ipsec whitelist?

acruhl · November 24, 2016, 4:04pm

Is there a recommended way to implement an ipsec “whitelist” so that my router only accepts ipsec negotiation attempts from known peers?

I was auditing my external traffic and noticed some entity I don’t know is trying to use ipsec (ipv4) with me. I’m sure it won’t work but it would be better to block it so this entity doesn’t even know I’m using ipsec I think.

There is no firewall rule to allow port 500 so I assume it’s happening before the firewall?

What is the best way to handle this?

Thanks!

pe1chl · November 24, 2016, 5:07pm

You need to review your firewall, as for incoming IPsec sessions you do need to allow UDP port 500
in the input table. Maybe some rule is allowing more than you want.
You can use a firewall rule in combination with an address list to allow IPsec only for certain remote systems.
I use an address list to block the known research scanners, blackhat port scanners like shodan.io etc,
and it prevents them to setup IPsec and try to exploit leaks.

acruhl · November 24, 2016, 6:55pm

Yes, you’re correct. I shouldn’t have assumed anything. I’m trying to decide what rule it is, I just bought a new RB750Gr3. I have a feeling it’s this one:

;;; defconf: accept established,related
chain=input action=accept connection-state=established,related log=no

There is nothing else specifically allowing udp port 500.

I put in a rule to drop udp port 500 at the top of the list and it did indeed fail to create an SA after I flushed the current ones.

An address list seems like the best idea, thanks.

pe1chl · November 24, 2016, 8:35pm

The established/related rule will allow OUTgoing IPsec sessions, but not INcoming.
Of course IPsec sessions are bidirectional in nature (unless you check the “passive” checkmark)
so you may think the firewall does nothing. However that is not the case for entries that listen for
incoming connections from random addresses (like L2TP/IPsec server). In that case they will
require the allow for UDP port 500.

The correct way is to first allow the established/related traffic, then allow the traffic you want
(e.g. in this case UDP port 500 from a specific address list), then deny everything else.
It will protect you from incoming IPsec from unknown hosts.

acruhl · November 25, 2016, 1:34pm

This is confusing for me then, because I see no rule to explicitly allow port 500 on this router.

The other side does have a rule to allow port 500, so it seems like incoming port 500 might be what is considered “related”?

I need to study this somehow. Having a rule that is ambiguous is not so good.

pe1chl · November 25, 2016, 2:35pm

When you have an IPsec peering between two routers you need the open port 500 only on
one of them, because each side will try to open the connection. It will fail in one direction but
succeed in the other direction (where port 500 is open), and then because the connection is
established the established/related rule allows traffic both ways (for port 500). Similar requirement
exists for the ESP traffic that transports the encrypted data. However, I always make the correct
rules at both sides to be sure.

acruhl · November 26, 2016, 12:28am

Wow, thanks for that. You learn something new every day. I’ll make “whitelists” (ip firewall address-list) on both ends for udp port 500 and see how it goes.