IKEV2 to Cisco Firepower seems to only be routing first-specified remote network

Printable View

12-09-2019, 12:58 PM
cgallery

IKEV2 to Cisco Firepower seems to only be routing first-specified remote network

My company has been acquired. The acquiring company would like to establish an IPsec tunnel to their Cisco Firepower unit. They have multiple (five) remote networks, so we're using IKEV2 and specifying a remote network of:

10.0.0.0/8,192.168.50.0/24,192.168.55.0/24,172.16.0.0/16,172.17.0.0/16

The tunnel starts, but only the first-specified remote network (10.0.0.0/8) routes. So on my side, I can get through to his 10.0.0.0/8, but not any of the others.

I've asked him to try changing the order, but only the first specified works.

Any thoughts?
12-10-2019, 09:17 AM
cgallery

Bump, any ideas on this? Do we need to add routes because they don't get added automatically, or anything like that?

Has anyone used IKEV2 on an Untangle to another device/brand?
12-11-2019, 12:09 PM
cgallery

I have a little more information in case someone is reading this and it is helpful.

First, I don't have access to the Cisco Firepower router on their end. They don't want to give me any access.

BUT, he reconfigured the tunnel with IKEV1 and a remote network of 10.0.0.0/8. Interestingly, devices behind my Untangle router can access his 10.50.10.0/24, but cannot access his 10.10.10.0/24.

I told him I thought it was unlikely the Untangle would favor 10.50.10.0/24 out of such an enormous 10.0.0.0/8 range, but he says it is likely because his appliance on his end has a local address on the 10.50.10.0/24 network.

I've done a few traceroutes to 10.10.10.0/24 devices and can see that they hit the Untangle's address and then nothing. I'd think that if the Untangle wasn't loading them onto the tunnel, that the traceroutes would show them going out via the WAN port. For example, if I traceroute 192.168.20.1, you can see it exit via the WAN (doesn't go any further obviously).

So my suspicion is that the packets from me to his 10.10.10.0/24 ARE in fact going out over the tunnel but that his Cisco Firepower device is the culprit. But he says Cisco did a capture and they can't see any traffic to his Cisco via the tunnel, other than 10.50.10.0/24 traffic.

Is there some way I can ssh into the Untangle and get better diagnostic information about a tunnel? I'd sure like to be able to ping an address and see Untangle show me that it is sending it over the tunnel.
12-11-2019, 02:23 PM
sky-knight

No need for SSH, config -> network -> Troubleshooting -> packet test

But, I'll bet the issue is on your Untangle. If he set his remote network to 10.0.0.0/8, but YOU didn't update the remote address range on your IPSec tunnel to the same, your Untangle doesn't have the correct route for the second IP range. I'll bet if you look your remote address range is set to 10.50.10.0/24.

Also 10.0.0.0/8 is HUGE, if you're using any 10. anythings in your network anywhere, that's going to interfere.
12-11-2019, 02:37 PM
cgallery

Quote:

Originally Posted by sky-knight

No need for SSH, config -> network -> Troubleshooting -> packet test

But, I'll bet the issue is on your Untangle. If he set his remote network to 10.0.0.0/8, but YOU didn't update the remote address range on your IPSec tunnel to the same, your Untangle doesn't have the correct route for the second IP range. I'll bet if you look your remote address range is set to 10.50.10.0/24.

Also 10.0.0.0/8 is HUGE, if you're using any 10. anythings in your network anywhere, that's going to interfere.

Thanks, but nope, the Remote Address on the Untangle IS set to 10.0.0.0/8. And HE is the one doing this, he has access to the Untangle.

And I've now verified that if I ping w/ 16k packets to his 10.10.10.15, the "Out Bytes" shown on the Untangle reporting screen represent the correct amount of traffic, while "In Bytes" barely budges. So I know I'm loading the tunnel.

I think there is something wrong on his side, but I don't know for sure. He has access to the Untangle and his Cisco Firepower, I only have access to the Untangle. But I'm trying to be helpful.

We don't have anything local on 10.0.0.0/8, he has a few because they've acquired different companies. Makes sense, I guess.

His Cisco Firepower's local address is on the same 10.50.10.0/24 network that we CAN ping. I'm guessing the Cisco is dropping all traffic coming from this tunnel that isn't destined for 10.50.10.0/24.
12-11-2019, 06:03 PM
sky-knight

Well, if the far side range is set for 10.0.0.0/8 on Untangle, that means that anything destined for 10.anything will go over the tunnel. So yeah, I don't see how Untangle can be the misconfigured device here. But, routes can do strange things sometimes.
12-11-2019, 06:36 PM
cgallery

Quote:

Originally Posted by sky-knight

Well, if the far side range is set for 10.0.0.0/8 on Untangle, that means that anything destined for 10.anything will go over the tunnel. So yeah, I don't see how Untangle can be the misconfigured device here. But, routes can do strange things sometimes.

I did some more work tonight w/ the Packet Test feature and can certainly see traffic I'm generating via pings, hitting the tunnel. But no replies.

I had thought maybe these networks are all just sites connected to this Cisco Firepower via tunnels, and whether anything had been done on the Cisco to "connect" them.

But in talking to the gentleman configuring the Cisco, it sounds like this is already working from other sites.

It would be interesting to see the running config, but I don't think that is going to happen.