Arnold sent me an excellent question yesterday; he bought my Deploying Zone-Based Firewalls book, but found no sample configurations using IPSec VPN. I was able to find a few sample configurations on CCO, but none of them included the self zone. The truly interesting bit of the puzzle is the traffic being received or sent by the router (everything else is self-explanatory if you’ve read my book), so those configurations are not of great help.
Realizing that this is a bigger can of worms than I expected, I immediately fixed the slides in my Choose the Optimal VPN Service webinar, which now includes the security models for GRE, VTI and DMVPN-based VPN services.
Until I have time to develop and publish comprehensive (and tested) configurations, use these rules to develop your zone-to-self policies:
- You have to use access lists to classify traffic being sent or received by the router (you need access lists anyway, as the match protocol command cannot match ESP, GRE or OSPF).
- You have to define two zone-pairs: self-to-zone and zone-to-self.
- When using IPSec, the traffic to/from the public IP infrastructure has to include esp, isakmp (UDP port 500) and non500-isakmp. Permitting ICMP and a few other things (for example, SSH to the router) is also highly advisable.
- When using GRE tunnels without IPSec, the traffic to/from the router has to include gre.
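Here is what those rules look like when put together on an IOS router. This is an added illustration, not one of the author's tested configurations: the zone names, access-list names and class/policy-map names are my own, and the addresses are constructed placeholders (198.51.100.1 is the router's public address, 203.0.113.1 the remote VPN peer, 192.0.2.0/24 an assumed management subnet). Both zone-pairs are built with the same access-list-based classes, because the self zone passes nothing by default once a zone-pair exists.

```cisco
! Added example, not the author's configuration. Addresses are placeholders.
!
! 1. Access lists classify traffic the router itself receives and sends.
!    (match protocol cannot match ESP or GRE, so ACLs are needed anyway.)
ip access-list extended OUTSIDE-TO-SELF
 remark IPsec control and data plane from the remote peer
 permit esp host 203.0.113.1 host 198.51.100.1
 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.1 host 198.51.100.1 eq non500-isakmp
 remark GRE: needed when the tunnel runs without IPsec (see the last rule above)
 permit gre host 203.0.113.1 host 198.51.100.1
 remark ICMP for troubleshooting, SSH only from the assumed management subnet
 permit icmp any host 198.51.100.1
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
!
ip access-list extended SELF-TO-OUTSIDE
 permit esp host 198.51.100.1 host 203.0.113.1
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.1 eq non500-isakmp
 permit gre host 198.51.100.1 host 203.0.113.1
 permit icmp host 198.51.100.1 any
 remark replies to the management SSH sessions above
 permit tcp host 198.51.100.1 eq 22 192.0.2.0 0.0.0.255
!
! 2. One inspect class per direction, matching on the access lists.
class-map type inspect match-any OUTSIDE-TO-SELF-CLASS
 match access-group name OUTSIDE-TO-SELF
class-map type inspect match-any SELF-TO-OUTSIDE-CLASS
 match access-group name SELF-TO-OUTSIDE
!
! 3. ESP and GRE cannot be stateful-inspected, so the self-zone traffic is
!    passed (stateless); that is why both directions need explicit entries.
!    Everything else the router receives from, or sends to, OUTSIDE is dropped
!    and logged, which is what makes the policy auditable.
policy-map type inspect OUTSIDE-TO-SELF-POLICY
 class type inspect OUTSIDE-TO-SELF-CLASS
  pass
 class class-default
  drop log
policy-map type inspect SELF-TO-OUTSIDE-POLICY
 class type inspect SELF-TO-OUTSIDE-CLASS
  pass
 class class-default
  drop log
!
! 4. The two zone-pairs from the rules above: zone-to-self and self-to-zone.
zone security OUTSIDE
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF-POLICY
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUTSIDE-POLICY
!
interface GigabitEthernet0/0
 description public uplink (placeholder address)
 ip address 198.51.100.1 255.255.255.0
 zone-member security OUTSIDE
!
! Check which class is matching and what class-default is dropping with:
!   show policy-map type inspect zone-pair OUTSIDE-SELF
!   show policy-map type inspect zone-pair SELF-OUTSIDE
```

Two things to watch when adapting this: any routing protocol or management traffic on the public interface that is not listed in the access lists will land in class-default and be dropped as soon as the zone-pairs are configured, so check the drop counters in the show commands above before and after cutting over; and because the traffic is passed rather than inspected, tightening the access lists to specific peer addresses (as done here) is what keeps the self zone from becoming an open door.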