I have configured an IPsec VPN between 2 routers which are connected through an E1 line. Of course I don't want to encrypt everything, so I've set up a policy to just include certain addresses. Out of that range of addresses I would like to exclude some. So I thought that this would work if I added an access-list deny as the first line for the host I want to exclude. What happened is that the router at the remote site sent the packet unencrypted and the local router with the same access-list complained about the packet not being encrypted. What am I doing wrong?
Here is the access list: (very basic as you will see)
access-list 115 deny ip xxx.xx.xxx.x 0.0.0.31 host xxx.xx.xxx.xx
access-list 115 permit ip xxx.xx.xxx.x 0.0.31.255 xxx.xx.xxx.x 0.0.31.255
If someone has an idea, I would appreciate it.
Perhaps a different way of thinking about the access list might help. The way that access lists function in VPN to identify traffic to be protected is significantly different from the way that access lists function when applied to an interface as a packet filter. When you apply the access list to an interface you must specify a direction (in or out), and that direction defines what is source and what is destination. But VPN does not assign the access list as in or out. In fact the same access list is used to examine inbound and outbound traffic, and the IOS makes the appropriate adjustments about what is source and what is destination. So for access lists with VPN it may help to think of the addresses in the access list as "local" (source) and "remote" (destination).
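As an added illustration of the matching rule described in this answer (example code, not from the original thread or from Cisco), here is a small Python model of a crypto ACL: Cisco wildcard-mask matching, the source/destination swap applied to inbound traffic, and a check that a peer's ACL is the mirror of the local one. The addresses are constructed stand-ins for the post's obfuscated xxx.xx.xxx.x values.

```python
import ipaddress
# Constructed sample addresses standing in for the post's obfuscated xxx.xx.xxx.x values: local site
# 10.1.0.0/19 with an excluded 10.1.0.0/27, remote site 10.2.0.0/19 and the remote host 10.2.0.10.
LOCAL_ACL = [
    "access-list 115 deny ip 10.1.0.0 0.0.0.31 host 10.2.0.10",
    "access-list 115 permit ip 10.1.0.0 0.0.31.255 10.2.0.0 0.0.31.255",
]

def _addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; a wildcard bit of 1 means 'don't care'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def parse_acl(lines):
    """Turn 'access-list N permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in lines:
        t = line.split()
        src, i = _addr(t, 4)          # t[2] is the action, t[3] the protocol ('ip')
        dst, _ = _addr(t, i)
        entries.append((t[2], src, dst))
    return entries

def _match(addr, spec):
    base, wild = spec                 # compare only the bits the wildcard mask does not mask out
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (base & ~wild)

def evaluate(entries, src, dst):
    """First-match lookup; None models the implicit deny at the end of every Cisco ACL."""
    for action, s, d in entries:
        if _match(src, s) and _match(dst, d):
            return action
    return None

def crypto_decision(entries, src, dst, inbound):
    """Crypto-map semantics from the answer: outbound packets are checked as written, inbound ones
    with source and destination swapped. 'protect' = must be IPsec-protected, 'clear' = unencrypted."""
    s, d = (dst, src) if inbound else (src, dst)
    return "protect" if evaluate(entries, s, d) == "permit" else "clear"

def mirror(entries):
    """The ACL the peer router needs: every entry with source and destination swapped."""
    return [(action, d, s) for action, s, d in entries]

def consistent(local_entries, remote_entries, src, dst):
    """True when what the local router sends (clear or protected) is what the remote router expects."""
    return crypto_decision(local_entries, src, dst, False) == crypto_decision(remote_entries, src, dst, True)
```

Running `consistent(entries, entries, ...)` with the same (unmirrored) list on both ends shows traffic the local side protects that the remote side does not expect protected, which is the kind of mismatch the post describes.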