As the fall equinox quickly approaches, it brings with it the cool fall air and all the wonderful color-changing (dying) leaves that we Mainers love so much. It's the perfect time to grab a cup of joe and discuss a recent issue our customers have run into when sending Cisco NetFlow over an encrypted IPsec tunnel.

What’s the problem?

There is an issue with Cisco routers running IOS that both encrypt traffic for an IPsec VPN tunnel and export NetFlow v5: the router's own, self-generated NetFlow v5 export packets are not encrypted, so they never make it across the tunnel. The result is a router whose NetFlow v5 configuration is correct, yet none of the flow packets reach the NetFlow analyzer. It's important to understand that this only affects routers doing both the encryption and the v5 export. NetFlow packets that arrive from another device and are forwarded through the encrypting router are encrypted and sent over the tunnel like any other transit traffic.

We’ve found the flows you’re looking for!

The fix for exporting NetFlow over an IPsec tunnel is to switch the router from traditional NetFlow v5 to Flexible NetFlow (FnF). Flexible NetFlow export packets are encrypted along with the rest of the tunnel traffic, so the router's self-generated exports arrive at the collector. One caveat: whatever source interface the exporter uses, its address must be part of the traffic the tunnel carries (the crypto ACL, or the routing for a tunnel interface), or the exports will leave the router outside the tunnel. Below is a basic Flexible NetFlow configuration for a Cisco IOS router (the exporter name, addresses and port are examples):

!
! Exporter: where the flow records go, which interface they are sourced from,
! and how often the v9 templates are resent
flow exporter export-to-scrutinizer
 destination 10.0.0.1
 source Loopback0
 transport udp 2055
 template data timeout 60
!
! Monitor: ties the record format (netflow-original is the v5-equivalent
! field set) to the exporter and sets how long active flows stay cached
flow monitor flow-monitor
 cache timeout active 60
 record netflow-original
 exporter export-to-scrutinizer
!
! Apply the monitor in both directions on each interface to be metered
interface FastEthernet0/1
 ip flow monitor flow-monitor input
 ip flow monitor flow-monitor output
!
interface Vlan1
 ip address 10.1.2.1 255.255.255.0
 ip flow monitor flow-monitor input
 ip flow monitor flow-monitor output
!
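After making this change, the thing a practitioner wants next is a way to confirm, on the collector side, what is actually arriving on UDP 2055. The following is an added example, not code from this post, Plixer, or Cisco: it decodes the NetFlow v5 header and flow records and the NetFlow v9 header and flowset layout (v9 is the wire format Flexible NetFlow uses with the netflow-original record), so you can tell whether the datagrams reaching the analyzer are v5, v9, or nothing at all. The two sample datagrams, their addresses and the 30-second listener timeout are constructed assumptions, not captured traffic.

```python
"""Collector-side check: which NetFlow export format is actually arriving?

Added example, not code from the original post, Plixer, or Cisco. Decodes
the NetFlow v5 header and records and the NetFlow v9 header and flowsets.
The sample packets are constructed inline, not captured from a router.
"""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record
V9_HEADER = struct.Struct("!HHIIII")                    # 20-byte v9 header
FLOWSET_HDR = struct.Struct("!HH")                      # v9 flowset id + length


def decode_export(data: bytes) -> dict:
    """Decode one export datagram; raise ValueError on anything malformed."""
    if len(data) < 2:
        raise ValueError("too short to carry a NetFlow version field")
    version = struct.unpack_from("!H", data)[0]

    if version == 5:
        if len(data) < V5_HEADER.size:
            raise ValueError("truncated NetFlow v5 header")
        _, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = V5_HEADER.unpack_from(data)
        needed = V5_HEADER.size + count * V5_RECORD.size
        if len(data) < needed:
            raise ValueError(f"v5 header announces {count} records, packet is {len(data)} bytes")
        records = []
        for i in range(count):
            f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
            records.append({
                "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                "sport": f[9], "dport": f[10], "proto": f[13],
                "packets": f[5], "bytes": f[6],
            })
        return {"version": 5, "kind": "traditional NetFlow v5", "count": count,
                "sequence": seq, "records": records}

    if version == 9:
        if len(data) < V9_HEADER.size:
            raise ValueError("truncated NetFlow v9 header")
        _, count, _uptime, _secs, seq, source_id = V9_HEADER.unpack_from(data)
        flowsets, off = [], V9_HEADER.size
        # Walk the flowsets; a bad length is rejected rather than looped on.
        while off + FLOWSET_HDR.size <= len(data):
            fid, flen = FLOWSET_HDR.unpack_from(data, off)
            if flen < FLOWSET_HDR.size or off + flen > len(data):
                raise ValueError(f"malformed v9 flowset length {flen} at offset {off}")
            kind = "template" if fid == 0 else "options-template" if fid == 1 else "data"
            flowsets.append({"id": fid, "type": kind, "length": flen})
            off += flen
        return {"version": 9, "kind": "NetFlow v9 (Flexible NetFlow export)", "count": count,
                "sequence": seq, "source_id": source_id, "flowsets": flowsets}

    raise ValueError(f"unsupported export version {version}")


def build_v5_sample() -> bytes:
    """Constructed v5 datagram: one TCP flow 10.1.2.50:51234 -> 10.0.0.1:443."""
    header = V5_HEADER.pack(5, 1, 123456, 1700000000, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(
        socket.inet_aton("10.1.2.50"), socket.inet_aton("10.0.0.1"),
        socket.inet_aton("0.0.0.0"), 1, 2, 12, 3456, 1000, 2000,
        51234, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record


def build_v9_sample() -> bytes:
    """Constructed v9 datagram: header plus one template flowset (template 256)."""
    header = V9_HEADER.pack(9, 1, 123456, 1700000000, 7, 0)
    # flowset id 0, length 20, template id 256, 3 fields:
    # IPV4_SRC_ADDR(8,4) IPV4_DST_ADDR(12,4) IN_BYTES(1,4)
    template = struct.pack("!HHHHHHHHHH", 0, 20, 256, 3, 8, 4, 12, 4, 1, 4)
    return header + template


def summarize(data: bytes) -> str:
    """One-line verdict for a received datagram."""
    info = decode_export(data)
    return f"{info['kind']}: {info['count']} record(s), sequence {info['sequence']}"


if __name__ == "__main__":
    # Stand-alone: decode the constructed samples, then wait for one real
    # datagram on the export port used in the configuration above.
    for sample in (build_v5_sample(), build_v9_sample()):
        print(summarize(sample))
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 2055))
    sock.settimeout(30)
    try:
        datagram, peer = sock.recvfrom(65535)
        print(f"{peer[0]} -> {summarize(datagram)}")
    except socket.timeout:
        print("no export received in 30 s: the router's export is not reaching this host")
```

Run it on the collector host while the router is exporting: a v5 verdict means the router is still on traditional NetFlow, a v9 verdict means the Flexible NetFlow exporter is reaching you through the tunnel, and a timeout means the exports are being dropped or leaving the router outside the tunnel. A sniffer on the tunnel's outside interface that shows UDP 2055 in the clear points to the same source-address caveat noted above.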

If you've come this far and are interested in the other benefits of Flexible NetFlow, I'd recommend setting up Cisco Flexible NetFlow for NBAR exports.

Paul Dube

Paul Dube is the Director of Technical Services at Plixer. He has a passion for enabling individuals and organizations to use highly complex systems to solve business and personal objectives. This passion for problem solving has Paul working with some of the largest enterprises to solve their security and networking challenges and also educating his young daughters on how to enrich their lives with technology. When he's not working, you will find him enjoying time with his family, cooking something delicious on the Big Green Egg, and enjoying the best brews that the locals have to offer.
