crypto map encrypting "any any" traffic and trafic not encrypted??

sagou.brahim
Level 1

Hi all,

I'd like to ask you a question about a VPN design using an IPsec tunnel. I have an IPsec tunnel already operational, using "permit ip any any" statements on the two IPsec peers. These are the only statements in the crypto access-lists; I want to encrypt absolutely everything that goes through the WAN link. However, I found in this link "http://www.cisco.com/en/US/partner/docs/security/pix/pix50/configuration/guide/ipsec.html#wp7578"

this statement: "The permit any any statement is strongly discouraged, as this will cause all outbound traffic to be protected (and all protected traffic sent to the peer specified in the corresponding crypto map entry) and will require protection for all inbound traffic. Then, all inbound packets that lack IPSec protection will be silently dropped." I haven't really understood the exact issue with this. Does anyone have an example of a problematic situation caused by this "any any" statement?

I am also wondering about a strange observation I made: I have NetFlow configured on one of my IPsec peers, monitoring the WAN interface with a monitoring tool (SolarWinds), and I see that I have traffic that is not encrypted! I see UDP and TCP traffic along with the ESP tunnel, and the non-ESP traffic is not low (30-40% of the whole traffic). I believe that I shouldn't see any UDP/TCP traffic? How could I check directly on the routers which traffic is not encrypted?

Thanks in advance for your help

brahim

1 Reply

irisrios
Level 6

As far as I know, IPsec encryption is for traffic sent by clients on the LAN side of the router, not for traffic originated by the router itself. When you use "ip any any", all traffic going outbound will be protected, and it is expected that all inbound traffic (to the router) is encrypted. Traffic like routing protocols or ping traffic originated by the other router, which will not be encrypted, will be dropped.
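One way to answer the second question (which traffic on the WAN link is not encrypted) is to classify the exported flow records by protocol: ESP (IP protocol 50) is the tunnel itself, UDP/500 and UDP/4500 are IKE and NAT-T control traffic, and everything else is cleartext on the wire. The script below is an added example for this thread, not code from the original post or from Cisco. The flow records are constructed; the field names (src, dst, proto, sport, dport, bytes) and the peer addresses 203.0.113.1/203.0.113.2 are assumptions modelled on NetFlow v5 fields. It also separates cleartext seen directly between the two peer addresses, which is where router-originated traffic such as routing protocols or pings would appear.

```python
"""
Classify WAN-side flow records into ESP, IKE/NAT-T control traffic and
cleartext, to answer "what traffic on this link is not encrypted?".

Added example, not code from the original thread or from Cisco. The flow
records are constructed; on a real router they would come from a
NetFlow/IPFIX export of the WAN interface. Field names are an assumption
modelled on NetFlow v5 fields.
"""
from collections import defaultdict

PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_OSPF = 89
IKE_PORT = 500      # ISAKMP / IKE
NAT_T_PORT = 4500   # UDP-encapsulated ESP (NAT traversal)

# Assumed IPsec peer addresses for the constructed data.
PEERS = frozenset({"203.0.113.1", "203.0.113.2"})

# Constructed sample: one exporter's view of the WAN interface.
SAMPLE_FLOWS = [
    {"src": "203.0.113.1", "dst": "203.0.113.2", "proto": PROTO_ESP, "sport": 0, "dport": 0, "bytes": 600_000},
    {"src": "203.0.113.2", "dst": "203.0.113.1", "proto": PROTO_ESP, "sport": 0, "dport": 0, "bytes": 390_000},
    {"src": "203.0.113.1", "dst": "203.0.113.2", "proto": PROTO_UDP, "sport": 500, "dport": 500, "bytes": 2_000},
    {"src": "203.0.113.1", "dst": "203.0.113.2", "proto": PROTO_UDP, "sport": 4500, "dport": 4500, "bytes": 8_000},
    # Router-originated traffic to the peer: routing protocol and ping.
    {"src": "203.0.113.1", "dst": "203.0.113.2", "proto": PROTO_OSPF, "sport": 0, "dport": 0, "bytes": 30_000},
    {"src": "203.0.113.1", "dst": "203.0.113.2", "proto": PROTO_ICMP, "sport": 0, "dport": 0, "bytes": 5_000},
    # A LAN-sourced flow the exporter reported in the clear: the kind of
    # entry to check against the crypto ACL and the SA counters.
    {"src": "10.1.1.5", "dst": "198.51.100.9", "proto": PROTO_TCP, "sport": 51000, "dport": 443, "bytes": 465_000},
]


def classify(flow):
    """Return 'esp', 'ike' or 'cleartext' for one flow record."""
    if flow["proto"] == PROTO_ESP:
        return "esp"
    if flow["proto"] == PROTO_UDP and {flow["sport"], flow["dport"]} & {IKE_PORT, NAT_T_PORT}:
        return "ike"
    return "cleartext"


def summarize(flows, peers=PEERS):
    """Byte totals per class, cleartext share, and the cleartext flows to inspect."""
    by_class = defaultdict(int)
    peer_cleartext = 0
    cleartext_flows = []
    for f in flows:
        cls = classify(f)
        by_class[cls] += f["bytes"]
        if cls == "cleartext":
            cleartext_flows.append(f)
            # Cleartext exchanged directly between the two peer addresses is
            # typically router-originated (routing protocol, ping), which a
            # crypto ACL written for LAN-to-LAN subnets does not cover.
            if f["src"] in peers and f["dst"] in peers:
                peer_cleartext += f["bytes"]
    total = sum(by_class.values())
    share = round(100.0 * by_class["cleartext"] / total, 1) if total else 0.0
    top = sorted(cleartext_flows, key=lambda f: f["bytes"], reverse=True)
    return {
        "bytes": dict(by_class),
        "cleartext_pct": share,
        "peer_cleartext_bytes": peer_cleartext,
        "top_cleartext": [(f["src"], f["dst"], f["proto"], f["dport"], f["bytes"]) for f in top],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    print(f"bytes by class: {report['bytes']}")
    print(f"cleartext share: {report['cleartext_pct']}%")
    print(f"cleartext between peers (router-originated?): {report['peer_cleartext_bytes']} bytes")
    for src, dst, proto, dport, nbytes in report["top_cleartext"]:
        print(f"  {src} -> {dst} proto {proto} dport {dport}: {nbytes} bytes")
```

On the router itself, the encaps/decaps packet counters in `show crypto ipsec sa` are the reference to compare against: a cleartext flow the script reports that is also counted as encapsulated was accounted by the exporter before encryption rather than sent in the clear, so where in the forwarding path the exporter samples relative to encryption matters when reading these numbers.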
