Hello,
I set up an IPsec tunnel between an MSR 900 and an MSR 30-50 like this:
----
192.168.0.0/23, 172.16.0.0/12
|
+---+-----+
| MSR 900 |
+---+-----+
|
Eth0/0 (DHCP / NAT) -> (ipSec)
|
|
Internet
|
|
Ge0/0 (Static IP) -> (ipSec)
|
+---+-------+
| MSR 50-30 |
+-----------+
|
192.168.180.0/22
----
I set up an IPsec VPN (tunnel mode / aggressive) between the sites and set the ACL to add a route on both sites.
A problem arose when I set up an ASPF firewall on both sites - here is an example from the MSR 50-30:
----
aspf-policy 1
detect FTP
detect TCP
detect UDP
acl number 3002 name from_internet
rule 56 remark -- Local private network --
rule 56 permit ip source 192.168.0.0 0.0.255.255
rule 1000 deny ip
interface GigabitEthernet0/0
port link-mode route
firewall packet-filter 3002 inbound
firewall aspf 1 outbound
...
----
^^^
I had to add rule 56 to the firewall ACL, or the IPsec tunnel doesn't get set up. However, if I got it correctly, this means I permit the private IP addresses from the ISP.
Is there a way to filter only the encrypted traffic? I saw the vpn-instance can be used with MPLS, but I didn't find any info on whether it is possible to use it with IPsec too.
So, how do I set up an IPsec tunnel between two sites when running a firewall for limiting internet traffic on both sites, and possibly apply some limits to the VPN traffic as well?
Thanks,
Damir
#ipsec#firewall#aspf
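An added example, not part of Damir's post or of any H3C/HP documentation, that models the concern raised above: the posted `rule 56 permit ip source 192.168.0.0 0.0.255.255` admits every IP packet from the whole 192.168.0.0/16 range on the Internet-facing interface, not only the tunnel packets. The script is a small first-match ACL evaluator in Python; it compares the posted ACL against a narrowed ACL that only permits the IPsec protocols (ESP, IP protocol 50, and IKE on UDP 500/4500) from the peer's address, and runs constructed packets through both. The peer address 192.168.7.9, the rule numbers 10/20/30 and the sample packets are constructed placeholders, and whether the MSR's inbound packet-filter sees the ESP packets before decryption (which is what this narrowing assumes) is not something the post establishes, so treat the narrowed ACL as an illustration of least privilege, not as a verified Comware configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

ESP = 50                       # IP protocol number of IPsec ESP
PROTO_NUMS = {"tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                          # "permit" or "deny"
    proto: Union[str, int]               # "ip", "tcp", "udp" or an IP protocol number
    source: str                          # CIDR prefix or "any"
    dst_port: Optional[int] = None       # only meaningful for tcp/udp rules


@dataclass(frozen=True)
class Packet:
    src: str                             # source IP as seen on the interface
    proto: int                           # IP protocol number
    dst_port: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """One ACL rule against one packet; mirrors the fields the posted ACL uses."""
    if rule.proto != "ip":
        want = PROTO_NUMS.get(rule.proto, rule.proto)
        if pkt.proto != want:
            return False
    if rule.source != "any" and ip_address(pkt.src) not in ip_network(rule.source):
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match in ascending rule-id order; no match means deny."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_id
    return "deny", None


# The ACL as posted: wildcard 0.0.255.255 on 192.168.0.0 is the /16 prefix.
POSTED_ACL = [
    Rule(56, "permit", "ip", "192.168.0.0/16"),
    Rule(1000, "deny", "ip", "any"),
]

# Constructed alternative: only the tunnel protocols, only from the peer.
# Assumed placeholder peer address; rule numbers are arbitrary.
PEER = "192.168.7.9/32"
NARROW_ACL = [
    Rule(10, "permit", ESP, PEER),               # ESP from the peer
    Rule(20, "permit", "udp", PEER, 500),        # IKE (ISAKMP)
    Rule(30, "permit", "udp", PEER, 4500),       # IKE / ESP over NAT-T
    Rule(1000, "deny", "ip", "any"),
]

# Constructed traffic: two genuine tunnel packets from the peer, then two
# packets from a different private source that rule 56 would also admit.
SAMPLES = [
    ("ESP from peer",            Packet("192.168.7.9", ESP)),
    ("IKE from peer",            Packet("192.168.7.9", 17, 500)),
    ("SMB from other 192.168 host", Packet("192.168.3.4", 6, 445)),
    ("ESP from other 192.168 host", Packet("192.168.3.4", ESP)),
]


def audit() -> List[Tuple[str, str, str]]:
    """Return (label, posted-ACL verdict, narrowed-ACL verdict) for each sample."""
    rows = []
    for label, pkt in SAMPLES:
        posted, _ = evaluate(POSTED_ACL, pkt)
        narrow, _ = evaluate(NARROW_ACL, pkt)
        rows.append((label, posted, narrow))
    return rows


if __name__ == "__main__":
    for label, posted, narrow in audit():
        print(f"{label:30} posted={posted:6} narrowed={narrow}")
```

The two last rows are the point: the posted ACL permits both plaintext SMB and ESP from any 192.168.x.x source, while the narrowed ACL keeps the tunnel up (ESP and IKE from the peer pass) and drops everything else. Whatever the correct Comware placement of the filter turns out to be, an inbound rule that names the protocol and the peer is the smallest hole that still lets the SA negotiate.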