72.8. IPSEC

72.8.1. Why is the outgoing traffic from CPX toward an IPSEC VPN blocked after updating from 6.5.x to 7.0.x?

The interaction between NAT and IPSEC changes when updating from 6.5.x to 7.0.x, and this may cause the outgoing traffic toward the VPN to be blocked.

Example: suppose you have:

  • an INSIDE tunnel whose traffic goes out through an OUTSIDE interface;

  • a NAT rule on the OUTSIDE interface used by the INSIDE tunnel;

then the IP addresses belonging to that tunnel must not be matched by the NAT rule: otherwise their source address is translated and the packets no longer match the tunnel's NET-LOC/NET-REM selectors.

The following is the configuration of the IKE hosts and IKE clients:

[19:41:29] ABILIS_CPX:d ike host

----------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              NATT:   XAUTH:
      AUTH:  HASH: DH:        CIPHER:  REM-IP:              SIDE:   MODE-CFG:
      XAUTH-USER:                      XAUTH-PWD:
----------------------------------------------------------------------------
1     SOFTMEDIDC                       012.034.065.078      SYS     NO
      PSK    MD5   MODP1024   3DES     xxx.xxx.xxx.xxx      INSIDE  NO

----------------------------------------------------------------------------
2     SOFTMEDLAB                       012.034.065.078      SYS     NO
      PSK    MD5   MODP1024   3DES     xxx.xxx.xxx.xxx      INSIDE  NO

----------------------------------------------------------------------------
3     SOFTMEDBCK                       012.034.065.078      SYS     NO
      PSK    MD5   MODP1024   3DES     xxx.xxx.xxx.xxx      INSIDE  NO

----------------------------------------------------------------------------
4     MATTEO                           012.034.065.078      SYS     NO
      PSK    MD5   MODP1024   3DES     xxx.xxx.xxx.xxx      INSIDE  NO

----------------------------------------------------------------------------
5     SMHOUSING                        012.034.065.078      SYS     NO
      PSK    MD5   MODP1024   3DES     xxx.xxx.xxx.xxx      INSIDE  NO

----------------------------------------------------------------------------

[19:45:07] ABILIS_CPX:d ike cli

----------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-LOC:
     AH:              AH-AUTH:                 TUNNEL:      NET-REM:
     MODE-CFG-DNS:
----------------------------------------------------------------------------
1    NAME1                            1        IPSEC        28800         NO
     YES  DES         MD5             NO       YES          192.168.002.064/28
     NO               MD5                      YES          192.168.010.000/24
     SYS
----------------------------------------------------------------------------
2    NAME2                            2        IPSEC        28800         NO
     YES  DES         MD5             NO       YES          192.168.002.064/28
     NO               MD5                      YES          192.168.011.010/32
     SYS
----------------------------------------------------------------------------
3    NAME3                            3        IPSEC        86400         NO
     YES  DES         MD5             NO       YES          192.168.002.064/28
     NO               MD5                      YES          192.168.014.000/24
     SYS
----------------------------------------------------------------------------
4    NAME4                            4        IPSEC        86400         NO
     YES  DES         MD5             NO       NO           192.168.002.064/28
     NO               MD5                      YES          172.016.015.000/24
     SYS
----------------------------------------------------------------------------
5    NAME5                            5        IPSEC        86400         NO
     YES  DES         MD5             NO       YES          192.168.002.064/28
     NO               MD5                      YES          192.168.026.102/32
     SYS
----------------------------------------------------------------------------

Create a list of private IP addresses and a list of public IP addresses, the latter defined as the complement (NOT.) of the former:

[19:41:14] ABILIS_CPX:d list:PrivateIp

LIST:PrivateIp            - IR

     010.000.000.000:010.255.255.255    172.016.000.000:172.031.255.255
     192.168.000.010:192.168.255.255

[19:41:22] ABILIS_CPX:d list:PublicIp

LIST:PublicIp          - RU

     NOT.PrivateIp

Exclude private IP addresses from the NAT rule used by the tunnel by setting its DNET parameter to 'PublicIp', so that traffic toward the remote tunnel networks is not translated:

[19:41:28] ABILIS_CPX:d nat

UPNP maps not present

Configured maps
----------------------------------------------------------------------------
PR: [DESCR:]
    INAT:         ADD: SNET:              DNET:              ANET:
    ONAT:              SPO:               DPO:               APO:               PAT:
    SIP:  DIP:         PROT:              TOUT:
----------------------------------------------------------------------------
0   IN            SRC  192.168.002.064/28 192.168.001.001/32 Ip-1
    OUT                *                  *                  AUTO               YES
----------------------------------------------------------------------------
1   IN            SRC  192.168.002.064/28 'PublicIp'         Ip-3
    OUT                *                  *                  AUTO               YES
----------------------------------------------------------------------------
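The following Python model, added here as an illustration and not part of the CPX software or of this FAQ, reproduces the decision the page describes: it evaluates the NAT maps first and then looks for a matching IKE client, using the PrivateIp/PublicIp lists and the NET-LOC/NET-REM values shown above. The ordering (NAT before the IPSEC selector lookup, first matching map wins) is an assumption of the model, and the constructed addresses 192.0.2.1 and 203.0.113.3 stand in for the Ip-1 and Ip-3 resources. It shows that with DNET '*' the tunnel traffic leaves translated and matches no client, while with DNET 'PublicIp' it still enters the tunnel and internet-bound traffic is still translated.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed model of the CPX lists, NAT maps and IKE clients shown above.
# Not CPX code: NAT evaluated before the IPSEC selectors, with the first
# matching map winning, is an assumption used to reproduce the symptom.

# LIST:PrivateIp, inclusive LOW:HIGH ranges copied from the 'd list' output.
PRIVATE_RANGES = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.10", "192.168.255.255"),
]


def in_ranges(ip: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if ip falls inside any inclusive LOW:HIGH range."""
    a = int(ipaddress.ip_address(ip))
    return any(
        int(ipaddress.ip_address(lo)) <= a <= int(ipaddress.ip_address(hi))
        for lo, hi in ranges
    )


# LIST:PublicIp is NOT.PrivateIp, i.e. the complement of the private list.
LISTS: Dict[str, Callable[[str], bool]] = {
    "PrivateIp": lambda ip: in_ranges(ip, PRIVATE_RANGES),
    "PublicIp": lambda ip: not in_ranges(ip, PRIVATE_RANGES),
}


def matches(selector: str, ip: str) -> bool:
    """selector is '*', a CIDR (SNET/DNET/NET-LOC/NET-REM) or a quoted list name."""
    if selector == "*":
        return True
    if selector.startswith("'") and selector.endswith("'"):
        return LISTS[selector.strip("'")](ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)


@dataclass
class NatMap:
    snet: str
    dnet: str
    anet: str  # constructed address standing in for the Ip-N resource


@dataclass
class IkeClient:
    name: str
    net_loc: str
    net_rem: str


def apply_nat(maps: List[NatMap], src: str, dst: str) -> str:
    """Source NAT (ADD: SRC): the first map whose SNET and DNET match rewrites src."""
    for m in maps:
        if matches(m.snet, src) and matches(m.dnet, dst):
            return m.anet
    return src


def forward(maps: List[NatMap], clients: List[IkeClient], src: str, dst: str) -> Tuple[str, str]:
    """('tunnel', client name) if the packet still matches an IKE client's
    NET-LOC/NET-REM after NAT, otherwise ('clear', source address it leaves with)."""
    nat_src = apply_nat(maps, src, dst)
    for c in clients:
        if matches(c.net_loc, nat_src) and matches(c.net_rem, dst):
            return ("tunnel", c.name)
    return ("clear", nat_src)


# IKE clients NAME1..NAME5 with the NET-LOC/NET-REM values from 'd ike cli'.
CLIENTS = [
    IkeClient("NAME1", "192.168.2.64/28", "192.168.10.0/24"),
    IkeClient("NAME2", "192.168.2.64/28", "192.168.11.10/32"),
    IkeClient("NAME3", "192.168.2.64/28", "192.168.14.0/24"),
    IkeClient("NAME4", "192.168.2.64/28", "172.16.15.0/24"),
    IkeClient("NAME5", "192.168.2.64/28", "192.168.26.102/32"),
]

IP1, IP3 = "192.0.2.1", "203.0.113.3"  # constructed stand-ins for Ip-1 and Ip-3

# Map 1 before the fix: DNET '*' also catches the tunnels' remote networks.
MAPS_BEFORE = [NatMap("192.168.2.64/28", "192.168.1.1/32", IP1),
               NatMap("192.168.2.64/28", "*", IP3)]

# Map 1 after the fix: DNET 'PublicIp' leaves private destinations untranslated.
MAPS_AFTER = [NatMap("192.168.2.64/28", "192.168.1.1/32", IP1),
              NatMap("192.168.2.64/28", "'PublicIp'", IP3)]

if __name__ == "__main__":
    for maps, label in ((MAPS_BEFORE, "before"), (MAPS_AFTER, "after")):
        for dst in ("192.168.10.5", "172.16.15.7", "198.51.100.20"):
            print(label, "192.168.2.70 ->", dst, forward(maps, CLIENTS, "192.168.2.70", dst))
```

Running it prints, for the "before" maps, ('clear', '203.0.113.3') for the two private destinations: the tunnel traffic has been source-translated and no client selector matches it any more. With the "after" maps the same packets return ('tunnel', 'NAME1') and ('tunnel', 'NAME4'), while 198.51.100.20 is still translated in both cases.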