Unable to block IPsec VPN client from accessing Gateway Management Page on 5.15 adapted firmwares
Tested on:
ER8411 1.3.2
ER7206 v2 2.2.3
ER605 v2 2.3.0
I haven't tested other types of remotely connected VPN clients, only IPsec clients (both site-to-site and client-to-site exhibit this problem).
Before the controller 5.15 adapted firmwares, you could prevent VPN clients from accessing the Gateway management page of any LAN the gateway has an interface for that the VPN is connected to (VPN Config > Local Networks) by a simple gateway ACL:
BLOCK > WAN-IN > TCP > [IP_GROUP OF CLIENTS] > Gateway Management Page
Now, this doesn't work on the latest batch of firmwares, and neither does a more targeted ACL of
BLOCK > WAN-IN > TCP > [IP_GROUP OF CLIENTS] > [IP_PORT_GROUP of Gateway IP 80,443]
Thinking outside the box, I also just tried to block the gateway response back to the remote client:
BLOCK > LAN>WAN > TCP > [IP_PORT_GROUP of Gateway IP 80,443] > [IP_GROUP OF CLIENTS]
This also did not work.
It no longer seems possible to actually block access to the gateway IP for remote clients.
Is there any solution to this?
This can be easily tested:
- Set up a network as an interface on the router
- Set up an IPsec VPN with the network defined in "Local Networks"
- Connect to the VPN with a remote client.
- Try any method of blocking the gateway management page
Behavior is verified by the dev. IPsec priority has been improved in this firmware. ACL has a lower priority. This is the reason why this has failed.
Reason or other details are unknown to me. The team will investigate.
I am not able to guarantee a fix or a solution, as this might be an intended or inevitable change. If this is an update, I will bring it to your attention.
GRL wrote
Thanks for the info.
It would be good if this could be changed so it can be blocked again in the future - for security and audit reasons. Even though a controller-adopted gateway has no useful functions if someone were to brute force the password, I'm sure I'm not alone in wanting it blocked.
I can however confirm that any and all other ACL rules controlling VPN-connected clients do still work - just the Gateway Management Page doesn't.
Dev confirmed that this happens to certain models. They'll see what they can do with the priority in the future.
I actually have a follow-up question on this.
With this new priority behaviour, does the following still work?
Adding a WAN-IN Block ACL to the Gateway Management page from a Location Group to prevent VPN attacks, brute-forcing attempts, etc. from countries other than those we allow?
E.g.:
If I have a location group with all but United Kingdom selected, this would block all non-UK countries attempting to access the VPN.
GRL wrote
I actually have a follow-up question on this.
With this new priority behaviour, does the following still work?
Adding a WAN-IN Block ACL to the Gateway Management page from a Location Group to prevent VPN attacks, brute-forcing attempts, etc. from countries other than those we allow?
E.g.:
If I have a location group with all but United Kingdom selected, this would block all non-UK countries attempting to access the VPN.
The IPsec interface is different from the WAN interface.
In the situation described in the OP, the traffic comes from the IPsec interface. I don't think this would affect the regular ACL to block geo IPs.
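As an added model of the ordering the dev describes (not code from the thread, from TP-Link or from the Omada firmware), the following evaluates the thread's rules with an implicit IPsec permit for decapsulated traffic to the gateway's own Local Networks address: when that permit is evaluated before the ACLs, the WAN-IN block on the management page never matches, while ACLs to other LAN hosts and the geo-block on the raw WAN side still apply. All addresses, the rule representation and the "WAN-IN also sees IPsec traffic" behaviour are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed addresses for this model; none come from the thread.
WAN_IP = "198.51.100.2"        # gateway WAN address that IKE/ESP arrives on
GATEWAY_IP = "192.168.10.1"    # LAN interface listed under the VPN's "Local Networks"
LAN_HOST = "192.168.10.50"
VPN_POOL = "10.99.0.0/24"      # client-to-site address pool
NON_UK = ("203.0.113.0/24",)   # stands in for a Location Group of blocked countries

# ingress: "wan" = raw packet on the WAN port, "ipsec" = after ESP decapsulation
Packet = namedtuple("Packet", "ingress proto src dst dport")
# direction: "WAN-IN" for an ACL, "IPSEC-IN" for the implicit IPsec permit; dports=() means any
Rule = namedtuple("Rule", "name action direction proto src_nets dst_ip dports priority")

def _matches(rule, pkt):
    # Model assumption: a WAN-IN ACL sees both raw WAN packets and decapsulated IPsec
    # traffic, which is how the OP's WAN-IN rule blocked VPN clients on older firmware.
    if rule.direction == "WAN-IN" and pkt.ingress not in ("wan", "ipsec"):
        return False
    if rule.direction == "IPSEC-IN" and pkt.ingress != "ipsec":
        return False
    return (rule.proto in ("any", pkt.proto)
            and any(ipaddress.ip_address(pkt.src) in ipaddress.ip_network(n) for n in rule.src_nets)
            and pkt.dst == rule.dst_ip
            and (not rule.dports or pkt.dport in rule.dports))

def decide(pkt, rules):
    """Return the action of the first matching rule in priority order (lower value first)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, pkt):
            return rule.action
    return "ALLOW"   # nothing matched

def ruleset(ipsec_before_acl):
    """The thread's ACLs plus the implicit IPsec permit for traffic to the gateway's own
    Local Networks address; on the 5.15 firmware that permit is evaluated before the ACLs."""
    acl, ipsec = 10, (0 if ipsec_before_acl else 20)
    return [
        Rule("block-mgmt", "BLOCK", "WAN-IN", "tcp", (VPN_POOL,), GATEWAY_IP, (80, 443), acl),
        Rule("block-smb", "BLOCK", "WAN-IN", "tcp", (VPN_POOL,), LAN_HOST, (445,), acl),
        Rule("geo-block", "BLOCK", "WAN-IN", "any", NON_UK, WAN_IP, (), acl),
        Rule("ipsec-permit", "ALLOW", "IPSEC-IN", "any", (VPN_POOL,), GATEWAY_IP, (), ipsec),
    ]

VPN_TO_MGMT = Packet("ipsec", "tcp", "10.99.0.7", GATEWAY_IP, 443)   # the OP's case
VPN_TO_SMB = Packet("ipsec", "tcp", "10.99.0.7", LAN_HOST, 445)      # other ACLs still apply
FOREIGN_IKE = Packet("wan", "udp", "203.0.113.9", WAN_IP, 500)       # geo-blocked IKE attempt
```

`decide(VPN_TO_MGMT, ruleset(True))` returns "ALLOW" (the 5.15 ordering) while `ruleset(False)` returns "BLOCK" (the earlier ordering); the SMB and geo-block packets are blocked either way.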