Controllerless Networks


Access rule to allow application "ipsec" results in almost full access

  • 1.  Access rule to allow application "ipsec" results in almost full access

    Posted May 12, 2017 03:24 AM

    Hi,

    I've an Instant environment (11 APs) with "production" and "guest" SSIDs.

    "production" is 802.1x with an external RADIUS server and is not limited at the Instant level but further on the firewall.

    Guest has some access rules defined in the SSID configuration ("Access" tab) denying access to all private IP subnets.

    After adding a new rule allowing the ipsec application it turned out that guest users are able to access some private IPs (for example 10.22.0.103 over HTTP). When the ipsec access rule is deleted, again all works as expected - 10.22.0.103 over HTTP times out etc.

    I've noticed that ipsec has no default ports defined - is it possible that because of this it allows all traffic?:

    show dpi app ipsec

    Pre-defined Application
    -----------------------
    Name   App ID  App Category  Default Ports
    ----   ------  ------------  -------------
    ipsec  85      encrypted     

    Please see the access rules (with ipsec included):

    Access Rules
    ------------
    Dest IP     Dest Mask        Dest Match  Protocol (id:sport:eport)  Application  Action  Log  TOS  802.1P  Blacklist  App Throttle (Up:Down)  Mirror  DisScan  ClassifyMedia
    -------     ---------        ----------  -------------------------  -----------  ------  ---  ---  ------  ---------  ----------------------  ------  -------  -------------
    any         any              match                                  app ipsec    permit                                                                        
    172.16.0.0  255.240.0.0      match       any                                     deny    Yes                                                                   
    10.0.0.0    255.0.0.0        match       any                                     deny    Yes                                                                   
    10.22.0.1   255.255.255.255  match       any                                     deny    Yes                                                                   
    any         any              match       any                                     permit

    The InstantOS version is 6.4.2.6-4.1.1.6_50009

    Kind Regards,

    Jakub



  • 2.  RE: Access rule to allow application "ipsec" results in almost full access

    Posted May 12, 2017 04:06 AM

    Hi Jakub,

    Please try collecting the following outputs at the time of the issue:

    show datapath session | include <private IP>

    show datapath session dpi | include <private IP>



  • 3.  RE: Access rule to allow application "ipsec" results in almost full access

    Posted May 12, 2017 04:45 AM

    Hello,

    Both commands did not give any output.

    After repeating them many times I only saw some multicast or broadcast, for example:

    show datapath session dpi | include 172.22.60.10
    172.22.60.10      239.255.255.250 17   63238 1900  App-Not-Class       [0   ] Web-Not-Class       [0  ] 0      0       0     0       FC

    I've managed to block traffic to private IPs by moving the "application" ipsec rule down the list, below all the "deny" rules.

    During the troubleshooting it turned out that the application "dns" was resulting in the same behavior when placed before the deny rules.

    Using Service/Network/dns instead of Service/Application/dns gives the expected results - any DNS traffic is allowed and the deny rules block all other traffic to private IPs.

    When executing "show datapath session dpi" without any filtering I can see that for all entries App and Webcat have the values App-Not-Class and Web-Not-Class respectively. Does it look good to you? I would expect to see categories here at least for known traffic (ssh sessions and others on the list). In the WebGUI, AppRF for the "guest" network shows a few categories, so it looks like application recognition is enabled and works.

    Regards,

    Jakub



  • 4.  RE: Access rule to allow application "ipsec" results in almost full access

    EMPLOYEE
    Posted May 12, 2017 04:42 AM

    Do you have the datapath session table during the time the user is accessing that address?

    As an aside, you need to add 'any any match dhcp permit' at the top of your policy.



  • 5.  RE: Access rule to allow application "ipsec" results in almost full access

    Posted May 12, 2017 05:22 AM

    Hi,

    please see my other answer re the session list.

    Thanks for the DHCP tip - in fact DHCP was working fine in terms of clients acquiring IPs, but indeed some DHCP was blocked - I guess that the initial DHCP communication is unaffected by the deny rules but then packets related to refreshing the IP/extending the lease might be blocked.

    I've added the dhcp allow at the top - thanks

    Regards,

    Jakub



  • 6.  RE: Access rule to allow application "ipsec" results in almost full access

    EMPLOYEE
    Posted May 12, 2017 05:26 AM

    Yes, that's correct, the DHCP renew, which is unicast, would be dropped. This is particularly true of mobile devices that go to sleep. They tend to 'remember' their IP address and renew when they wake up or roam rather than send a discover.
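A policy-order check written for this thread (an added example, not Aruba Instant code and not from any poster): it treats the access list as an ordered, first-match rule list, flags an Application (DPI) permit sitting above the deny rules, which reply 3 found with both ipsec and dns, and flags a missing 'any any match dhcp permit' at the top, which reply 4 asked for. Rule, is_app_permit, lint_policy and reorder_policy are my own names; the first-match assumption is mine, and the sample policy is transcribed from the Access Rules output in the first post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One row of the 'Access Rules' table (my own model, not the Instant data structure)."""
    dest: str    # "any" or IPv4 network address
    mask: str    # "any" or dotted subnet mask
    match: str   # service name ("any", "dhcp", "dns") or "app <name>" for an Application rule
    action: str  # "permit" or "deny"

def is_app_permit(r: Rule) -> bool:
    return r.match.startswith("app ") and r.action == "permit"

def lint_policy(rules: list[Rule]) -> list[str]:
    """Warn about the two orderings the thread found unsafe, assuming top-down first match."""
    warnings = []
    # Reply 4: unicast DHCP renewals need an explicit permit before any deny rule.
    if not (rules and rules[0].match == "dhcp" and rules[0].action == "permit"):
        warnings.append("no 'any any match dhcp permit' at the top: DHCP renewals hit the deny rules")
    # Reply 3: an Application (DPI) permit above the deny rules let traffic to private IPs through.
    first_deny = next((i for i, r in enumerate(rules) if r.action == "deny"), None)
    if first_deny is not None:
        for i, r in enumerate(rules[:first_deny]):
            if is_app_permit(r):
                warnings.append(f"rule {i + 1} ('{r.match}' permit) sits above the deny rules; move it below them")
    return warnings

def reorder_policy(rules: list[Rule]) -> list[Rule]:
    """Rebuild the list in the order the thread converged on: dhcp permit first,
    then the deny rules, then application permits, then the rest (the final permit any)."""
    dhcp = [r for r in rules if r.match == "dhcp" and r.action == "permit"] or [Rule("any", "any", "dhcp", "permit")]
    denies = [r for r in rules if r.action == "deny"]
    app_permits = [r for r in rules if is_app_permit(r)]
    rest = [r for r in rules if r not in dhcp + denies + app_permits]
    return dhcp + denies + app_permits + rest

# Guest SSID policy transcribed from the 'Access Rules' output in the first post.
GUEST_POLICY = [
    Rule("any", "any", "app ipsec", "permit"),
    Rule("172.16.0.0", "255.240.0.0", "any", "deny"),
    Rule("10.0.0.0", "255.0.0.0", "any", "deny"),
    Rule("10.22.0.1", "255.255.255.255", "any", "deny"),
    Rule("any", "any", "any", "permit"),
]

if __name__ == "__main__":
    for w in lint_policy(GUEST_POLICY):
        print("WARN:", w)
    for r in reorder_policy(GUEST_POLICY):
        print(r.dest, r.mask, r.match, r.action)
```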