
IPS Blocking VPN*

Hello readers!

We have a Cisco 2821 with the IPS NME module in it which is causing problems for our VPN.

We have two gateways: x.x.6.1 (the router) and x.x.6.21 (software gateway)

When we establish a VPN connection over x.x.6.21 everything goes fine.

But when we establish a VPN connection over x.x.6.1, you guessed it, it goes wrong; a connection isn't made.

After some trying out and being on the phone with Cisco Tech Support, we discovered it was the IPS getting in the .. while the IPS wasn't logging anything about stopping the packets related to the VPN connection and the IPS isn't blocking any of the IP addresses for the VPN connection. I've also monitored it with Wireshark: when on x.x.6.1 you see the packets with the destination address, but nothing else.

I've been looking around but didn't find a way to solve it. I hope you guys can help me out here.

Thanks in advance,

Marco

*Moved this thread to Intrusion Prevention System/IDS because there is where it should be in the first place.

6 Replies

Marco,

All VPN traffic is going through the IPS NME on the 2811?

Can you make changes to the IPS? I mean... can you shut it down for a quick test to see if the VPN traffic continues to be affected?

Federico.

Federico,

Totally forgot to mention that when I posted this. I've turned the IPS off to see if the VPN works and it did. So that also confirms that all the traffic is going through the IPS.

Marco

Update:

I've tried 2 new things:

- Turned on all signatures and tried to establish a VPN connection: no events logged that block the VPN

- Turned off all signatures and tried to establish a VPN connection: didn't work either

So there isn't a signature (I think) blocking the VPN connection.

BUT, when the sensor is turned off completely, creating a VPN connection works.

Hi,

I am not quite familiar with the module on the router. Does it have a GUI? Can you turn on the IPS policies and try to connect again and send us the events related to the IPs of the peers?

The IPS cannot inspect or check VPN packets, as they come encrypted. Only in VPN termination devices, when it is decrypted and then passed on to the inside network. But that would be it.

Please get the events, I will help you out on this one.

Cheers

Mike
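Mike's point above, that an inline sensor sees only encrypted tunnel traffic, can be made concrete. The Python below is an added example, not code from this thread or from any Cisco tool: it builds constructed IKE and ESP packets (addresses, SPIs and exchange types are made-up sample values) and reports what an inline inspector can read from each packet without the session keys (peers, ports, SPIs, the IKE exchange type) and which parts are opaque to it. The protocol numbers and ports are the real IANA assignments (ESP 50, AH 51, IKE UDP 500, NAT-T UDP 4500).

```python
import struct

# Real IANA assignments for IPsec/IKE.
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
IKE_PORT = 500
NAT_T_PORT = 4500  # RFC 3948: UDP-encapsulated ESP, or IKE prefixed with a 4-byte zero "non-ESP marker"


def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left 0) around payload.
    Used only to build constructed sample traffic for this demo."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def udp(sport, dport, payload):
    """UDP header with length set and checksum left 0 (constructed sample data)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ike_header(spi_i, spi_r, exchange_type, msg_id, body=b""):
    """IKEv2 fixed header (RFC 7296 s3.1): SPIi, SPIr, next payload (33 = SA),
    version 2.0, exchange type, flags (initiator), message id, total length."""
    return struct.pack("!QQBBBBII", spi_i, spi_r, 33, 0x20, exchange_type, 0x08,
                       msg_id, 28 + len(body)) + body


def _ike_fields(info, data, kind):
    """Read the cleartext IKE header. In IKEv2 only IKE_SA_INIT (34) carries
    cleartext payloads; IKE_AUTH (35) and later exchanges are encrypted. For
    IKEv1 the answer depends on the phase, so it is left as None."""
    spi_i, spi_r, _np, ver, exch, _flags, msg_id, _length = struct.unpack("!QQBBBBII", data[:28])
    major = ver >> 4
    encrypted = (exch != 34) if major == 2 else None
    info.update(kind=kind, ike_version=major, spi_i=spi_i, spi_r=spi_r,
                exchange_type=exch, message_id=msg_id, payload_encrypted=encrypted)


def classify(pkt):
    """What an inline inspector can learn from one packet without the SA keys."""
    if pkt[0] >> 4 != 4:
        return {"kind": "non-ipv4"}
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20])}
    l4 = pkt[ihl:]
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", l4[:8])  # SPI and sequence number are the only cleartext fields
        info.update(kind="esp", spi=spi, seq=seq, payload_encrypted=True)
    elif proto == IPPROTO_AH:
        info.update(kind="ah", payload_encrypted=False)  # AH authenticates but does not encrypt
    elif proto == IPPROTO_UDP:
        sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:8])
        data = l4[8:ulen]
        info.update(sport=sport, dport=dport)
        if NAT_T_PORT in (sport, dport):
            if data[:4] == b"\x00\x00\x00\x00":
                _ike_fields(info, data[4:], kind="ike-nat-t")
            else:
                spi, seq = struct.unpack("!II", data[:8])
                info.update(kind="esp-udp", spi=spi, seq=seq, payload_encrypted=True)
        elif IKE_PORT in (sport, dport):
            _ike_fields(info, data, kind="ike")
        else:
            info.update(kind="udp", payload_encrypted=False)
    else:
        info.update(kind="other", proto=proto, payload_encrypted=False)
    return info


def sample_flow():
    """Constructed four-packet tunnel setup between two made-up peers (RFC 5737 addresses)."""
    peer, gw = "192.0.2.10", "192.0.2.1"
    packets = [
        ipv4(IPPROTO_UDP, peer, gw, udp(500, 500, ike_header(0x0102030405060708, 0, 34, 0, b"\x00" * 8))),
        ipv4(IPPROTO_ESP, peer, gw, struct.pack("!II", 0xC0FFEE01, 1) + b"\xAA" * 16),
        ipv4(IPPROTO_UDP, peer, gw, udp(4500, 4500, b"\x00" * 4 + ike_header(0x0102030405060708, 0x1111, 35, 1, b"\x00" * 16))),
        ipv4(IPPROTO_UDP, peer, gw, udp(4500, 4500, struct.pack("!II", 0xC0FFEE02, 2) + b"\xBB" * 16)),
    ]
    return [classify(p) for p in packets]


if __name__ == "__main__":
    for r in sample_flow():
        print(f"{r['src']} -> {r['dst']} {r['kind']:10} payload_encrypted={r['payload_encrypted']}")
```

Run stand-alone, the script lists the four constructed packets; only the IKE_SA_INIT exchange has payloads the inspector can read, while the ESP packets expose nothing but peer addresses, SPI and sequence number. That is why a sensor that does block tunnel traffic usually does so on header-level signatures or on a policy, not on content matches, and why the events for the peer IPs are the first thing to collect.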

Mike

Thank you for your reply, Mike.

I didn't give the full name of the module; it's the NME-IPS-K9.

I also did as you asked: turned on all policies and passed through the information I saw. When I turned on all policies and tried to make a VPN connection, the following signatures fired: 1107, 1306/1 and 1306/5. BUT, these are disabled by default. So when using the normal settings, these signatures wouldn't be active.

Oh, and I use the Cisco IPS Manager Express as the GUI.

Thanks,

Marco

Hello Marco,

I'd like to take a deeper look at this via a TAC case. Would you mind opening one and having it sent to the IDS team? Please forward me the SR number when you receive it so that I can pull it up.

Thank you,

Blayne Dreier

blayne@cisco.com

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&tags=tac_ips_media_series
