Restrict Isakmp only one interface (cisco IOS)

Hi.

We have a question about ISAKMP. We have a tunnel configured that works without problems, with this configuration (ISR 2821, IOS 15.1(4)M7):

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 10000
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile isakmp_profile_322
   description "Tunel 322: Peqas"
   keyring kiering_322
   match identity address X.X.X.X 255.255.255.255 INTERNET_TUNELES
   keepalive 10 retry 2
!
!
crypto ipsec transform-set TRANSPORT-AES esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set TRANSPORT-3DES esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set TUNNEL-3DES esp-3des esp-md5-hmac
crypto ipsec transform-set TUNNEL-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANSPORT-3DES-MD5 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile ipsec-profile_322
 set security-association lifetime kilobytes 4294967295
 set security-association replay window-size 512
 set transform-set TRANSPORT-AES
 set isakmp-profile isakmp_profile_322
!
interface Tunnel322
 description " Tunel 322: Peqas"
 ip address 172.16.0.166 255.255.255.252
 ip ospf cost 1200
 ip ospf mtu-ignore
 load-interval 30
 tunnel source Dialer1
 tunnel destination X.X.X.X
 tunnel vrf INTERNET_TUNELES
 tunnel protection ipsec profile ipsec-profile_322
end

Everything works OK, but a security audit indicated that all router interfaces are listening for IKEv1. You can see:

ro.pen.ab#show control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN
 udp                        *:67                         *:0            DHCPD Receive   LISTEN
 udp                     *:56765                         *:0                  IP SNMP   LISTEN
 udp                       *:123                         *:0                      NTP   LISTEN
 udp                      *:4500                         *:0                   ISAKMP   LISTEN
 udp                       *:161                         *:0                  IP SNMP   LISTEN
 udp                       *:162                         *:0                  IP SNMP   LISTEN
 udp                      *:1967                         *:0              RTR control   LISTEN
 udp                       *:500                         *:0                   ISAKMP   LISTEN

Is it possible to restrict ISAKMP to listen on only one interface, without an ACL?

 

Regards
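The fragment below is an added example, not part of the original thread or the poster's configuration. On IOS the IKE process accepts UDP/500 and UDP/4500 on every interface address; `local-address` on an ISAKMP profile (or `crypto map ... local-address`) only limits which local address the router uses for and matches its own SAs on, so the listener still answers a probe that arrives on another interface, which is exactly what the nmap result against 172.17.154.1 shows. The controls IOS actually offers are filters: an interface ACL on each non-tunnel interface, or Control Plane Policing (CoPP), which applies to all traffic punted to the router itself regardless of the arrival interface or VRF. The CoPP example assumes the single tunnel peer X.X.X.X from the thread; the ACL, class-map and policy-map names are made up here.

```cisco
! Added example (not the poster's config). X.X.X.X is the thread's tunnel
! peer; the names COPP-IKE-UNWANTED and COPP are assumed.
!
! In a CoPP ACL, "deny" means "do not classify" (the packet is left alone)
! and "permit" means "classify into the class" (here: drop). Order matters:
! the peer exceptions must come before the catch-all permits.
ip access-list extended COPP-IKE-UNWANTED
 remark IKE/NAT-T from the configured tunnel peer is left alone
 deny   udp host X.X.X.X any eq isakmp
 deny   udp host X.X.X.X any eq non500-isakmp
 remark everything else aimed at the router's IKE ports is classified
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
class-map match-all COPP-IKE-UNWANTED
 match access-group name COPP-IKE-UNWANTED
!
policy-map COPP
 class COPP-IKE-UNWANTED
  drop
!
control-plane
 service-policy input COPP
```

Two things to expect after applying it. `show control-plane host open-ports` will still list `*:500` and `*:4500` for ISAKMP, because the socket is still open; the evidence that the finding is closed is the external probe, so re-run the `nmap -sU -p 500 --script ike-version` check against 172.17.154.1 and it should now report `open|filtered` with no ike-version data, while `show policy-map control-plane` shows the dropped packets counting up in class COPP-IKE-UNWANTED. If the Dialer1 public address is static, the two `deny` lines can be tightened further with `host <Dialer1 address>` as the destination instead of `any`.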

 

6 Replies

Hi @Pablo Andres Zamorano Navarro

 

You can try to specify one interface:

crypto map "name"  local-address "interface"

However, the log:

control LISTEN udp *:500 *:0 

doesn't say it is listening on all ports, does it?

 

-If I helped you somehow, please, rate it as useful.-

 

Thanks for your reply.

 

For example, if I check with nmap and the ike-version script:

[root@apolo ~]# nmap -sU -p 500 --script ike-version /home/UCLM/everis.jparra/ike-version.nse 172.17.154.1

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-03 12:46 CET
Unable to split netmask from target expression: "/home/UCLM/everis.jparra/ike-version.nse"
Nmap scan report for 172.17.154.1
Host is up (0.012s latency).

PORT    STATE SERVICE
500/udp open  isakmp
| ike-version:
|   vendor_id: Cisco
|   attributes:
|     Cisco Unity
|     Dead Peer Detection v1.0
|_    XAUTH
Service Info: OS: IOS 12.3/12.4; CPE: cpe:/o:cisco:ios:12.3-12.4

Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds

The interface is:

interface FastEthernet0/0.500
 description "WIFI-gesycontrol-pen"
 encapsulation dot1Q 500
 ip address 172.17.154.1 255.255.255.240
 ip helper-address 172.20.1.116
 ip helper-address 172.20.32.117
 ip verify unicast source reachable-via rx
 snmp trap ip verify drop-rate

I don't use a crypto map configuration; I use tunnel protection:

interface Tunnel322
 description " Tunel 322: Peqas"
 bandwidth 768
 bandwidth receive 10000
 ip address 172.16.0.166 255.255.255.252
 ip ospf cost 1200
 ip ospf mtu-ignore
 load-interval 30
 tunnel source Dialer1
 tunnel destination 161.67.139.211
 tunnel vrf INTERNET_TUNELES
 tunnel protection ipsec profile ipsec-profile_322
end
crypto ipsec profile ipsec-profile_322
 set security-association lifetime kilobytes 4294967295
 set security-association replay window-size 512
 set transform-set TRANSPORT-AES
 set isakmp-profile isakmp_profile_322
crypto ipsec transform-set TRANSPORT-AES esp-aes 256 esp-sha-hmac
 mode transport
crypto keyring kiering_322 vrf INTERNET_TUNELES
  pre-shared-key address X.X.X.X key PSK
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 10000
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile isakmp_profile_322
   description "Tunel 322: Peqas"
   keyring kiering_322
   match identity address X.X.X.X 255.255.255.255 INTERNET_TUNELES
   keepalive 10 retry 2
   local-address Dialer1

 

 

Hi @Flavio Miranda.

 

Thanks for your reply.

 

For example, if I test any interface with nmap and the ike-version script, port 500 is open:

 

[root@apolo ~]# nmap -sU -p 500 --script ike-version /tmp/ike-version.nse 172.17.154.1

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-03 12:46 CET
Unable to split netmask from target expression: "/tmp/ike-version.nse"
Nmap scan report for 172.17.154.1
Host is up (0.012s latency).

PORT    STATE SERVICE
500/udp open  isakmp
| ike-version:
|   vendor_id: Cisco
|   attributes:
|     Cisco Unity
|     Dead Peer Detection v1.0
|_    XAUTH
Service Info: OS: IOS 12.3/12.4; CPE: cpe:/o:cisco:ios:12.3-12.4

The interface that I'm checking is:

 

interface FastEthernet0/0.500
 description "WIFI-gesycontrol-pen"
 encapsulation dot1Q 500
 ip address 172.17.154.1 255.255.255.240
 ip helper-address 172.20.1.116
 ip helper-address 172.20.32.117
 ip verify unicast source reachable-via rx
 snmp trap ip verify drop-rate

Note that I don't use crypto maps; we use tunnel protection for IPsec, and IKEv1 (phase 1):

interface Dialer1
 mtu 1492
 bandwidth 798
 bandwidth inherit
 bandwidth receive 10000
 ip vrf forwarding INTERNET_TUNELES
 ip address publicIP 255.255.255.0
 ip access-group IKE_SECURITY_IPSEC in
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1

interface Tunnel322
 description " Tunel 322: Peqas"
 bandwidth 768
 bandwidth receive 10000
 ip address 172.16.0.166 255.255.255.252
 ip ospf cost 1200
 ip ospf mtu-ignore
 load-interval 30
 tunnel source Dialer1
 tunnel destination x.X.x.x
 tunnel vrf INTERNET_TUNELES
 tunnel protection ipsec profile ipsec-profile_322


crypto ipsec profile ipsec-profile_322
 set security-association lifetime kilobytes 4294967295
 set security-association replay window-size 512
 set transform-set TRANSPORT-AES
 set isakmp-profile isakmp_profile_322

crypto ipsec transform-set TRANSPORT-AES esp-aes 256 esp-sha-hmac
 mode transport

crypto isakmp profile isakmp_profile_322
   description "Tunel 322: Peqas"
   keyring kiering_322
   match identity address X.X.X.X 255.255.255.255 INTERNET_TUNELES
   keepalive 10 retry 2
   local-address Dialer1
!
crypto keyring kiering_322 vrf INTERNET_TUNELES
  pre-shared-key address x.x.x.x key PSK
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 10000
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2


 

 

I am not sure that it is possible to restrict the router to listen for ISAKMP on only a single interface.

 

HTH

 

Rick


Thanks @Richard Burts. I have not found any way. I will wait to see if someone knows, or whether there is finally no solution.

You are welcome. It will be interesting to see if anyone else can respond with a way to accomplish this.

 

HTH

 

Rick
