IKEv2 Remote Access VPN: How to narrow default local traffic selector 0.0.0.0/0?

yuri.volkov
Level 1

There is a Cisco ASR1001 router with a FlexVPN IKEv2 remote access server configured:

aaa authentication login VPN-IKEv2 group FreeRADIUS
!
crypto ikev2 profile VPN-IKEv2
 match identity remote address 0.0.0.0
 identity local fqdn vpn.domain.local
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint VPN-CA
 aaa authentication eap VPN-IKEv2
 aaa authorization user eap cached
 aaa accounting eap VPN-IKEv2
 virtual-template 1
!
crypto ipsec transform-set VPN-IKEv2 esp-aes 256 esp-sha-hmac 
 mode tunnel
!    
crypto ipsec profile VPN-IKEv2
 set transform-set VPN-IKEv2 
 set ikev2-profile VPN-IKEv2
!
interface Virtual-Template1 type tunnel
 vrf forwarding WAN
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IKEv2
!

FreeRADIUS configuration:

vpn_user  Cleartext-Password := "vpn_password"
                Cisco-AVPair = "ipsec:dns-servers=x.x.x.x y.y.y.y",
                Framed-IP-Address = "10.10.0.10"

When a user connects, all of their traffic is encrypted and sent over the IPsec tunnel because of the local traffic selector 0.0.0.0/0:

asr1001#show crypto ikev2 session 
 IPv4 Crypto IKEv2 Session 

Session-id:58, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         x.x.x.x/4500   y.y.y.y/44910   none/WAN             READY  
      Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: EAP
      Life/Active Time: 86400/7 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.10.0.10/0 - 10.10.0.10/65535
          ESP spi in/out: 0xF48211CB/0xDA881E9B  

Session-id:43, Status:UP-ACTIVE, IKE count:1, CHILD count:1

On Windows it could be fixed by clearing the "Use default gateway on remote network" check-box, but there is no such check-box on GNOME/Linux or Android, and Apple devices could not connect at all.


Is it possible to configure the traffic selector 10.0.0.0/8 instead of 0.0.0.0/0?
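As an added example (not part of the original post and not Cisco's code), the following Python script parses `show crypto ikev2 session` output of the kind quoted above and reports, per session, whether the negotiated local selector is the full-tunnel 0.0.0.0/0 range, stays inside the intended 10.0.0.0/8 prefix, or is wider than that prefix. The sample output is constructed (placeholder addresses and SPIs) and the 10.0.0.0/8 policy prefix is an assumption taken from the question; it is useful as a quick check after changing the authorization policy, to confirm what clients actually negotiated rather than what the configuration intends.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the 'show crypto ikev2 session' output quoted in the
# question. Addresses and SPIs are placeholders, not values from a real router.
SAMPLE_OUTPUT = """\
 IPv4 Crypto IKEv2 Session

Session-id:58, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.0.2.1/4500        198.51.100.7/44910    none/WAN             READY
      Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: EAP
      Life/Active Time: 86400/7 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.10.0.10/0 - 10.10.0.10/65535
          ESP spi in/out: 0x00000001/0x00000002

Session-id:43, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         192.0.2.1/4500        198.51.100.9/4500     none/WAN             READY
      Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: EAP
      Life/Active Time: 86400/120 sec
Child sa: local selector  10.0.0.0/0 - 10.255.255.255/65535
          remote selector 10.10.0.11/0 - 10.10.0.11/65535
          ESP spi in/out: 0x00000003/0x00000004
"""

SESSION_RE = re.compile(r"^Session-id:(\d+),")
# A selector line reads: "<side> selector <start-ip>/<start-port> - <end-ip>/<end-port>"
SELECTOR_RE = re.compile(r"(local|remote) selector\s+([\d.]+)/(\d+) - ([\d.]+)/(\d+)")


def parse_selectors(output):
    """Return child-SA selectors as tuples:
    (session_id, side, start_ip, end_ip, start_port, end_port)."""
    selectors = []
    session_id = None
    for line in output.splitlines():
        m = SESSION_RE.match(line)
        if m:
            session_id = int(m.group(1))
            continue
        m = SELECTOR_RE.search(line)
        if m and session_id is not None:
            side, start, sport, end, eport = m.groups()
            selectors.append((session_id, side, ip_address(start), ip_address(end),
                              int(sport), int(eport)))
    return selectors


def selector_within(start_ip, end_ip, allowed):
    """True if the address range [start_ip, end_ip] lies entirely inside `allowed`."""
    net = ip_network(allowed)
    return (int(net.network_address) <= int(ip_address(start_ip))
            and int(ip_address(end_ip)) <= int(net.broadcast_address))


def audit_local_selectors(output, allowed="10.0.0.0/8"):
    """Map session id -> 'full-tunnel', 'ok' or 'too-wide' based on the local selector.
    `allowed` is the prefix the VPN is meant to carry (assumed 10.0.0.0/8 here)."""
    verdicts = {}
    for sid, side, start, end, _sport, _eport in parse_selectors(output):
        if side != "local":
            continue
        if start == ip_address("0.0.0.0") and end == ip_address("255.255.255.255"):
            verdicts[sid] = "full-tunnel"          # everything from the client is tunnelled
        elif selector_within(start, end, allowed):
            verdicts[sid] = "ok"                   # split tunnel limited to the policy prefix
        else:
            verdicts[sid] = "too-wide"             # narrower than 0/0 but beyond the policy
    return verdicts


if __name__ == "__main__":
    for sid, verdict in sorted(audit_local_selectors(SAMPLE_OUTPUT).items()):
        print(f"Session-id {sid}: {verdict}")
```

On a live box the same function can be fed the captured command output (for example via a terminal log or an SSH library); any session still reporting `full-tunnel` after the authorization policy change means that client did not receive or did not honour the narrowed selector, which is exactly the case the Apple and Android clients in the question would show.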

7 Replies

How about you configure a local authorisation policy to push down the routes to the client?

Do you mean route-set <standard-access-list>?

Yes, you can use that command. I use the commands below successfully on my router (although it is not exactly the same configuration as yours, I see no reason why it would not work with some tweaks).


crypto ikev2 profile IKEV2_PROFILE
 aaa authorization group cert list default IKEV2_AUTHZ

crypto ikev2 authorization policy IKEV2_AUTHZ
 route set remote ipv4 192.168.10.0 255.255.255.0
 route set remote ipv4 192.168.11.0 255.255.255.0

Curiously, I have the option local instead of remote:

asr1001(config)#crypto ikev2 authorization policy VPN-IKEv2
asr1001(config-ikev2-author-policy)#route set ?
  access-list  Specify the route access-list
  interface    Specify the route interface
  local        Specify route set local parameters

asr1001(config-ikev2-author-policy)#

And with the following configuration I could not connect at all:

crypto ikev2 authorization policy VPN-IKEv2
 route set local ipv4 10.0.0.0 255.0.0.0

crypto ikev2 profile VPN-IKEv2
 ...
 aaa authentication eap VPN-IKEv2
 aaa authorization user eap cached
 aaa authorization user eap list VPN-IKEv2
 ...

You should be able to use either "route set access-list" or "route set remote" commands to push down routes to a client. What version of firmware does your ASR1K currently use? I've checked my ISR1921 and CSR1000v and the "route set remote" command is available on both.

IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(2)S1, RELEASE SOFTWARE (fc1)


Cisco ASR1001, License Level: adventerprise

As you have the option to use an access-list have you tried that?


I notice you aren't running the latest firmware version. Can you upgrade and see if the option for remote is now available? These commands are working on the images I use, but I am running the latest firmware version there.