find any info if it is possible to use it with ipSec too.
So, how to set up an ipSec tunnel between two sites when running a firewall for limiting internet traffic on both sites and possibly applying some limits to the VPN traffic as well?
Thanks,

 Damir
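Added example, not from the original post: a narrower form of the inbound ACL on Ge0/0 that permits only what the tunnel itself needs instead of all of 192.168.0.0/16. It assumes the remote LAN is 192.168.0.0/23 as in the diagram, that the MSR 900 peer address is not fixed (DHCP behind NAT, so IKE is matched by port rather than source), and that decrypted inner packets are re-checked by the inbound packet-filter, which is what the need for rule 56 suggests; confirm that last point against the platform documentation before relying on it. The remark lines follow the post's own convention.

```text
acl number 3002 name from_internet
 rule 10 remark -- IKE and NAT-T from the MSR 900 (peer address is dynamic, so source is any) --
 rule 10 permit udp destination-port eq 500
 rule 11 permit udp destination-port eq 4500
 rule 12 remark -- ESP payload of the tunnel (IP protocol 50) --
 rule 12 permit 50
 rule 56 remark -- Decrypted traffic: remote LAN to local LAN only, not the whole 192.168.0.0/16 --
 rule 56 permit ip source 192.168.0.0 0.0.1.255 destination 192.168.180.0 0.0.3.255
 rule 1000 remark -- Everything else, logged so unexpected private-source hits are visible --
 rule 1000 deny ip logging
```

If the tunnel comes up with rules 10 to 12 alone, the packet-filter is not re-evaluating decrypted traffic and rule 56 can be removed entirely; if rule 56 is still required, the narrowed version limits what a private-addressed source on the ISP side could reach to the one LAN pair the VPN is meant to carry.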