IPSec VPN interruption due to an overly wide ACL configuration

Publication Date: 2013-08-30
Issue Description

A firewall serves as the central node, and every branch device establishes an IPSec tunnel to this firewall.

The IPSec VPN on the live network had been running for a year when, over the past few days, IPSec services were suddenly interrupted across a large part of the whole network. We logged in to the central node firewall to inspect the IPSec information.
Alarm Information
1. Select one node and view its IPSec SA; the following information is displayed:
HRP_M[MZ_GS_FW_01]dis ipsec sa remote 60.165.x1.y1
02:00:40  2012/07/03
  -----------------------------
  IPsec policy name: "pl"
  sequence number: 1
  mode: template
  vpn: public
  -----------------------------
    connection id: 173545
    rule number: 4294967295
    encapsulation mode: tunnel
    tunnel local : 61.178.x2.y2    tunnel remote: 60.165.x1.y1
    flow      source: 10.112.0.0/255.255.0.0 0/0
    flow destination: 172.16.0.0/255.255.0.0 0/0

    [inbound ESP SAs]
      spi: 2368886412 (0x8d32568c)
      vpn: public  said: 9722  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887363600/28181
      max received sequence-number: 1211
      udp encapsulation used for nat traversal: Y

    [outbound ESP SAs]
      spi: 4097 (0x1001)
      vpn: public  said: 9723  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887331008/28181
      max sent sequence-number: 1641
      udp encapsulation used for nat traversal: Y

2. Compare this with another IPSec SA on the same central node:
  -----------------------------
  IPsec policy name: "pl"
  sequence number: 1
  mode: template
  vpn: public
  -----------------------------
    connection id: 365
    rule number: 4294967295
    encapsulation mode: tunnel
    tunnel local : 61.178.x2.y2    tunnel remote: 118.182.x3.y3
    flow      source: 10.112.0.0/255.255.0.0 0/0
    flow destination: 172.16.2.80/255.255.255.240 0/0

    [inbound ESP SAs]
      spi: 2098881415 (0x7d1a6387)
      vpn: public  said: 314  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436800/26573
      max received sequence-number: 1
      udp encapsulation used for nat traversal: Y

    [outbound ESP SAs]
      spi: 4286 (0x10be)
      vpn: public  said: 315  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436800/26573
      max sent sequence-number: 1
      udp encapsulation used for nat traversal: Y

Handling Process
A newly brought-online peer device used the same IPSec configuration, but its ACL protected the whole 172.16.0.0/16 network segment. That range covered the protected flows of the other tunnels and interrupted their services.

Modify the ACL on the peer device so that the protected flows of the branches no longer overlap, configuring it as a 28-bit mask segment in the same way as the devices that were already online.
Root Cause
1. The protected flow of some tunnels was found to use a 16-bit mask, which is broader than the protected flows of the other tunnels.
2. When the central node sends traffic to a branch node, it must look up the tunnel, and the protected flow is the sole basis for that lookup.
3. On the central node, tunnel selection therefore depends on the ACL configured at the branch end. The protected flow ranges of the branches must not intersect; otherwise one tunnel's protected flow covers the others on the central node, traffic is steered into the wrong tunnel, and services are affected.
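As an added check that is not part of the original case, the script below parses the flow lines of `display ipsec sa` output like the two SAs shown above, reports pairs of SAs whose protected destination flows overlap, and shows which tunnels a given destination address would be matched against. The SA text is constructed from the two SAs above, keeping their placeholder public addresses.

```python
import ipaddress
import re

# Constructed sample: the tunnel/flow lines of the two SAs shown on this page,
# in the same format as the "display ipsec sa" output above.
SA_OUTPUT = """
    connection id: 173545
    tunnel local : 61.178.x2.y2    tunnel remote: 60.165.x1.y1
    flow      source: 10.112.0.0/255.255.0.0 0/0
    flow destination: 172.16.0.0/255.255.0.0 0/0
    connection id: 365
    tunnel local : 61.178.x2.y2    tunnel remote: 118.182.x3.y3
    flow      source: 10.112.0.0/255.255.0.0 0/0
    flow destination: 172.16.2.80/255.255.255.240 0/0
"""

REMOTE_RE = re.compile(r"tunnel remote:\s+(\S+)")
FLOW_DST_RE = re.compile(r"flow\s+destination:\s+(\S+)")


def parse_sas(text):
    """Return [(tunnel_remote, protected_destination_network), ...]."""
    sas = []
    remote = None
    for line in text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            remote = m.group(1)          # remembered until its flow line appears
        m = FLOW_DST_RE.search(line)
        if m and remote:
            # "172.16.0.0/255.255.0.0" is accepted directly as netmask notation
            net = ipaddress.ip_network(m.group(1), strict=False)
            sas.append((remote, net))
            remote = None
    return sas


def find_overlaps(sas):
    """Pairs of SAs whose protected destination flows intersect (a misconfiguration)."""
    found = []
    for i, (r1, n1) in enumerate(sas):
        for r2, n2 in sas[i + 1:]:
            if n1.overlaps(n2):
                found.append((r1, r2, str(n1), str(n2)))
    return found


def tunnels_for(sas, dst_ip):
    """Tunnels whose protected flow covers dst_ip; more than one means the lookup is ambiguous."""
    ip = ipaddress.ip_address(dst_ip)
    return [remote for remote, net in sas if ip in net]
```

Run `find_overlaps(parse_sas(SA_OUTPUT))` against a full `display ipsec sa` capture to list every pair of branches whose ACLs need to be narrowed.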
Suggestions
Always configure ACLs with the narrowest possible range and avoid overlapping protected flows between branches.
