EZVPN Access List

Jun 3rd, 2008


I would like to know the notion of DENY in the ACL of a crypto ezvpn.

Does a deny mean that the traffic will be denied from traversing the VPN tunnel, or does it mean that the traffic will traverse the tunnel but not be encrypted?

Thanks in advance,


michael.leblanc Tue, 06/03/2008 - 11:32

A crypto ACL is used to identify traffic that requires crypto treatment.

IPSec traffic is "encapsulated". It is not necessarily "encrypted". It is dependent on the policy you define.

e.g.: You could use Authentication Header (AH) protocol instead of ESP, in which case you would benefit from the "authentication" of data, but no "encryption" would be performed.

Only traffic matching a "permit" statement in the crypto ACL would be "encapsulated", and be considered part of the tunnel.

Traffic matching a "deny" statement in the crypto ACL would bypass the crypto engine, but may be forwarded "outside" the tunnel if a route to the destination address is known, and the address is routable.

A packet with a "private" destination IP address would have trouble traversing the Internet.
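To make the permit/deny behaviour described above concrete, here is an added IOS configuration fragment (example only, not taken from the original thread or from any Cisco document). The subnets, peer address and interface name are constructed for illustration, and a classic crypto map is shown rather than the Easy VPN client command set, since the crypto ACL semantics are the same.

```cisco
! Crypto ACL: "permit" = encapsulate through the IPSec tunnel,
! "deny" = bypass the crypto engine entirely.
ip access-list extended CRYPTO-ACL
 ! Constructed example: keep one management host OUT of the tunnel.
 ! Packets from 192.168.10.0/24 to 10.1.1.50 are NOT encapsulated.
 ! Because 10.1.1.50 is a private address, such packets leave the
 ! outside interface in clear text and will not cross the Internet.
 deny   ip 192.168.10.0 0.0.0.255 host 10.1.1.50
 ! Everything else from the LAN to the corporate 10.0.0.0/8 range
 ! is encapsulated (and, with an ESP transform set, encrypted).
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 ! Implicit deny at the end: all other traffic is routed normally,
 ! outside the tunnel, if a route exists.

! ESP transform set: encryption + authentication. With an AH-only
! transform set the same ACL would still select the traffic, but it
! would only be authenticated, not encrypted.
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac

! Constructed peer address (documentation range).
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES-SHA
 match address CRYPTO-ACL

interface GigabitEthernet0/0
 description Outside / Internet-facing (constructed example)
 crypto map VPN-MAP
```

A quick check after applying this is `show crypto ipsec sa`, which lists the ACL's permit entries as the tunnel's protected proxies; the denied host never appears there.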
