IPsec Through a Firewall

About

This guide explains how to configure the WeOS firewall to allow IPsec traffic. Two common scenarios are covered: a WeOS device that acts as both an IPsec gateway and a firewall, and a WeOS device that acts as an intermediate firewall between two IPsec peers.

Introduction

IPsec relies on specific protocols and ports to establish and maintain secure tunnels. When a firewall is present on the path between two IPsec peers, it must be configured to permit the following traffic:

Traffic         Protocol        Port   Purpose
IKE             UDP             500    Key exchange and tunnel setup
NAT-Traversal   UDP             4500   IPsec through NAT devices
ESP             IP protocol 50  -      Encrypted tunnel data

If any of these are blocked, the tunnel will fail to establish or will drop unexpectedly.

Note

NAT-Traversal (NAT-T) automatically kicks in when the peers detect a NAT device between them. It encapsulates ESP inside UDP port 4500. Always allow UDP 4500 alongside UDP 500 unless you are certain that no NAT is present.

Note

IPsec traffic is exempted from NAT when the device acts as both the IPsec gateway and NAT gateway at the same time.


Scenario 1: IPsec Gateway with Integrated Firewall

In this scenario the WeOS device acts as both the IPsec VPN gateway and runs the firewall. The firewall must allow inbound IKE and ESP on the WAN interface so that the local IPsec daemon can receive and respond to tunnel negotiations.

                            .--.-.
                           ( (    )__
                          (_,  \ ) ,_)  Internet/Public Network
                            '-'--`--'
                             |    |
          .------------------'    '--------------------.
          |                                            |
          |WAN (vlan2):                                |WAN (vlan2):
          |192.168.0.1                                 |192.168.0.2
      .---+-------.                               .----+------.
      |   Alice   |         IPsec Tunnel          |    Bob    |
      | Responder |===============================| Initiator |
      |  GW + FW  |                               |  GW + FW  |
      '-----------'                               '-----------'
          |LAN (vlan1):                               |LAN (vlan1):
          |10.1.0.1/16                                |10.2.0.1/16
          |                                           |
 ---+-----+---+---                          ---+------+---+---
    |         |                                |          |
  .-+--.    .-+--.                           .-+--.     .-+--.
  | H1 |    | H2 |                           | H3 |     | H4 |
  '----'    '----'                           '----'     '----'

Figure 1: Each gateway runs both the IPsec daemon and the firewall. Firewall INPUT rules on the WAN interface are required to allow IKE and ESP.

Firewall Configuration on Alice

Configure the firewall to allow the IPsec control and data plane traffic on the WAN interface (vlan2). Setting both policies to drop ensures that only explicitly permitted traffic is accepted.

alice:/#> configure
alice:/config/#> ip firewall
alice:/config/ip/firewall/#> input accept in vlan2 dport 500 proto udp comment "IKE"
alice:/config/ip/firewall/#> input accept in vlan2 proto esp comment "IPsec ESP"
alice:/config/ip/firewall/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
alice:/#> copy run start

Bob, the initiator, needs the same ESP rule. The ICMP rule is optional and only there to allow connectivity tests from Alice's LAN:

bob:/#> configure
bob:/config/#> ip firewall
bob:/config/ip/firewall/#> input accept in vlan2 proto esp comment "IPsec ESP"
bob:/config/ip/firewall/#> input accept saddr 10.1.0.0/16 proto icmp comment "ICMP from Alice LAN"
bob:/config/ip/firewall/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
bob:/#> copy run start

Explanation:

  • input accept in vlan2 dport 500 proto udp allows IKE negotiations to reach the local IPsec daemon running on the responder.
  • input accept in vlan2 proto esp allows ESP packets to reach the local IPsec daemon. This is required for the tunnel to function on both sides.
  • input accept saddr 10.1.0.0/16 proto icmp allows ICMP traffic from Alice’s LAN to reach Bob so that he can respond. This is optional but useful for testing connectivity. It is needed because Bob’s firewall drops all other inbound traffic by default, so without this rule pings from Alice’s LAN would be blocked.

IPsec Tunnel Configuration

Configure the IPsec tunnel as described in IPsec Site-To-Site. The firewall rules above are independent of the tunnel configuration.

Verification

Check that the tunnel comes up and that the firewall is not dropping IKE or ESP packets:

alice:/#> show tunnel ipsec
ID  DESCRIPTION      STATUS               TIME (since last rekey)
1   ipsec1           Up(Installed)        0 Days 0 Hours 2 Mins 10 Secs
alice:/#> ping 10.2.0.1
Press Ctrl-C to abort
PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.645 ms
64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=0.412 ms
64 bytes from 10.2.0.1: icmp_seq=3 ttl=64 time=0.490 ms
^C
--- 10.2.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2035ms
rtt min/avg/max/mdev = 0.412/0.515/0.645/0.096 ms
alice:/#>

Scenario 2: Standalone Firewall Between IPsec Peers

In this scenario the WeOS device acts as a dedicated firewall/router that sits between an IPsec gateway and the Internet. The firewall itself does not terminate IPsec; it only relays IKE and ESP traffic between the peers. PORT-FORWARD rules are required to pass IKE and ESP through.

                                .---+----. 
              .-----------------+  WeOS  +------------------.
              |     LAN (vlan1) |Firewall| WAN (vlan2)      |
              |     192.168.1.1 '--------' 61.123.187.141   |
              |                                             |
              |                                             |
              |WAN (vlan2):                                 |WAN (vlan2):
              |192.168.1.2                                  |61.123.234.102
         .----+----.                                   .----+----.
         |  Alice  |         IPsec Tunnel              |   Bob   |
         |Responder|===================================|Initiator|
         '----+----'                                   '---------'
              |10.1.0.1/16 (vlan1)                         |10.2.0.1/16 (vlan1)
              |                                            |
     ---+-----+---+---                           ---+------+---+---
        |         |                                 |          |
      .-+--.    .-+--.                            .-+--.     .-+--.
      | H1 |    | H2 |                            | H3 |     | H4 |
      '----'    '----'                            '----'     '----'

Figure 2: A dedicated WeOS firewall forwards IPsec traffic between the two gateways. A tunnel is established between Alice and Bob, but the firewall does not terminate it. PORT-FORWARD rules are required to allow IKE and ESP to pass through the firewall.

Firewall Configuration on the Intermediate Firewall

The intermediate firewall needs PORT-FORWARD rules to pass IKE, NAT-T, and ESP between Bob’s gateway (61.123.234.102) and Alice’s gateway (192.168.1.2), which sits behind the firewall on vlan1.

fw:/#> configure
fw:/config/#> ip firewall
fw:/config/ip/firewall/#> forward accept in vlan1 out vlan2
fw:/config/ip/firewall/#> forward accept in vlan2 out vlan1 dport 500 proto udp
fw:/config/ip/firewall/#> forward accept in vlan2 out vlan1 dport 4500 proto udp
fw:/config/ip/firewall/#> forward accept in vlan2 out vlan1 proto esp
fw:/config/ip/firewall/#> nat out vlan2
fw:/config/ip/firewall/#> port-forward in vlan2 to-daddr 192.168.1.2 dport 500 proto udp
fw:/config/ip/firewall/#> port-forward in vlan2 to-daddr 192.168.1.2 dport 4500 proto udp
fw:/config/ip/firewall/#> port-forward in vlan2 to-daddr 192.168.1.2 proto esp
fw:/config/ip/firewall/#> leave
Configuration activated.  Remember "copy run start" to save to flash (NVRAM).
fw:/#> copy run start

Explanation:

  • forward accept in vlan1 out vlan2 allows all traffic from the internal LAN (vlan1) to be forwarded toward the WAN (vlan2). This covers Alice’s gateway responding to Bob.
  • forward accept in vlan2 out vlan1 dport 500 proto udp allows Bob’s IKE requests to reach Alice’s gateway.
  • forward accept in vlan2 out vlan1 dport 4500 proto udp allows NAT-T traffic if Bob is behind a NAT.
  • forward accept in vlan2 out vlan1 proto esp allows ESP packets from Bob to reach Alice’s gateway.
  • nat out vlan2 masquerades outbound traffic behind the firewall’s WAN address, so the IPsec peers see the firewall’s public IP rather than Alice’s private address. When NAT is active, NAT-T (UDP 4500) will be used automatically between the peers to keep the ESP packets routable.
  • port-forward in vlan2 to-daddr 192.168.1.2 dport 500 proto udp redirects inbound IKE (UDP 500) arriving on the WAN to Alice’s gateway. This is required when the firewall performs NAT and Bob uses the firewall’s public IP as the peer address.
  • port-forward in vlan2 to-daddr 192.168.1.2 dport 4500 proto udp and port-forward in vlan2 to-daddr 192.168.1.2 proto esp redirect inbound NAT-T and ESP to Alice’s gateway for the same reason.

Troubleshooting

  • Tunnel stuck in Down(Connecting): The initiator cannot reach the responder. Verify that UDP 500 (and UDP 4500 if NAT is present) is permitted both inbound and outbound on all firewalls on the path.
  • Tunnel reaches Down(IKE Established) but no data flows: ESP is being blocked. Confirm that proto esp rules exist and are not shadowed by a broader drop rule.
  • Tunnel establishes but drops after a short time: NAT state entries may be timing out. Ensure UDP 4500 is allowed so NAT-T keepalives can maintain the NAT mapping. DPD keepalives also require that IKE and ESP responses can return.
  • Checking dropped packets: Add the log flag to a drop rule to capture what is being silently discarded, then inspect the connection tracking table:

fw:/config/ip/firewall/#> log limit 100/minute
fw:/config/ip/firewall/#> forward drop log comment "catch-all log"
fw:/config/ip/firewall/#> leave
fw:/#> show ip firewall conntrack
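The Scenario 2 forward rules and the shadowing problem from the troubleshooting list can be checked offline with a small rule-set model. The following is an added example, not WeOS code: it parses the rule lines exactly as typed in this guide and assumes top-down, first-match evaluation with an implicit drop policy, so placing the catch-all drop above the accept rules shadows all of them. The peer address 61.123.234.102 and the interface names are taken from Figure 2.

```python
# Toy first-match model of a WeOS-style firewall chain (added example, not WeOS code).
# Assumes top-down evaluation, first match wins, and an implicit drop policy for the rest.
import ipaddress

def parse_rule(line: str) -> dict:
    """Parse e.g. 'forward accept in vlan2 out vlan1 dport 500 proto udp' into a dict."""
    toks, i = line.split(), 2
    rule = {"chain": toks[0], "verdict": toks[1]}
    while i < len(toks) and toks[i] != "comment":     # 'comment' ends the matchers
        if toks[i] in ("in", "out", "dport", "proto", "saddr"):
            rule[toks[i]] = int(toks[i + 1]) if toks[i] == "dport" else toks[i + 1]
            i += 2
        else:
            i += 1                                    # flags such as 'log' take no argument
    return rule

def packet(proto, src, in_if, out_if=None, dport=None) -> dict:
    """Packet seen by the chain; out_if is None for traffic to the firewall itself, dport None for ESP."""
    return {"proto": proto, "src": src, "in": in_if, "out": out_if, "dport": dport}

def matches(rule: dict, pkt: dict) -> bool:
    """Every matcher the rule specifies must agree with the packet."""
    if any(rule.get(key, pkt[key]) != pkt[key] for key in ("in", "out", "proto", "dport")):
        return False
    return "saddr" not in rule or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["saddr"])

def verdict(rules: list, pkt: dict) -> tuple:
    """Return (verdict, index of deciding rule); index None means the chain policy decided."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["verdict"], idx
    return "drop", None

def check_ipsec(rules: list, peer: str = "61.123.234.102") -> dict:
    """Verdict per IPsec flow Bob sends toward Alice through the Scenario 2 firewall."""
    flows = {"IKE": packet("udp", peer, "vlan2", "vlan1", 500),
             "NAT-T": packet("udp", peer, "vlan2", "vlan1", 4500),
             "ESP": packet("esp", peer, "vlan2", "vlan1")}
    return {name: verdict(rules, pkt)[0] for name, pkt in flows.items()}

# Forward rules as typed on the intermediate firewall, troubleshooting catch-all appended last.
GUIDE_FORWARD = [parse_rule(r) for r in (
    "forward accept in vlan1 out vlan2",
    "forward accept in vlan2 out vlan1 dport 500 proto udp",
    "forward accept in vlan2 out vlan1 dport 4500 proto udp",
    "forward accept in vlan2 out vlan1 proto esp",
    'forward drop log comment "catch-all log"')]
# The same rules with the catch-all moved first: it now shadows every accept below it.
SHADOWED_FORWARD = GUIDE_FORWARD[-1:] + GUIDE_FORWARD[:-1]
```

check_ipsec(GUIDE_FORWARD) accepts all three flows, while check_ipsec(SHADOWED_FORWARD) drops them all at rule 0, which is the symptom described for a tunnel stuck in Down(Connecting).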