09-05-2008 07:16 AM - edited 03-03-2019 11:25 PM
Hello,
I configured an IPSec tunnel between a hub router and some spoke routers. Everything works fine.
My next step is to filter traffic between the sites with ACLs.
One of the ACLs is:
ip access-list extended gre_hub-spoke1
permit gre host 172.31.254.254 host 172.31.254.1
permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255
This ACL matches to the crypto map:
crypto map gre-tunnel 10 ipsec-isakmp
set peer 172.31.254.1
set transform-set myset
match address gre_hub-spoke1
Why is the behavior different than configured?
The "permitted" communication is blocked, other traffic is forwarded.
Thanks and kind regards
Matthias
09-05-2008 07:52 AM
From the Crypto acl:
permit gre host 172.31.254.254 host 172.31.254.1 ---------------> SAs are built and the traffic is going through
permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255 ---------------------> there are no SAs built for it! Check for a mirror-image ACL entry for it on the other side in the crypto ACL.
HTH
Saju
Please rate if it helps.
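The mirror-image check Saju describes can be automated. The following is an added example (not code from the thread or from Cisco): it parses the permit lines of two crypto ACLs in the extended-ACL syntax used above and lists every local entry whose reversed counterpart is missing on the peer, i.e. the traffic for which no SA will ever be negotiated. The spoke ACL name and its contents are constructed for the example.

```python
"""Mirror-image check for Cisco crypto ACLs (added example, not from the thread)."""
from typing import List, Set, Tuple

Entry = Tuple[str, str, str]  # (protocol, source, destination)


def _parse_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec: 'host A.B.C.D', 'any', or 'network wildcard'."""
    if tokens[0] == "host":
        return f"{tokens[1]}/0.0.0.0", tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0/255.255.255.255", tokens[1:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_crypto_acl(text: str) -> Set[Entry]:
    """Return the (proto, src, dst) permit entries of an extended ACL body.

    The 'ip access-list' header and deny lines are skipped: only permit
    entries define traffic that the crypto map will try to protect.
    """
    entries: Set[Entry] = set()
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "permit":
            continue
        proto, rest = tokens[1], tokens[2:]
        src, rest = _parse_addr(rest)
        dst, _ = _parse_addr(rest)
        entries.add((proto, src, dst))
    return entries


def missing_mirrors(local: str, remote: str) -> Set[Entry]:
    """Local permit entries whose src/dst reversal is absent from the remote ACL."""
    remote_entries = parse_crypto_acl(remote)
    return {(p, s, d) for p, s, d in parse_crypto_acl(local) if (p, d, s) not in remote_entries}


# Constructed sample: the hub ACL from the question and a spoke ACL that
# mirrors only the GRE entry, reproducing the symptom in the thread.
HUB_ACL = """
ip access-list extended gre_hub-spoke1
 permit gre host 172.31.254.254 host 172.31.254.1
 permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
SPOKE_ACL = """
ip access-list extended gre_spoke1-hub
 permit gre host 172.31.254.1 host 172.31.254.254
"""

if __name__ == "__main__":
    for proto, src, dst in sorted(missing_mirrors(HUB_ACL, SPOKE_ACL)):
        print(f"no mirror on spoke for: permit {proto} {src} -> {dst}")
```

Run it in both directions (hub against spoke and spoke against hub); an empty result both ways means the two crypto ACLs are true mirror images.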
09-05-2008 07:29 AM
Hello,
Do you see an IPsec SA being built for that traffic? Post the output of "show crypto ipsec sa". Do you see encrypts/decrypts?
HTH
Saju
Please rate if it helps