Hi all,
I'd like to ask you a question about a VPN design using an IPSec tunnel. I have an IPSec tunnel already operational and using "permit ip any any" statements on the two IPSec peers. These are the only statements in the crypto access-lists; I want to encrypt absolutely everything that goes through the WAN link. However, I found in this link "http://www.cisco.com/en/US/partner/docs/security/pix/pix50/configuration/guide/ipsec.html#wp7578" this statement: "The permit any any statement is strongly discouraged, as this will cause all outbound traffic to be protected (and all protected traffic sent to the peer specified in the corresponding crypto map entry) and will require protection for all inbound traffic. Then, all inbound packets that lack IPSec protection will be silently dropped." I haven't really understood the exact issue with this. Does someone have an example of a problematic situation due to this "any any" statement?
I am also wondering about a strange observation I made: I have NetFlow configured on one of my IPSec peers, monitoring the WAN interface with a monitoring tool (SolarWinds), and I see that I have traffic that is not encrypted! I see UDP and TCP traffic along with the ESP tunnel, and the non-ESP traffic is not low (30-40% of the whole traffic). I believe that I shouldn't see any UDP/TCP traffic? How could I check directly on the routers what traffic is not encrypted?
Thanks in advance for your help
brahim
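The two questions in the post above can be worked through with a small script. This is an added example, not code from the post, from Cisco, or from SolarWinds. It does two things: it classifies flow-cache records from the WAN link into IPsec (ESP/AH), IKE (UDP 500/4500, which the router sends outside the tunnel) and cleartext, reporting the cleartext share and the flows behind it; and it models the crypto ACL check so that the difference between "permit ip any any" and a scoped entry is visible. With "any any", traffic the router itself exchanges on its WAN address (a routing-protocol session with the ISP next hop, NTP, management) matches the ACL, so the inbound cleartext half of those conversations is dropped; a scoped entry leaves it alone. Everything concrete here is assumed: the interface names, the RFC 5737 addresses, the sample records (constructed in the column layout of the IOS "show ip cache flow" output, where protocol and ports are shown in hex), and the first-match ACL model. On the router itself the direct comparison is "show crypto ipsec sa" (#pkts encaps / #pkts decaps per SA) against the interface counters and "show ip cache flow"; this script is the parsing logic one would point at that output.

```python
"""Classify WAN flow records as IPsec / IKE / cleartext and model the crypto
ACL check.  Added example, not code from the original post or from Cisco."""
import ipaddress
from collections import defaultdict, namedtuple

# Constructed sample in the column layout of IOS "show ip cache flow" (Pr and
# ports in hex).  Assumed topology: Se0/0 is the WAN link, 203.0.113.2 the
# local address, 203.0.113.1 the ISP next hop, 198.51.100.2 the IPsec peer.
SAMPLE_FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/0         198.51.100.2    Local         203.0.113.2     32 0000 0000  8200
Fa0/0         10.1.1.10       Se0/0         10.2.2.20       06 0BB8 01BD   600
Se0/0         198.51.100.2    Local         203.0.113.2     11 01F4 01F4    12
Se0/0         203.0.113.1     Local         203.0.113.2     06 00B3 B0B9  1500
Local         203.0.113.2     Se0/0         203.0.113.1     06 B0B9 00B3  1450
Se0/0         192.0.2.50      Local         203.0.113.2     11 007B 007B    40
"""

Flow = namedtuple("Flow", "src_if src dst_if dst proto sport dport pkts")
ESP, AH, UDP = 0x32, 0x33, 0x11
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T: IKE is carried outside the tunnel


def parse_flow_cache(text):
    """Keep the 8-column flow lines; skip the header and any statistics text."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue
        src_if, src, dst_if, dst, pr, sp, dp, pkts = parts
        flows.append(Flow(src_if, src, dst_if, dst,
                          int(pr, 16), int(sp, 16), int(dp, 16), int(pkts)))
    return flows


def classify(flow):
    if flow.proto in (ESP, AH):
        return "ipsec"
    if flow.proto == UDP and (flow.sport in IKE_PORTS or flow.dport in IKE_PORTS):
        return "ike"
    return "cleartext"


def summarize(cache_text, wan_if):
    """Packets per category for flows touching wan_if, the cleartext share in
    percent, and the cleartext flows themselves.  A flow recorded on LAN
    ingress whose output interface is the WAN link is still listed in the clear."""
    totals, clear = defaultdict(int), []
    for flow in parse_flow_cache(cache_text):
        if wan_if not in (flow.src_if, flow.dst_if):
            continue
        category = classify(flow)
        totals[category] += flow.pkts
        if category == "cleartext":
            clear.append(flow)
    total = sum(totals.values())
    share = 100.0 * totals["cleartext"] / total if total else 0.0
    return dict(totals), share, clear


def _take_addr(tokens):
    """Consume one ACL address spec: any | host A.B.C.D | A.B.C.D wildcard."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # Cisco wildcards are inverted netmasks; non-contiguous masks are not modeled.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Accept 'permit|deny ip <src> <dst>' lines as in an extended ACL."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            continue
        src, rest = _take_addr(parts[2:])
        dst, _ = _take_addr(rest)
        entries.append((parts[0], src, dst))
    return entries


def requires_protection(acl, src, dst):
    """Outbound check, first match wins: permit means the packet must be IPsec
    protected and sent to the crypto map peer; implicit deny means cleartext."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def inbound_dropped_if_clear(acl, src, dst):
    """Inbound packets are checked against the mirror image of the crypto ACL;
    an unprotected packet that matches a permit entry is silently dropped."""
    return requires_protection(acl, dst, src)


ACL_ANY_ANY = "permit ip any any"
ACL_SCOPED = "permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"

if __name__ == "__main__":
    totals, share, clear = summarize(SAMPLE_FLOW_CACHE, "Se0/0")
    print(totals, f"cleartext share {share:.1f}%")
    for f in clear:
        print(f"  clear: {f.src}:{f.sport} -> {f.dst}:{f.dport} proto {f.proto} pkts {f.pkts}")
    for name, text in (("any any", ACL_ANY_ANY), ("scoped", ACL_SCOPED)):
        print(name, "BGP reply from ISP dropped if clear:",
              inbound_dropped_if_clear(parse_crypto_acl(text), "203.0.113.1", "203.0.113.2"))
```

Running it on the constructed cache lists the cleartext flows (the router's own TCP 179 session with the ISP next hop, NTP, and a LAN-ingress record whose output interface is the WAN link) and shows that only the "any any" ACL would require those router-to-ISP packets to be protected. Against real output, feed the text of "show ip cache flow" to summarize() and compare the "ipsec" packet count with the encaps/decaps counters from "show crypto ipsec sa".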