Unable to block IPsec VPN client from accessing Gateway Management Page on 5.15 adapted firmwares

Monday - last edited Yesterday

Tested on:

ER8411 1.3.2

ER7206 v2 2.2.3

ER605 v2 2.3.0

 

I haven't tested other types of VPN clients remotely connected, only IPsec clients (both site-to-site and client-to-site exhibit this problem).

Before the controller 5.15 adapted firmwares, you could prevent VPN clients from accessing the Gateway management page of any LAN the gateway has an interface for that the VPN is connected to (VPN Config > Local Networks) by a simple gateway ACL:

BLOCK > WAN-IN > TCP > [IP_GROUP OF CLIENTS] > Gateway Management Page

Now, this doesn't work on the latest batch of firmwares. And neither does a more targeted ACL of

BLOCK > WAN-IN > TCP > [IP_GROUP OF CLIENTS] > [IP_PORT_GROUP of Gateway IP 80,443]

Thinking outside the box, I also just tried to block the gateway response back to the remote client:

BLOCK > LAN>WAN > TCP > [IP_PORT_GROUP of Gateway IP 80,443] > [IP_GROUP OF CLIENTS]

This also did not work.

It no longer seems possible to actually block access to the gateway IP for remote clients.

Is there any solution to this?

This can be easily tested:

- Set up a network as an interface on the router
- Set up an IPsec VPN with the network defined in "Local Networks"
- Connect to the VPN with a remote client.
- Try any method of blocking the gateway management page

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x3, ES208G x1, EAP650 x6 Remote: ER7206 v2 x1, ER605 v2 x3, SG2008P x2, EAP650 x2, ES205G x1 Controller: OC300
#1
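The test procedure in the post above, turned into a check a connected VPN client can run against the gateway after the ACL is applied. This is an added example, not part of the original post or of any TP-Link tooling. The gateway address 192.168.0.1 is a placeholder and the loopback listener exists only so the classifier can be exercised offline; the ports 80 and 443 are the ones named in the post. Unlike a plain "can I load the page" test, it separates an RST (the SYN reached the gateway's TCP stack, so the block rule did not fire) from a timeout (the SYN was silently dropped, which is what a working block looks like).

```python
import socket
import threading

# Constructed sample targets for this example (not from the thread): the gateway's
# LAN IP on a network listed under VPN Config > Local Networks, and the ports of
# the Gateway Management Page.
GATEWAY_IP = "192.168.0.1"
MGMT_PORTS = (80, 443)


def probe_tcp(host, port, timeout=3.0):
    """Classify host:port from the VPN client's point of view.

    open      the TCP handshake completed, so the SYN reached the gateway and the
              management service answered: nothing on the path is blocking it
    closed    an RST came back, so the SYN still reached the gateway's TCP stack
              (only that port is not listening); a block rule did not fire
    filtered  nothing came back before the timeout, which is what a rule that
              silently drops the SYN looks like; the only result that shows a block
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError as exc:
            # e.g. "network unreachable" when the VPN route is missing altogether
            return f"error: {exc.strerror or exc}"


def check_management_page(host=GATEWAY_IP, ports=MGMT_PORTS, timeout=3.0):
    """Probe every management port; the block is effective only if all are filtered."""
    results = {port: probe_tcp(host, port, timeout) for port in ports}
    blocked = all(state == "filtered" for state in results.values())
    return results, blocked


def start_loopback_listener():
    """Open a listening socket on 127.0.0.1 (ephemeral port) so the classifier can
    be exercised offline. Returns (port, close_fn); close_fn() stops the listener
    and only returns once the port is no longer listening."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()
        srv.close()

    worker = threading.Thread(target=accept_loop, daemon=True)
    worker.start()

    def close_fn():
        stop.set()
        worker.join()

    return port, close_fn


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else GATEWAY_IP
    results, blocked = check_management_page(host)
    for port, state in results.items():
        print(f"{host}:{port} {state}")
    print("block effective" if blocked else "block NOT effective: gateway reachable")
```

Run it from a client connected over the IPsec tunnel with the gateway's LAN IP as the argument; run it once before adding the ACL (expect "open") and once after (expect "filtered" on both ports). A "closed" or "open" after the ACL is in place reproduces the behaviour the post describes.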
Re:Unable to block IPsec VPN client from accessing Gateway Management Page on 5.15 adapted firmwares-Solution
Tuesday - last edited Yesterday

  @GRL 

Behavior is verified by the dev. IPsec priority has been improved in this firmware. ACL has a lower priority. This is the reason why this has failed. 

Reason or other details are unknown to me. The team will investigate. 

 

I am not able to guarantee a fix or a solution, as this might be an intended or inevitable change. If this is an update, I will bring it to your attention. 

Recommended Solution
#2
Re:Unable to block IPsec VPN client from accessing Gateway Management Page on 5.15 adapted firmwares
Yesterday - last edited Yesterday

  @Clive_A 

Thanks for the info.

It would be good if this could be changed so it can be blocked again in the future - for security and audit reasons. Even though a controller-adopted gateway has no useful functions if someone were to brute-force the password, I'm sure I'm not alone in wanting it blocked. 

I can however confirm that any and all other ACL rules controlling VPN connected clients do still work - just the Gateway Management Page doesn't.

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x3, ES208G x1, EAP650 x6 Remote: ER7206 v2 x1, ER605 v2 x3, SG2008P x2, EAP650 x2, ES205G x1 Controller: OC300
#3
Re:Unable to block IPsec VPN client from accessing Gateway Management Page on 5.15 adapted firmwares-Solution
Yesterday - last edited Yesterday

  @GRL 

GRL wrote

  @Clive_A 

Thanks for the info.

It would be good if this could be changed so it can be blocked again in the future - for security and audit reasons. Even though a controller-adopted gateway has no useful functions if someone were to brute-force the password, I'm sure I'm not alone in wanting it blocked. 

I can however confirm that any and all other ACL rules controlling VPN connected clients do still work - just the Gateway Management Page doesn't.

Dev confirmed that this happens to certain models. They'll see what they can do with the priority in the future. 

Recommended Solution
#4
Re:Unable to block IPsec VPN client from accessing Gateway Management Page on 5.15 adapted firmwares
Yesterday

  @Clive_A 

 

Thank you 

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x3, ES208G x1, EAP650 x6 Remote: ER7206 v2 x1, ER605 v2 x3, SG2008P x2, EAP650 x2, ES205G x1 Controller: OC300
#5
Re:Unable to block IPsec VPN client from accessing Gateway Management Page on 5.15 adapted firmwares
Yesterday - last edited Yesterday

  @Clive_A 

I actually have a follow-up question on this.

With this new priority behaviour, does the following still work?

Adding a WAN-IN Block ACL to Gateway Management page from a Location Group to prevent VPN attacks, brute-forcing attempts etc. from countries other than those we allow?

EG:

If I have a location group with all but United Kingdom selected, this would block all non-UK countries attempting to access the VPN.

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x3, ES208G x1, EAP650 x6 Remote: ER7206 v2 x1, ER605 v2 x3, SG2008P x2, EAP650 x2, ES205G x1 Controller: OC300
#6
Re:Unable to block IPsec VPN client from accessing Gateway Management Page on 5.15 adapted firmwares
Yesterday

  @GRL 

GRL wrote

  @Clive_A 

I actually have a follow-up question on this.

With this new priority behaviour, does the following still work?

Adding a WAN-IN Block ACL to Gateway Management page from a Location Group to prevent VPN attacks, brute-forcing attempts etc. from countries other than those we allow?

EG:

If I have a location group with all but United Kingdom selected, this would block all non-UK countries attempting to access the VPN.

IPsec interface is different from the WAN interface. 

The mentioned description in the OP, the traffic, comes from the IPsec interface. I don't think this would affect the regular ACL to block geo IPs. 

#7