06-26-2008 01:56 PM
I have an ISG2000 NSRP VSD-less cluster, active/active (for supporting OSPF), release 6.0r4.
Only one ISG2000 has traffic passing through it because of the OSPF cost difference on the 2 boxes.
2 appliances are configured with manual IPsec (no IKE), one on each side of the ISG2000,
and on the ISG2000 I have a rule permitting ESP traffic and other traffic between these 2 manual IPsec appliances.
On the ISG2000, I also configured a global policy denying traffic and logging.
When I inspect the log, I see that ESP traffic is dropped by the global policy.
After that, I initiated a debug session and I also see packets not matching the policy permitting ESP, and so the global policy dropped the traffic.
It seems that ESP packets arriving at the ISG2000 are not recognized as ESP.
Moreover, I have many other dynamic (IKE) tunnels traversing the ISG2000 without problem.
Only manual IPsec tunnels are dropped...
To resolve the issue, I decided to authorize all traffic (ANY service) between the 2 VPN appliances and now traffic is passing.
But this rule is only temporary, as we have to filter traffic according to the security policy.
I checked the VPN troubleshooting guide and VPN pass-through is mentioned, but it does not help.
I need help please.
06-30-2008 03:48 AM
07-02-2008 11:25 AM
Our firewalls do not come with a predefined ESP service object.
In any case, I tried it out with the following service and rules; the ISG correctly passes ESP traffic:
set service "ESP" protocol 50 src-port 0-65535 dst-port 0-65535
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ESP" permit
set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ESP" permit
Could you check your ESP service object and see if you've opened up all the src and dst ports?
Also, is the firewall doing any NAT? I don't think our firewalls do any NAT-Traversal for manual IPsec.
07-02-2008 04:36 PM
Sorry, I was mistaken; of course, we configured a custom service "ESP" the way you mentioned it before.
It seems your last remark is the answer: on my original rule to let ESP (and other traffic) pass the firewall we also have NAT src, and on the symmetric rule we have NAT dst configured:
Original rule (disabled):
set policy id 294 from "access-ggsn" to "access-bbms" "AGWQTA1" "GROUP_PICO_BTS" "ESP" nat src dip-id 4 permit log
set policy id 294 disable
set policy id 294
set service "FTP"
set service "IKE"
set service "PING"
set service "SCTP"
set service "SRTP"
Replacement rule (to make things work):
set policy id 279 from "access-ggsn" to "access-bbms" "AGWQTA1" "GROUP_PICO_BTS" "ANY" nat src dip-id 4 permit log
I can't imagine why, by letting all traffic pass through this rule, ESP traffic (with NAT also configured) is also passing ???
Thank you for helping.
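As an added example (not from the thread and not Juniper's own tooling), a small Python check that reads ScreenOS `set service` / `set policy` lines like the ones posted above and flags the two points raised in the replies: an ESP service object (protocol 50) that does not open src and dst ports 0-65535, and a policy that applies `nat src`/`nat dst` to an ESP service. The config lines are constructed from the thread; only single-service policy lines are parsed, not the multi-line `set policy id N` / `set service ...` group form.

```python
import re

# Constructed ScreenOS CLI lines modelled on the thread (not a live config).
CONFIG = """
set service "ESP" protocol 50 src-port 0-65535 dst-port 0-65535
set service "ESP-narrow" protocol 50 src-port 0-65535 dst-port 500-500
set policy id 294 from "access-ggsn" to "access-bbms" "AGWQTA1" "GROUP_PICO_BTS" "ESP" nat src dip-id 4 permit log
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ESP" permit
set policy id 279 from "access-ggsn" to "access-bbms" "AGWQTA1" "GROUP_PICO_BTS" "ANY" nat src dip-id 4 permit log
"""

SERVICE_RE = re.compile(
    r'^set service "([^"]+)" protocol (\d+) src-port (\d+)-(\d+) dst-port (\d+)-(\d+)$')
# from-zone, to-zone, src-addr, dst-addr, service, then whatever follows (nat, permit, log...)
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "[^"]+" to "[^"]+" "[^"]+" "[^"]+" "([^"]+)"(.*)$')


def parse_services(text):
    """Map service name -> (protocol, (src_lo, src_hi), (dst_lo, dst_hi))."""
    services = {}
    for line in text.strip().splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            name, proto, s1, s2, d1, d2 = m.groups()
            services[name] = (int(proto), (int(s1), int(s2)), (int(d1), int(d2)))
    return services


def check_esp_services(services):
    """Names of protocol-50 services that restrict ports. ESP has no port
    fields, so the object must span 0-65535 on both sides to match anything."""
    full = (0, 65535)
    return [name for name, (proto, src, dst) in services.items()
            if proto == 50 and (src != full or dst != full)]


def check_esp_nat_policies(text, services):
    """Policy ids whose service is an ESP object and which also apply nat src/dst;
    the reply above notes the platform does not NAT-traverse manual IPsec."""
    esp_names = {n for n, (p, _, _) in services.items() if p == 50}
    flagged = []
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        pid, svc, rest = m.groups()
        if svc in esp_names and re.search(r"\bnat (src|dst)\b", rest):
            flagged.append(int(pid))
    return flagged
```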