Firewall – What can an ISP do to block IPSEC traffic

firewallipsecvpn

Every so often we encounter a problem where we cannot get an IPSEC VPN tunnel to work. Sometimes we know the local authorities restrict use of IPSEC (e.g. Bangladesh), and have to get some kind of exemption. Other times the ISP changes something and the connection drops (e.g. Haiti).

I assume there are a bunch of things that might prevent IPSEC from working. For example, blocking UDP port 500 would prevent IKE.

Rather than looking for a resolution for a specific problem, can anyone give a list of what different things an ISP might do to block IPSEC traffic, either on purpose or by accident?

The answer to this question will be useful in troubleshooting, but also letting ISPs know what specific things they need to fix when we can't get our VPN up!

Best Answer

Drawing on Chapter 4 of IPsec Virtual Private Network Fundamentals the following architectural issues can disrupt IPsec traffic:

Firewall not allowing required protocols
- ISAKMP (Port 500)
- ESP (IP Protocol 50)
- AH (IP Protocol 51)
Firewall (or router) not handling fragmented IPsec packets, such as
- not replying to ICMP-Unreachable packets - breaking Path MTU Detection

Some of these things could result from an ISP introducing new equipment that by default does one of the above (blocking ICMP-Unreachable seems quite a likely default setting). They may not realise they need to fix such problems in order to support their customers who use IPSEC - and it may not affect all their customers.

Related Solutions

Windows – Command to block an IP range using IPSEC

You can do something like this in Windows 2003 or newer OS's to add a policy, a filter list, and an entry to that filter list:

netsh ipsec static add policy name="Prevent TELNET Servers" description="Prevents running TELNET servers"
netsh ipsec static add filter filterlist="My filter list" srcaddr=any srcport=0 dstaddr=me dstport=23 protocol=tcp mirrored=yes

You can use "dstmask" and "srcmask" to specify ranges of IP addresses. Bear in mind that you'll have to actually assign that policy if you want it to do anything.

Some background on using NETSH and IPSEC is available at Microsoft at: http://technet.microsoft.com/en-us/library/cc739550(WS.10).aspx

On XP machines you'll use the IPSECCMD.EXE utility, available from the Windows 2000 resource kit.

IPSEC Tunnel – What Might Prevent IKE Handshake Success in Building an IPSEC Tunnel?

With a little assistance from Cisco I did some deeper analysis of what was happening, and figured out the things that I needed to be checking for. The useful things that Cisco told me:

debug crypto isakmp 5 gives enough detail to see whether problems are occurring with ISAKMP traffic
clear crypto isakmp sa clears out any stale security associations.
clear crypto isakmp {client_ip_address} can be used on the HQ to clear out a specific security association (you don't necessarily want to clear all your security associations if it is only one device that is having trouble!
packet captures at both ends are really useful to figure out what is going on

Reading up a little on the IPSEC suite, and ISAKMP more specifically showed that the following need to be allowed through any firewalls in the path:

ISAKMP traffic on UDP port 500
ISAKMP (used for NAT-Tunnelling) traffic on UDP port 4500
ESP traffic (IP Protocol 50)
AH traffic (IP Protocol 51)

It seems a lot of people out there don't realise the important difference between IP protocols and TCP/UDP ports.

The following packet captures focussed on the above types of traffic. These were set up on both the remote and HQ ASAs:

object service isakmp-nat-t 
    service udp destination eq 4500 
    description 4500
object-group service ISAKMP-Services
    description Traffic required for ISAKMP
    service-object esp 
    service-object ah 
    service-object object isakmp-nat-t 
    service-object udp destination eq isakmp
access-list ISAKMP extended permit object-group ISAKMP-Services host {hq_ip_address} host {remote_ip_address}
access-list ISAKMP extended permit object-group ISAKMP-Services host {remote_ip_address} host {hq_ip_address}
capture ISAKMP access-list ISAKMP interface outside

You can then download the captures from each device at https://{device_ip_address}/capture/ISAKMP/pcap and analyse it in Wireshark.

My packet captures showed that ISAKMP traffic outlined above was getting fragmented - since those packets are encrypted, once they are fragmented it is hard to put them back together and things break.

Giving this information to the ISP meant they could do their own focussed checking, and resulted in them making some changes to a firewall. Turns out the ISP was blocking all ICMP traffic on their edge router, which meant that Path MTU Discovery was broken, resulting in fragmented ISAKMP packets. Once they stopped blanket blocking ICMP the VPN came up (and I expect all their customers started getting better service in general).

Best Answer

Related Solutions

Windows – Command to block an IP range using IPSEC

IPSEC Tunnel – What Might Prevent IKE Handshake Success in Building an IPSEC Tunnel?

Related Topic