topic Re: Is it possible to deny an IPSEC Phase 2? in Firewall and Security Management

Is it possible to deny an IPSEC Phase 2?

RKinsp — Fri, 18 Jun 2021 17:40:14 GMT

Hey guys,

We are having a site-to-site VPN issue. The remote end (Cisco Router) uses the same phase 2 selectors for multiple peers. On our side, the security gateway is accepting all Phase 2 selectors, regardless of what is configured in encryption domain.

Is it possible to have the security gateway reject phase 2 selectors that are not configured?

We are running R81 take 17.

Thanks in advance,

Re: Is it possible to deny an IPSEC Phase 2?

PhoneBoy — Fri, 18 Jun 2021 20:11:06 GMT

What precisely has been configured versus what has been proposed?

Re: Is it possible to deny an IPSEC Phase 2?

RKinsp — Fri, 18 Jun 2021 20:33:53 GMT

Hi PhoneBoy,

The peer is a Cisco router and it is using a single configuration for two of our gateways, and it has two networks configured for their phase two remote (10.164.128.0 and 10.164.0.0). Their local network is 172.16.0.0.

We have two gateways, one is configured for local 10.164.128.0 and the other for 10.164.0.0. We are using separate VPN Communities. The issue is that both our gateways accept both incoming phase 2, although it is not specified in it's security domain.

I am worried this will affect the remote end's routing and wanted to deny the non-specified phase 2.

Re: Is it possible to deny an IPSEC Phase 2?

Vladimir — Sat, 19 Jun 2021 03:44:03 GMT

Maybe I am missing something, but in each community you are configuring member gateways, one of yours and one of theirs (where theirs is the same in both communities).

If you are on R80.40, you should be able to define VPN domain per VPN community on your side (in gateway's networking properties).

You then should be sending only relevant network to the peer for each connection.

Re: Is it possible to deny an IPSEC Phase 2?

RKinsp — Sat, 19 Jun 2021 11:39:53 GMT

Hi Vladimir,

That is correct for outgoing connections. The security gateway only sends the domains we have. The issue is from what I have seem, incoming phase 2 is always accepted regardless of network, although encryption has to match.

This would not be a problem if the other side was using separate definitions on their router.

Re: Is it possible to deny an IPSEC Phase 2?

Vladimir — Sat, 19 Jun 2021 14:10:00 GMT

Have you try defining two Interoperable devices with the same IP for your peer and specifying a single network in the topology of each?

Re: Is it possible to deny an IPSEC Phase 2?

PhoneBoy — Sat, 19 Jun 2021 15:40:11 GMT

I don’t think you can actually do that and have it work.
I think a TAC case may be in order here.

Re: Is it possible to deny an IPSEC Phase 2?

the_rock — Sun, 20 Jun 2021 18:51:58 GMT

Personally, I never heard of any vendor be able to do so.