IKEv2 Remote Access VPN: How to narrow default local traffic selector 0.0.0.0/0?

yuri.volkov

There is a Cisco ASR1001 router with FlexVPN IKEv2 remote access server configured:

aaa authentication login VPN-IKEv2 group FreeRADIUS
!
crypto ikev2 profile VPN-IKEv2
 match identity remote address 0.0.0.0
 identity local fqdn vpn.domain.local
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint VPN-CA
 aaa authentication eap VPN-IKEv2
 aaa authorization user eap cached
 aaa accounting eap VPN-IKEv2
 virtual-template 1
!
crypto ipsec transform-set VPN-IKEv2 esp-aes 256 esp-sha-hmac 
 mode tunnel
!    
crypto ipsec profile VPN-IKEv2
 set transform-set VPN-IKEv2 
 set ikev2-profile VPN-IKEv2
!
interface Virtual-Template1 type tunnel
 vrf forwarding WAN
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IKEv2
!

FreeRADIUS configuration:

vpn_user  Cleartext-Password := "vpn_password"
                Cisco-AVPair = "ipsec:dns-servers=x.x.x.x y.y.y.y",
                Framed-IP-Address = "10.10.0.10"

When a user connects, all of their traffic gets encrypted and sent over the IPsec tunnel because of the local traffic selector 0.0.0.0/0:

asr1001#show crypto ikev2 session 
 IPv4 Crypto IKEv2 Session 

Session-id:58, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         x.x.x.x/4500   y.y.y.y/44910   none/WAN             READY  
      Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: EAP
      Life/Active Time: 86400/7 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.10.0.10/0 - 10.10.0.10/65535
          ESP spi in/out: 0xF48211CB/0xDA881E9B  

Session-id:43, Status:UP-ACTIVE, IKE count:1, CHILD count:1

On Windows it can be fixed by clearing the check-box "Use default gateway on remote network". But there is no such check-box on GNOME/Linux and Android. And Apple devices could not connect at all.

Is it possible to configure the traffic selector 10.0.0.0/8 instead of 0.0.0.0/0?
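As an added example (not part of the original post or of Cisco's tooling), a small Python audit that parses `show crypto ikev2 session` output like the one above and flags child SAs whose local selector is the full-tunnel range 0.0.0.0 - 255.255.255.255, as opposed to selectors narrowed to the intended 10.0.0.0/8. The sample output and its addresses are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the post's 'show crypto ikev2 session' output.
SAMPLE_OUTPUT = """\
Session-id:58, Status:UP-ACTIVE, IKE count:1, CHILD count:1
1         192.0.2.1/4500   198.51.100.7/44910   none/WAN             READY
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.10.0.10/0 - 10.10.0.10/65535
Session-id:43, Status:UP-ACTIVE, IKE count:1, CHILD count:1
2         192.0.2.1/4500   198.51.100.9/1024   none/WAN             READY
Child sa: local selector  10.0.0.0/0 - 10.255.255.255/65535
          remote selector 10.10.0.11/0 - 10.10.0.11/65535
"""

def parse_local_selectors(show_output):
    """Map each Session-id to the (first, last) address of its child SA local selector."""
    selectors, current = {}, None
    for line in show_output.splitlines():
        m = re.match(r"Session-id:(\d+)", line.strip())
        if m:
            current = int(m.group(1))
            continue
        m = re.search(r"local selector\s+(\S+)/\d+\s*-\s*(\S+)/\d+", line)
        if m and current is not None:
            selectors[current] = (ip_address(m.group(1)), ip_address(m.group(2)))
    return selectors

def is_full_tunnel(selector):
    """0.0.0.0 - 255.255.255.255 means every client packet is pulled into the tunnel."""
    first, last = selector
    return first == ip_address("0.0.0.0") and last == ip_address("255.255.255.255")

def selector_within(selector, network):
    """True when the selector range lies inside the intended protected network."""
    first, last = selector
    net = ip_network(network)
    return first >= net[0] and last <= net[-1]

def audit(show_output, expected_network="10.0.0.0/8"):
    """Return {session_id: 'full-tunnel' | 'ok' | 'unexpected'} for each child SA."""
    verdicts = {}
    for sid, sel in parse_local_selectors(show_output).items():
        if is_full_tunnel(sel):
            verdicts[sid] = "full-tunnel"
        elif selector_within(sel, expected_network):
            verdicts[sid] = "ok"
        else:
            verdicts[sid] = "unexpected"
    return verdicts
```

Running `audit(SAMPLE_OUTPUT)` returns `{58: 'full-tunnel', 43: 'ok'}`, which is the check to run after changing the authorization policy to confirm the selector is actually narrowed.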

7 Replies

How about configuring a local authorisation policy to push down the routes to the client?

Do you mean route-set <standard-access-list>?

Yes, you can use that command. I use the commands below successfully on my router (although it is not exactly the same configuration as yours, I see no reason why it would not work with some tweaks).

crypto ikev2 profile IKEV2_PROFILE
 aaa authorization group cert list default IKEV2_AUTHZ

crypto ikev2 authorization policy IKEV2_AUTHZ
 route set remote ipv4 192.168.10.0 255.255.255.0
 route set remote ipv4 192.168.11.0 255.255.255.0

Curiously, I have the option local instead of remote:

asr1001(config)#crypto ikev2 authorization policy VPN-IKEv2
asr1001(config-ikev2-author-policy)#route set ?
  access-list  Specify the route access-list
  interface    Specify the route interface
  local        Specify route set local parameters

asr1001(config-ikev2-author-policy)#

And with the following configuration I could not connect at all:

crypto ikev2 authorization policy VPN-IKEv2
 route set local ipv4 10.0.0.0 255.0.0.0

crypto ikev2 profile VPN-IKEv2
 ...
 aaa authentication eap VPN-IKEv2
 aaa authorization user eap cached
 aaa authorization user eap list VPN-IKEv2
 ...

You should be able to use either "route set access-list" or "route set remote" commands to push down routes to a client. What version of firmware does your ASR1K currently use? I've checked my ISR1921 and CSR1000v and the "route set remote" command is available on both.

IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(2)S1, RELEASE SOFTWARE (fc1)

Cisco ASR1001, License Level: adventerprise

As you have the option to use an access-list, have you tried that?

I notice you aren't running the latest firmware version. Can you upgrade and see if the option for remote is now available? These commands are working on the images I use, but I am running the latest firmware version there.
