RKinsp
Contributor

Is it possible to deny an IPSEC Phase 2?

Hey guys,

We are having a site-to-site VPN issue. The remote end (Cisco Router) uses the same phase 2 selectors for multiple peers. On our side, the security gateway is accepting all Phase 2 selectors, regardless of what is configured in encryption domain.

Is it possible to have the security gateway reject phase 2 selectors that are not configured?

We are running R81 take 17.

Thanks in advance,

RK


0 Kudos
7 Replies
PhoneBoy
Admin

What precisely has been configured versus what has been proposed?

0 Kudos
RKinsp
Contributor

Hi PhoneBoy,

The peer is a Cisco router and it is using a single configuration for two of our gateways, and it has two networks configured for their phase two remote (10.164.128.0  and 10.164.0.0). Their local network is 172.16.0.0.

We have two gateways, one is configured for local 10.164.128.0 and the other for 10.164.0.0. We are using separate VPN Communities. The issue is that both our gateways accept both incoming phase 2, although it is not specified in its security domain.

I am worried this will affect the remote end's routing and wanted to deny the non-specified phase 2.

0 Kudos
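The behaviour RK is asking for, a gateway that accepts a Phase 2 (CHILD_SA) proposal only when both traffic selectors lie entirely inside its own encryption domain, can be modelled as a small policy check. The following Python is an added illustration, not Check Point or Cisco code and not a description of how the security gateway actually decides; the /17 and /16 masks are assumptions, since the thread gives only the network addresses. The selectors are taken from the gateway's point of view: `local` is the network behind this gateway, `remote` the network behind the peer.

```python
"""Strict Phase 2 traffic-selector check (added example, not vendor code).

Models a gateway that rejects a proposed selector pair unless each
selector is fully covered by a network in its configured encryption
domain. Masks below are assumed; the thread lists only base addresses.
"""
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Iterable, List, NamedTuple, Sequence, Tuple, Union

IPNetwork = Union[IPv4Network, IPv6Network]


class Decision(NamedTuple):
    local: str      # proposed selector for the network behind this gateway
    remote: str     # proposed selector for the network behind the peer
    accepted: bool
    reason: str


class EncryptionDomain:
    """Configured encryption domain of one gateway for one peer."""

    def __init__(self, local: Iterable[str], remote: Iterable[str]) -> None:
        self.local: List[IPNetwork] = [ip_network(n) for n in local]
        self.remote: List[IPNetwork] = [ip_network(n) for n in remote]

    @staticmethod
    def _covered(selector: IPNetwork, configured: Sequence[IPNetwork]) -> bool:
        """True only if the selector is a subnet of (or equal to) one
        configured network. A selector that is wider than, or merely
        overlaps, the configured network is not covered."""
        for net in configured:
            # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
            if net.version == selector.version and selector.subnet_of(net):
                return True
        return False

    def check_phase2(self, proposed_local: str, proposed_remote: str) -> Decision:
        """Decide whether a single proposed selector pair may be accepted."""
        # strict=False tolerates a selector written with host bits set
        loc = ip_network(proposed_local, strict=False)
        rem = ip_network(proposed_remote, strict=False)
        if not self._covered(loc, self.local):
            return Decision(str(loc), str(rem), False,
                            "local selector not in encryption domain")
        if not self._covered(rem, self.remote):
            return Decision(str(loc), str(rem), False,
                            "remote selector not in encryption domain")
        return Decision(str(loc), str(rem), True,
                        "both selectors within encryption domain")


def evaluate(domain: EncryptionDomain,
             proposals: Iterable[Tuple[str, str]]) -> List[Decision]:
    """Run every proposed selector pair through the strict check."""
    return [domain.check_phase2(loc, rem) for loc, rem in proposals]


if __name__ == "__main__":
    # Gateway for the 10.164.128.0 site; masks are assumptions.
    gateway_a = EncryptionDomain(local=["10.164.128.0/17"], remote=["172.16.0.0/16"])
    # Constructed proposals: the peer offers both of its configured networks
    # to this one gateway, as described in the thread.
    proposals = [
        ("10.164.128.0/17", "172.16.0.0/16"),
        ("10.164.0.0/17", "172.16.0.0/16"),
    ]
    for d in evaluate(gateway_a, proposals):
        verdict = "ACCEPT" if d.accepted else "REJECT"
        print(f"{verdict} local={d.local} remote={d.remote}: {d.reason}")
```

With these assumed masks the first proposal is accepted and the second is rejected, which is the outcome RK wants; the check also rejects a proposal that is wider than the configured network (for example 10.164.0.0/16 against a 10.164.128.0/17 domain), because a supernet is not a subnet.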
Vladimir
Champion

Maybe I am missing something, but in each community you are configuring member gateways, one of yours and one of theirs (where theirs is the same in both communities).

If you are on R80.40, you should be able to define VPN domain per VPN community on your side (in gateway's networking properties).

You then should be sending only relevant network to the peer for each connection.

0 Kudos
RKinsp
Contributor

Hi Vladimir,

That is correct for outgoing connections. The security gateway only sends the domains we have. The issue is, from what I have seen, that incoming phase 2 is always accepted regardless of network, although encryption has to match.

This would not be a problem if the other side was using separate definitions on their router.

0 Kudos
Vladimir
Champion

Have you tried defining two Interoperable devices with the same IP for your peer and specifying a single network in the topology of each?

0 Kudos
PhoneBoy
Admin

I don’t think you can actually do that and have it work.
I think a TAC case may be in order here.

0 Kudos
the_rock
Mentor

Personally, I have never heard of any vendor being able to do so.

0 Kudos