IPSec VPN / Gateway ACL Broken

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-03-27 07:08:41
Model: ER7212PC  
Hardware Version: V1
Firmware Version: 1.02

IPSec Site To Site tunnel working with Gateway ACLs on!

 

Configured two 7212s (Office1 / Office2); IPSec VPN working, with firewall wide open.

Also configured an OpenVPN server for 1 client to connect on both sides.

 

Configured Gateway ACLs

 

1 - Allow OpenVPN (PortGroup > LAN)

2 - Allow IPSec (UDP 50,51,500,4500) > LAN

3 - Deny All from WAN to LAN

 

When using the OpenVPN client (from remote) and I turn off the OpenVPN Allow rule, I cannot connect. If I turn on the OpenVPN Allow rule, I can connect. So the gateway ACL for OpenVPN seems to work.

 

IPSec Site to Site VPN does not work with the Deny ALL rule enabled, no matter how I configure the IPSec Allow Rule (Ports, IP Ranges etc...)

 

So the only way I can have my Site to Site VPN up is if the Gateway is left wide OPEN!

For now I have NO Site to Site VPN. Because of this I would like to get a solution to this problem in the next 15 days so I can return both of these units if this cannot be done.

 

I found many articles and videos about how to set up the IPSec tunnel on Omada, but none of them talk about ACLs, as in a secured network with IPSec. :(

 

 

#1
Re:IPSec VPN / Gateway ACL Broken
2023-03-28 05:37:17

@Ortofan Sorry, this should have read NOT WORKING!!!

 

IPSec Site To Site tunnel NOT working with Gateway ACLs on!

#2
Re:IPSec VPN / Gateway ACL Broken
2023-03-28 07:13:38

Hello @Ortofan

 

The ER7212PC is a NAT device; by default the LAN cannot be actively accessed from the WAN side as long as you have not set advanced settings such as port forwarding or remote management.

 

For example, if a device behind the ER7212PC goes out and accesses an external server, then that data will necessarily be passed back to the internal device; but if the external server, which has previously communicated with the internal device, wants to send data to the internal device on its own, it will be blocked by NAT unless port forwarding is set, etc.

 

So you don't need to set a Deny ALL ACL, as the NAT feature is functioning.

Best Regards!
#3
Re:IPSec VPN / Gateway ACL Broken
2023-03-28 12:05:00

  @Hank21 

 

Thanks Hank.

 

I totally understand the notion of NAT, but virtually every single firewall I dealt with in the past 30 years would have a WAN ACL.

I mean what is the purpose of the "Gateway" ACL list anyway then?

 

Furthermore, as I stated, the Gateway ACL works as expected when I

 

Scenario 1

Rule 1 Block everything from WAN in

-No OpenVPN or IPSec working

 

Scenario 2

Rule 1 Allow OpenVPN (ports and IP range)

Rule 2 Block everything

-OpenVPN works

 

So indeed it functions as it is supposed to, but:

 

Scenario 3

Rule 1 Allow IPSec (Ports and IP range)

Rule 2 Allow OpenVPN (ports and IP range)

Rule 3 Block everything

-OpenVPN works, IPSec does not.

 

IPSec tunnels do not work, but OpenVPN does.

 

So there is something amiss for sure. Again, the ports I open for IPSec are 50, 51, 500, 4500.

 

 

A.

 

#4
Re:IPSec VPN / Gateway ACL Broken
2023-03-31 12:35:18
Any news on this???
#5
Re:IPSec VPN / Gateway ACL Broken
2023-04-03 09:18:14

Hi @Ortofan

 

Thanks for this detailed information.

 

Please make sure you choose "All" in the Protocols entry.

And we suggest not restricting the ports when you set the ACL; you may choose IP Groups rather than IP-Port Groups.

Best Regards!
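Added example to go with the rule set in the first post and the "choose All in Protocols" advice in #5. This is not TP-Link or Omada code, just a small ACL matcher that shows why an "Allow IPSec" rule written as UDP ports 50, 51, 500, 4500 lets the IKE negotiation through but still drops the tunnel's ESP packets at the following "Deny all WAN to LAN" rule: IKE and NAT-T are UDP 500 and 4500, but ESP and AH are IP protocols 50 and 51 and carry no port at all, so a UDP-port rule can never match them. The peer addresses (documentation ranges), the OpenVPN port 1194, the rule names and the first-match / default-allow semantics are assumptions made for the illustration; the real Omada ACL engine may differ in detail.

```python
"""
Added example, not code from TP-Link or the Omada controller: a toy
gateway-ACL matcher showing why an "Allow IPSec" rule written as
UDP ports 50,51,500,4500 passes IKE but drops the tunnel's ESP packets
once a "Deny all WAN->LAN" rule follows it.

Facts relied on: IKE is UDP/500, NAT-T is UDP/4500, ESP is IP protocol 50
and AH is IP protocol 51 (neither has a port header). Peer addresses,
rule names, OpenVPN's port and first-match semantics are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str                 # source IP as seen on the WAN interface
    proto: str               # "udp", "tcp", "esp", "ah"
    dport: int | None = None  # None for ESP/AH, which have no port header


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    proto: str = "all"                # "all" or a specific protocol
    dports: frozenset = frozenset()   # empty = any port
    src_net: str | None = None        # None = any source


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    # A port restriction can never match ESP/AH: their dport is None.
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.src_net is not None and (
        ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_net)
    ):
        return False
    return True


def evaluate(acl: list[Rule], pkt: Packet) -> tuple[str, str]:
    """First matching rule wins. With no match, fall back to 'allow',
    the wide-open behaviour the poster saw with no ACLs (assumption)."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "allow", "no rule matched"


# Constructed peer gateway address (Office2 WAN), documentation range.
PEER_WAN = "203.0.113.10/32"

# ACL as posted: IPsec "ports" 50,51,500,4500 under UDP, then deny all.
# OpenVPN on UDP/1194 is assumed (the post only says "PortGroup").
ACL_AS_POSTED = [
    Rule("Allow OpenVPN", "allow", "udp", frozenset({1194})),
    Rule("Allow IPSec", "allow", "udp", frozenset({50, 51, 500, 4500})),
    Rule("Deny WAN->LAN", "deny"),
]

# ACL following the vendor's advice: Protocol "All", no port restriction,
# scoped to the peer's IP (an IP Group) instead of an IP-Port Group.
ACL_FIXED = [
    Rule("Allow OpenVPN", "allow", "udp", frozenset({1194})),
    Rule("Allow IPSec peer", "allow", "all", src_net=PEER_WAN),
    Rule("Deny WAN->LAN", "deny"),
]

# Constructed packets from the peer gateway during tunnel setup and use.
IKE_PKT = Packet("203.0.113.10", "udp", 500)
NATT_PKT = Packet("203.0.113.10", "udp", 4500)
ESP_PKT = Packet("203.0.113.10", "esp")  # the actual tunnelled traffic


def tunnel_outcome(acl: list[Rule]) -> dict[str, str]:
    """Verdict for each phase of the tunnel under the given ACL."""
    phases = (("ike", IKE_PKT), ("nat-t", NATT_PKT), ("esp", ESP_PKT))
    return {name: evaluate(acl, p)[0] for name, p in phases}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        print(label, tunnel_outcome(acl))
```

With the rule set as posted, IKE on UDP/500 and NAT-T on UDP/4500 are allowed, so the negotiation completes and the tunnel looks "up", yet every ESP packet hits the deny rule and no traffic crosses the tunnel. Scoping the allow rule by peer IP with Protocol "All" passes ESP from that peer only; ESP from any other source still falls through to the deny rule.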