Hi,
I've an Instant environment (11 APs) with "production" and "guest" SSIDs.
"production" is 802.1X with an external RADIUS server and is not limited on the Instant level but further on the firewall.
Guest has some access rules defined in the SSID configuration ("Access" tab) denying access to all private IP subnets.
After adding a new rule allowing the ipsec application, it turned out that Guest users are able to access some private IPs (for example 10.22.0.103 over HTTP). When the ipsec access rule is deleted, again all works as expected - 10.22.0.103 over HTTP times out etc.
I've noticed that ipsec has no default ports defined - is it possible that because of this it allows all traffic?
show dpi app ipsec
Pre-defined Application
-----------------------
Name App ID App Category Default Ports
---- ------ ------------ -------------
ipsec 85 encrypted
Please see Access rules (with ipsec included):
Access Rules
------------
Dest IP Dest Mask Dest Match Protocol (id:sport:eport) Application Action Log TOS 802.1P Blacklist App Throttle (Up:Down) Mirror DisScan ClassifyMedia
------- --------- ---------- ------------------------- ----------- ------ --- --- ------ --------- ---------------------- ------ ------- -------------
any any match app ipsec permit
172.16.0.0 255.240.0.0 match any deny Yes
10.0.0.0 255.0.0.0 match any deny Yes
10.22.0.1 255.255.255.255 match any deny Yes
any any match any permit
The InstantOS version is 6.4.2.6-4.1.1.6_50009
Kind Regards,
Jakub
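To illustrate why rule order matters in the access list quoted above, here is an added example (not part of the post, and not Aruba's DPI engine): a constructed first-match model of the Guest rule set, a lint that flags permit rules shadowing narrower deny rules below them, and a reordering that puts the explicit denies first. The `app_label` argument stands in for whatever verdict the classifier assigns to a flow; that an application without default ports may receive a broad match is the assumption the post raises, not a confirmed fact.

```python
# Constructed model of a first-match access-rule list like the one in the post.
# It is NOT Aruba's DPI engine; it only shows why rule ORDER matters when an
# application permit sits above the private-subnet deny rules.
import ipaddress

# Rules transcribed from the "Access Rules" output in the post (constructed model).
# Each rule: (destination network, match kind, match value, action)
RULES = [
    ("0.0.0.0/0",     "app", "ipsec", "permit"),
    ("172.16.0.0/12", "any", None,    "deny"),
    ("10.0.0.0/8",    "any", None,    "deny"),
    ("10.22.0.1/32",  "any", None,    "deny"),
    ("0.0.0.0/0",     "any", None,    "permit"),
]

def first_match(rules, dst_ip, app_label):
    """Return (action, rule index) of the first rule matching a flow.
    app_label is the classification verdict assigned to the flow; if a flow
    to a private IP gets labelled "ipsec" (the post's hypothesis), the permit
    at the top fires before any deny rule is consulted."""
    dst = ipaddress.ip_address(dst_ip)
    for idx, (net, kind, value, action) in enumerate(rules):
        if dst not in ipaddress.ip_network(net):
            continue
        if kind == "any" or (kind == "app" and value == app_label):
            return action, idx
    return "deny", None  # implicit deny when nothing matched

def risky_permits(rules):
    """Lint: permit rules ordered ABOVE deny rules whose destination is a
    subnet of the permit's destination (i.e. denies the permit can shadow).
    Returns a list of (permit index, shadowed deny index) pairs."""
    findings = []
    for i, (net_i, _, _, act_i) in enumerate(rules):
        if act_i != "permit":
            continue
        for j in range(i + 1, len(rules)):
            net_j, _, _, act_j = rules[j]
            if act_j == "deny" and ipaddress.ip_network(net_j).subnet_of(
                    ipaddress.ip_network(net_i)):
                findings.append((i, j))
    return findings

def reorder_denies_first(rules):
    """Candidate fix: keep the explicit deny rules ahead of any permit,
    so a broad application permit cannot override them."""
    return [r for r in rules if r[3] == "deny"] + [r for r in rules if r[3] != "deny"]
```

The same HTTP flow to 10.22.0.103 is permitted by rule 0 when it carries the "ipsec" label, but is denied by the 10.0.0.0/8 rule once the denies are moved to the top.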