11-03-2017 01:44 AM - edited 03-12-2019 04:41 AM
Hi.
We have a doubt with ISAKMP. We have a tunnel configured without problems with this configuration (ISR 2821 15.1(4)M7):
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 10000
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile isakmp_profile_322
description "Tunel 322: Peqas"
keyring kiering_322
match identity address X.X.X.X 255.255.255.255 INTERNET_TUNELES
keepalive 10 retry 2
!
!
crypto ipsec transform-set TRANSPORT-AES esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set TRANSPORT-3DES esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set TUNNEL-3DES esp-3des esp-md5-hmac
crypto ipsec transform-set TUNNEL-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANSPORT-3DES-MD5 esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile ipsec-profile_322
set security-association lifetime kilobytes 4294967295
set security-association replay window-size 512
set transform-set TRANSPORT-AES
set isakmp-profile isakmp_profile_322
!
interface Tunnel322
description " Tunel 322: Peqas"
ip address 172.16.0.166 255.255.255.252
ip ospf cost 1200
ip ospf mtu-ignore
load-interval 30
tunnel source Dialer1
tunnel destination X.X.X.X
tunnel vrf INTERNET_TUNELES
tunnel protection ipsec profile ipsec-profile_322
end
All works OK, but a security audit indicates that all router interfaces are listening for IKEv1. You can see:
ro.pen.ab#show control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address  Foreign Address  Service        State
tcp   *:22           *:0              SSH-Server     LISTEN
tcp   *:23           *:0              Telnet         LISTEN
udp   *:67           *:0              DHCPD Receive  LISTEN
udp   *:56765        *:0              IP SNMP        LISTEN
udp   *:123          *:0              NTP            LISTEN
udp   *:4500         *:0              ISAKMP         LISTEN
udp   *:161          *:0              IP SNMP        LISTEN
udp   *:162          *:0              IP SNMP        LISTEN
udp   *:1967         *:0              RTR control    LISTEN
udp   *:500          *:0              ISAKMP         LISTEN
Is it possible to restrict ISAKMP listening to one interface without an ACL?
Regards
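An added audit helper, not from this thread or from Cisco, that parses the "show control-plane host open-ports" listing above and reports which interfaces expose the wildcard ISAKMP listener other than the intended tunnel source. The sample listing, the interface table and the address 198.51.100.10 are constructed for the example.

```python
import re

# Constructed sample modelled on the "show control-plane host open-ports"
# listing in the question; not a capture from the poster's router.
SAMPLE_OPEN_PORTS = """\
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp  *:22    *:0  SSH-Server     LISTEN
tcp  *:23    *:0  Telnet         LISTEN
udp  *:67    *:0  DHCPD Receive  LISTEN
udp  *:123   *:0  NTP            LISTEN
udp  *:4500  *:0  ISAKMP         LISTEN
udp  *:161   *:0  IP SNMP        LISTEN
udp  *:500   *:0  ISAKMP         LISTEN
"""

# One table row: proto, local addr:port, foreign addr:port, service name
# (may contain spaces), state.
ROW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+\S+:\d+\s+(.+?)\s+(LISTEN|ESTABLISHED)$")

def parse_open_ports(text):
    """Return (proto, local_addr, port, service, state) for each socket row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            proto, addr, port, service, state = m.groups()
            rows.append((proto, addr, int(port), service, state))
    return rows

def wildcard_listeners(rows, services=("ISAKMP",)):
    """Sockets bound to '*', i.e. reachable via every interface address."""
    return [(proto, port, svc) for proto, addr, port, svc, state in rows
            if addr == "*" and state == "LISTEN" and svc in services]

def audit_ike_exposure(open_ports_text, interfaces, ike_sources):
    """interfaces: {name: ip}; ike_sources: interfaces meant to terminate IKE
    (the tunnel source). Returns (interface, ip, proto, port) for every other
    interface that still exposes a wildcard IKE listener."""
    listeners = wildcard_listeners(parse_open_ports(open_ports_text))
    findings = []
    for name, ip in sorted(interfaces.items()):
        if name in ike_sources:
            continue
        for proto, port, _svc in listeners:
            findings.append((name, ip, proto, port))
    return findings

if __name__ == "__main__":
    # 198.51.100.10 is a placeholder for the poster's unpublished Dialer1 address.
    ifaces = {"Dialer1": "198.51.100.10", "FastEthernet0/0.500": "172.17.154.1"}
    for f in audit_ike_exposure(SAMPLE_OPEN_PORTS, ifaces, {"Dialer1"}):
        print("exposed: %s (%s) %s/%d" % f)
```

The findings list is the set of interfaces where an interface ACL or control-plane policy would be needed to stop IKE being answered.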
11-03-2017 04:14 AM
Hi @Pablo Andres Zamorano Navarro
You can try to specify one interface:
crypto map "name" local-address "interface"
However, the log line:
udp *:500 *:0 ISAKMP LISTEN
Does not say it is listening on all ports, does it?
-If I helped you somehow, please, rate it as useful.-
11-03-2017 04:50 AM - edited 11-03-2017 04:53 AM
Thanks for your reply.
For example, if I check with nmap and the ike-version script:
[root@apolo ~]# nmap -sU -p 500 --script ike-version /home/UCLM/everis.jparra/ike-version.nse 172.17.154.1

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-03 12:46 CET
Unable to split netmask from target expression: "/home/UCLM/everis.jparra/ike-version.nse"
Nmap scan report for 172.17.154.1
Host is up (0.012s latency).

PORT    STATE SERVICE
500/udp open  isakmp
| ike-version:
|   vendor_id: Cisco
|   attributes:
|     Cisco Unity
|     Dead Peer Detection v1.0
|_    XAUTH
Service Info: OS: IOS 12.3/12.4; CPE: cpe:/o:cisco:ios:12.3-12.4

Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds
The interface is:
interface FastEthernet0/0.500
description "WIFI-gesycontrol-pen"
encapsulation dot1Q 500
ip address 172.17.154.1 255.255.255.240
ip helper-address 172.20.1.116
ip helper-address 172.20.32.117
ip verify unicast source reachable-via rx
snmp trap ip verify drop-rate
I don't use a crypto map configuration; I use tunnel protection:
interface Tunnel322
description " Tunel 322: Peqas"
bandwidth 768
bandwidth receive 10000
ip address 172.16.0.166 255.255.255.252
ip ospf cost 1200
ip ospf mtu-ignore
load-interval 30
tunnel source Dialer1
tunnel destination 161.67.139.211
tunnel vrf INTERNET_TUNELES
tunnel protection ipsec profile ipsec-profile_322
end
crypto ipsec profile ipsec-profile_322
set security-association lifetime kilobytes 4294967295
set security-association replay window-size 512
set transform-set TRANSPORT-AES
set isakmp-profile isakmp_profile_322
crypto ipsec transform-set TRANSPORT-AES esp-aes 256 esp-sha-hmac
mode transport
crypto keyring kiering_322 vrf INTERNET_TUNELES
pre-shared-key address X.X.X.X key PSK
!
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 10000
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile isakmp_profile_322
description "Tunel 322: Peqas"
keyring kiering_322
match identity address X.X.X.X 255.255.255.255 INTERNET_TUNELES
keepalive 10 retry 2
local-address Dialer1
11-03-2017 05:00 AM
Hi @Flavio Miranda.
Thanks for your reply.
For example, if I test any interface with nmap and the ike-version script, we have port 500 open:
[root@apolo ~]# nmap -sU -p 500 --script ike-version /tmp/ike-version.nse 172.17.154.1

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-03 12:46 CET
Unable to split netmask from target expression: "/tmp/ike-version.nse"
Nmap scan report for 172.17.154.1
Host is up (0.012s latency).

PORT    STATE SERVICE
500/udp open  isakmp
| ike-version:
|   vendor_id: Cisco
|   attributes:
|     Cisco Unity
|     Dead Peer Detection v1.0
|_    XAUTH
Service Info: OS: IOS 12.3/12.4; CPE: cpe:/o:cisco:ios:12.3-12.4
The interface that I'm checking is:
interface FastEthernet0/0.500
description "WIFI-gesycontrol-pen"
encapsulation dot1Q 500
ip address 172.17.154.1 255.255.255.240
ip helper-address 172.20.1.116
ip helper-address 172.20.32.117
ip verify unicast source reachable-via rx
snmp trap ip verify drop-rate
Note that I don't use crypto maps. We use tunnel protection for IPsec, and IKEv1 (phase 1):
interface Dialer1
mtu 1492
bandwidth 798
bandwidth inherit
bandwidth receive 10000
ip vrf forwarding INTERNET_TUNELES
ip address publicIP 255.255.255.0
ip access-group IKE_SECURITY_IPSEC in
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
!
interface Tunnel322
description " Tunel 322: Peqas"
bandwidth 768
bandwidth receive 10000
ip address 172.16.0.166 255.255.255.252
ip ospf cost 1200
ip ospf mtu-ignore
load-interval 30
tunnel source Dialer1
tunnel destination x.X.x.x
tunnel vrf INTERNET_TUNELES
tunnel protection ipsec profile ipsec-profile_322
!
crypto ipsec profile ipsec-profile_322
set security-association lifetime kilobytes 4294967295
set security-association replay window-size 512
set transform-set TRANSPORT-AES
set isakmp-profile isakmp_profile_322
!
crypto ipsec transform-set TRANSPORT-AES esp-aes 256 esp-sha-hmac
mode transport
!
crypto isakmp profile isakmp_profile_322
description "Tunel 322: Peqas"
keyring kiering_322
match identity address X.X.X.X 255.255.255.255 INTERNET_TUNELES
keepalive 10 retry 2
local-address Dialer1
!
crypto keyring kiering_322 vrf INTERNET_TUNELES
pre-shared-key address x.x.x.x key PSK
!
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 10000
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
11-08-2017 11:21 AM
I am not sure that it is possible to restrict the router to listen for ISAKMP on only a single interface.
HTH
Rick
11-09-2017 08:12 AM
Thanks @Richard Burts. I have not found any way. I will wait to see whether someone knows one or there is finally no solution.
11-09-2017 09:08 AM
You are welcome. It will be interesting to see if anyone else can respond with a way to accomplish this.
HTH
Rick