<br><font size=2 face="sans-serif">Haven't done IPSec from a Cisco device
before so I can't really help. But if it's a 6500, I know the netflow gets
exported from the MSFC and the Supervisor separately and maybe you don't
have both encrypted.</font>
<br>
<br><font size=2 face="sans-serif">I hope you can get it going, but if
not you could connect a (cheap) host locally and have it relay the packets
via IPSec. Actually, what I've had to do is run periodic 'scp' copies from
a local collector back to my main collector when this level of security
was required.</font>
<br>
<br><font size=2 face="sans-serif">Joe<br>
</font>
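<p><font size=2 face="sans-serif">As an added example of the scp fallback Joe describes (editor's code, not from the thread or from flow-tools): a Python script for the local collector's cron that copies only files flow-capture has finished writing. It assumes flow-capture's convention of naming an open file tmp-* and renaming it to ft-* when the interval closes, keeps a manifest of SHA-256 digests so each file is sent once, and stops at the first failed copy so the next run retries. The remote target collector.example.org:/var/flows and the manifest path are placeholders; demo() exercises the logic against a constructed directory tree with a fake scp.</font></p>

```python
"""Ship completed flow-capture files from a local collector to a central one.

Added example for the scp approach described above; not part of the thread or
of flow-tools. Assumes flow-capture's naming: a file is 'tmp-*' while it is
still being written and becomes 'ft-*' when its interval closes, so only
'ft-*' files are safe to copy. Remote target and manifest path are placeholders.
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path

COMPLETED_PREFIX = "ft-"  # closed interval, safe to copy; 'tmp-*' is still open


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(manifest: Path) -> dict:
    """Map of relative file name -> sha256 for files already shipped."""
    shipped = {}
    if manifest.exists():
        for line in manifest.read_text().splitlines():
            digest, sep, name = line.partition("  ")
            if sep and digest and name:
                shipped[name] = digest
    return shipped


def pending_files(flow_dir: Path, shipped: dict) -> list:
    """Completed flow files at any depth (flow-capture -n nests by date)
    whose current digest is not yet in the manifest, oldest first."""
    pending = []
    for p in sorted(flow_dir.rglob(COMPLETED_PREFIX + "*")):
        rel = p.relative_to(flow_dir).as_posix()
        if p.is_file() and shipped.get(rel) != sha256_of(p):
            pending.append(p)
    return pending


def scp_command(local: Path, remote: str, rel: str) -> list:
    # BatchMode makes an unattended run fail instead of hanging on a password
    # prompt; -p preserves timestamps. The remote date directories must exist.
    return ["scp", "-p", "-o", "BatchMode=yes", str(local), f"{remote}/{rel}"]


def ship(flow_dir: Path, remote: str, manifest: Path, runner=subprocess.run) -> list:
    """Copy each pending file, recording its digest in the manifest on success."""
    shipped = load_manifest(manifest)
    done = []
    for p in pending_files(flow_dir, shipped):
        rel = p.relative_to(flow_dir).as_posix()
        if runner(scp_command(p, remote, rel), check=False).returncode != 0:
            break  # leave the rest for the next cron run
        with manifest.open("a") as m:
            m.write(f"{sha256_of(p)}  {rel}\n")
        done.append(rel)
    return done


def demo() -> dict:
    """Dry run over a constructed flow-capture tree with a fake scp."""
    with tempfile.TemporaryDirectory() as d:
        day = Path(d, "flows", "2008", "2008-06", "2008-06-04")
        day.mkdir(parents=True)
        (day / "ft-v05.2008-06-04.080000+0200").write_bytes(b"constructed flow data 1")
        (day / "ft-v05.2008-06-04.081500+0200").write_bytes(b"constructed flow data 2")
        (day / "tmp-v05.2008-06-04.083000+0200").write_bytes(b"still being written")
        manifest = Path(d, "shipped.sha256")
        calls = []

        def fake_scp(cmd, check=False):
            calls.append(cmd)
            return subprocess.CompletedProcess(cmd, 0)

        flows, remote = Path(d, "flows"), "collector.example.org:/var/flows"
        first = ship(flows, remote, manifest, runner=fake_scp)
        second = ship(flows, remote, manifest, runner=fake_scp)  # nothing new
        return {"first": first, "second": second, "scp_calls": len(calls)}


if __name__ == "__main__":
    print(demo())
```

<p><font size=2 face="sans-serif">The manifest uses the same "digest  name" line format as sha256sum, so the central side can verify what arrived with sha256sum -c against its copy.</font></p>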
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>"Johannes Herlitz"
&lt;Johannes.Herlitz@satlynx.com&gt;</b> </font>
<br><font size=1 face="sans-serif">Sent by: flow-tools-bounces@list.splintered.net</font>
<p><font size=1 face="sans-serif">06/04/2008 08:03 AM</font>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td><font size=1 face="sans-serif">&lt;flow-tools@list.splintered.net&gt;</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">[Flow-tools] Encrypt netflow exports
using IPSec?</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><font size=2 face="Arial">Hello,</font>
<br><font size=2 face="Arial"> </font>
<br><font size=2 face="Arial">This is not a problem directly related to
flow-tools itself, but to Netflow exports from a Cisco router.</font>
<br><font size=2 face="Arial"> </font>
<br><font size=2 face="Arial">How can I encrypt the exported UDP datagrams
using IPSec?</font>
<br><font size=2 face="Arial"> </font>
<br><font size=2 face="Arial">The idea is simple: configure an IPSec tunnel
between the Cisco router and the Linux box that runs ‘flow-capture’.
I successfully established this tunnel. Just for testing, I configured
a Syslog server (“logging 10.222.1.67”). The syslog UDP datagrams are
encrypted correctly. ICMP echos and echo-replies from the router to the
Netflow-server or vice versa are also encrypted.</font>
<br><font size=2 face="Arial">However, the Cisco router does not encrypt
the Netflow datagrams. This clearly is a Cisco IOS bug for me.</font>
<br><font size=2 face="Arial"> </font>
<br><font size=2 face="Arial">Does one of you have a solution for how to encrypt
the exported Netflow data?</font>
<br><font size=2 face="Arial"> </font>
<br><font size=2 face="Arial">Below is the Cisco configuration.</font>
<br><font size=2 face="Arial"> </font>
<br><font size=2 face="Arial">---</font>
<pre>
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key linux address 10.222.1.67

crypto ipsec transform-set linux esp-3des esp-md5-hmac

crypto map linux 10 ipsec-isakmp
 set peer 10.222.1.67
 set security-association lifetime seconds 28800
 set transform-set linux
 set pfs group2
 match address EncryptMe

ip access-list extended EncryptMe
 permit ip host 10.222.1.40 host 10.222.1.67

interface FastEthernet0
 ip address 10.222.1.30 255.255.252.0
 ip flow ingress
 crypto map linux

ip flow-export version 5
ip flow-export destination 10.222.1.67 9003
</pre>
<font size=2 face="Arial">---</font>
<br><font size=2 face="Arial"> </font>
<br><font size=2 face="Arial"> </font>
<br><font size=2 face="Arial">I’ve found out that the Cisco correctly encrypts
the exported data when using SCTP instead of UDP as the transport protocol.
However, flow-capture does not support SCTP yet. Is there a way to make
flow-capture accept SCTP, maybe with a wrapper around it?</font>
<br><font size=2 face="Arial"> </font>
<br><font size=2 face="Arial"> </font>
<br><font size=2 face="Arial">Cheers,</font>
<br><font size=2 face="Arial">Johannes</font>
<br>
<br><font size=2><tt>_______________________________________________<br>
Flow-tools mailing list<br>
flow-tools@splintered.net<br>
http://mailman.splintered.net/mailman/listinfo/flow-tools</tt></font>
<br>
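<p><font size=2 face="sans-serif">An added check for the configuration posted above (editor's example, not Cisco tooling and not from the thread): a crypto map only encrypts traffic that the ACL named in its "match address" permits, so the first thing to verify is whether the export's source and destination addresses fall inside that ACL. The script parses the relevant part of the excerpt (copied into SAMPLE_CONFIG) and reports the result. It assumes, when no "ip flow-export source" is configured, that the export is sourced from the address of the interface carrying the crypto map, and it handles only the IOS syntax the excerpt uses.</font></p>

```python
"""Check whether a router's NetFlow export is selected by its crypto-map ACL.

Added example for the configuration posted above; not Cisco tooling and not
part of the thread. Only the subset of IOS syntax used in the excerpt is parsed.
"""
import ipaddress

# Constructed copy of the posted configuration, trimmed to the parts the check reads.
SAMPLE_CONFIG = """\
crypto map linux 10 ipsec-isakmp
 set peer 10.222.1.67
 set transform-set linux
 match address EncryptMe
ip access-list extended EncryptMe
 permit ip host 10.222.1.40 host 10.222.1.67
interface FastEthernet0
 ip address 10.222.1.30 255.255.252.0
 ip flow ingress
 crypto map linux
ip flow-export version 5
ip flow-export destination 10.222.1.67 9003
"""


def config_blocks(cfg: str):
    """Yield (top-level command, [indented sub-commands]) pairs."""
    header, children = None, []
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        if raw[0] == " ":
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def acl_addr(tokens: list):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks; a non-contiguous one raises ValueError
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]


def parse_config(cfg: str) -> dict:
    m = {"interfaces": {}, "acls": {}, "crypto_maps": {}, "exports": [], "export_source": None}
    for header, children in config_blocks(cfg):
        w = header.split()
        if w[0] == "interface":
            info = {"ip": None, "crypto_map": None}
            for c in children:
                cw = c.split()
                if cw[:2] == ["ip", "address"]:
                    info["ip"] = cw[2]
                elif cw[:2] == ["crypto", "map"]:
                    info["crypto_map"] = cw[2]
            m["interfaces"][w[1]] = info
        elif w[:2] == ["ip", "access-list"]:
            entries = []
            for c in children:
                cw = c.split()
                if cw[:2] == ["permit", "ip"]:
                    src, rest = acl_addr(cw[2:])
                    entries.append((src, acl_addr(rest)[0]))
            m["acls"][w[-1]] = entries
        elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            for c in children:
                cw = c.split()
                if cw[:2] == ["match", "address"]:
                    m["crypto_maps"][w[2]] = cw[2]
        elif w[:2] == ["ip", "flow-export"]:
            if w[2] == "destination":
                m["exports"].append((w[3], int(w[4])))
            elif w[2] == "source":
                m["export_source"] = w[3]
    return m


def check_export_coverage(cfg: str) -> dict:
    m = parse_config(cfg)
    # The crypto map sits on the interface the export leaves through.
    egress = next((n for n, i in m["interfaces"].items() if i["crypto_map"]), None)
    acl_name = m["crypto_maps"].get((m["interfaces"].get(egress) or {}).get("crypto_map"))
    # Assumption: without 'ip flow-export source', the export is sourced from the
    # egress interface's own address.
    src_if = m["export_source"] or egress
    src_ip = (m["interfaces"].get(src_if) or {}).get("ip")
    entries = m["acls"].get(acl_name, [])
    exports = []
    for dst_ip, port in m["exports"]:
        covered = src_ip is not None and any(
            ipaddress.ip_address(src_ip) in s and ipaddress.ip_address(dst_ip) in d
            for s, d in entries)
        exports.append({"destination": f"{dst_ip}:{port}", "covered": covered})
    return {"source_interface": src_if, "source_assumed": m["export_source"] is None,
            "source_ip": src_ip, "acl": acl_name, "exports": exports}


if __name__ == "__main__":
    print(check_export_coverage(SAMPLE_CONFIG))
```

<p><font size=2 face="sans-serif">The report includes source_assumed so that, when the router actually sources the export from an interface the excerpt does not show, the result is read as a prompt to confirm the export's source address (for example with "show ip flow export") rather than as a verdict.</font></p>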