IPSEC traffic getting blocked by default rules
-
Hello,
I am having trouble routing between 2 networks.
One network is made up of many vlans and all vlans currently have any/any rules. This is the new network.
The other network is one flat VLAN with a lot of static routes to VPN appliances etc. This is the old network.
Because the old network supports life safety services that rely on the static routes, I cannot simply migrate everything. I have decided to stand the new network up, deploy a server and promote it to TDC, replicating everything from the PDC.
Old network currently has 3 DCs, DC1, 2 and 3.
New network has DC0. Once the new firewall was set up, I connected an interface on the new firewall to the old firewall, thinking that I could static route everything from one net to the other. But that didn't work and regularly went down. Finally I resorted to a VTI IPsec tunnel.
The IPsec tunnel stays connected, and pinging is reliable enough for me to move forward to DC promotion and replication. But that is where the issue lies.
Default Deny is killing my TCP connections. I have done all the tricks, still not able to establish connection.
Floating rule for asymmetrical routing, TCP:Any, sloppy states, etc. Both sides, mind you.
Further, IPsec any/any. Anything to get it to work.
I understand that I could establish a VPN tunnel between the servers themselves. But I still need access to other network services and static routes on the old network.
Eventually this will all be removed and all services and VPN appliances will live on the new network. And this will all be a learning experience.
Any advice for a path forward?
-
Well I believe I sorted it at this point.
Because the old FW has multiple IPsec tunnels, a few non-VTI, I couldn't enable IPsec Filter Mode.
While looking over logs, I noticed that my traffic was entering the VTI interface and leaving via the IPsec interface.
So I created a floating rule for asymmetrical routing issues. All I needed to do was alter my IPSEC rules to match any/any TCP:Any, State:Sloppy.
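As an added illustration (not from the poster), here is roughly what that floating rule looks like in pf terms, with the default-state rule it replaces shown as a comment. The interface names ipsec1000 (VTI) and enc0 (IPsec) are assumptions; check the actual names under Interfaces on both firewalls.

```pf
# Constructed example of the asymmetric-routing fix described above.
# Assumes the VTI interface is ipsec1000 and the non-VTI IPsec interface is enc0.

# A normal stateful rule only passes TCP if pf sees both directions of the flow
# on the same interface. With packets arriving on ipsec1000 and the replies
# leaving through enc0, the replies never match the state entry and fall
# through to the default deny, which is what the logs show.
#pass in quick on ipsec1000 inet proto tcp from any to any flags S/SA keep state

# Floating rule, direction any, quick, TCP with any flags, sloppy state:
# pf no longer insists on seeing the full handshake and sequence numbers on
# one interface, so the two halves of the flow are accepted on either side.
# Sloppy state does loosen pf's TCP checks, so keep it scoped to the tunnel
# interfaces only and apply the same rule on both firewalls.
pass quick on { ipsec1000 enc0 } inet proto tcp from any to any flags any keep state (sloppy)
```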