Modifying ACL for interesting traffic, does it require me to clear ipsec sa

Unanswered Question
Apr 15th, 2009

I already have a VPN tunnel set up - I would like to add another subnet to the interesting traffic. Once I add the IP / subnet to the ACL for interesting traffic - do I have to restart any negotiations between VPN peers?

Jon Marshall Wed, 04/15/2009 - 09:44

Each individual entry in your crypto map ACL for interesting traffic creates a separate IPsec SA (2 actually, as IPsec SAs are unidirectional).

So no, you should not have to clear the existing IPsec SA.


tiki_turtle Wed, 04/15/2009 - 09:46

Thanks Jon - I remember reading that they were unidirectional... but was not aware that each entry creates a separate SA...

