CSM_IPSEC_ACL customization within CSM

Unanswered Question
Dec 3rd, 2010

Hello,

I need to encapsulate an L2TPv3 tunnel in a crypto session. Without CSM, I just need to add

permit 115 host HOST-A host HOST-B

in the CSM_IPSEC_ACL related to the hosts in charge of the crypto link.

But this ACL is 100% managed by CSM, so it recreates a new one each time I push a config.

I tried to create a flex prepend to remove my settings, and a flex append to recreate them, but CSM makes its checks before the prepend. So it works the first time, and the second time CSM creates a new ACL.

Any idea how to force CSM to accept my current settings (and let it continue to manage the VPNs)?

PS: I'm using CSM 3.3.1 sp2

Thanks,

NH

sdecresc Wed, 12/08/2010 - 15:04

Hi Nicolas,

Can you be a bit more specific on what CSM is trying to do? Maybe sending the delta with some explanation would work.

Stefano

plekytouton Thu, 12/09/2010 - 01:49

Hello Stefano,

By default, CSM auto-generates this kind of ACL for the static crypto:

ip access-list extended CSM_IPSEC_ACL_2
permit gre host SOURCE host DEST

used by

crypto map CSM_CME_GigabitEthernet0/2.210 1 ipsec-isakmp
description Provisioned by CSM: Peer device = DEST
set peer DEST
set transform-set CSM_TS_1
match address CSM_IPSEC_ACL_2

I would like to add this in the ACL:

permit 115 host SOURCE host DEST

to allow L2TPv3 to be encrypted too.

But as soon as I redeploy after a modification, CSM re-creates a new ACL.

regards,

NH
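
Added example (not from any poster in this thread and not Cisco code): a Python check that reads an IOS running config after a CSM deployment and lists every crypto-map ACL that does not permit IP protocol 115, meaning L2TPv3 between the peers no longer matches the crypto ACL. The addresses in the sample are constructed stand-ins for SOURCE and DEST, and the check assumes the entry appears literally as `permit 115` or is covered by `permit ip`.

```python
import re

# Constructed sample: running config after a CSM redeploy, using the thread's
# object names; documentation addresses stand in for SOURCE and DEST.
SAMPLE_CONFIG = """\
ip access-list extended CSM_IPSEC_ACL_2
 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map CSM_CME_GigabitEthernet0/2.210 1 ipsec-isakmp
 description Provisioned by CSM: Peer device = 198.51.100.1
 set peer 198.51.100.1
 set transform-set CSM_TS_1
 match address CSM_IPSEC_ACL_2
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level IOS command."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def crypto_acl_protocols(config):
    """Map (crypto map name, sequence) to (ACL name, permitted protocols)."""
    sections = parse_sections(config)
    result = {}
    for header, body in sections.items():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", header)
        if not m:
            continue
        for cmd in body:
            if cmd.startswith("match address "):
                acl = cmd.split()[2]
                aces = sections.get(f"ip access-list extended {acl}", [])
                protos = {a.split()[1] for a in aces if a.startswith("permit ")}
                result[(m.group(1), int(m.group(2)))] = (acl, protos)
    return result

def missing_l2tpv3(config):
    """Return crypto ACL names that do not permit IP protocol 115 (L2TPv3)."""
    # Assumption: the entry is written as "115", as in the thread, or "ip".
    return sorted({acl for acl, protos in crypto_acl_protocols(config).values()
                   if not protos & {"115", "ip"}})
```

Running `missing_l2tpv3` on the config pulled from the router after each deployment shows whether the manually added entry survived the push.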

pkampana Thu, 12/09/2010 - 13:43

The ACLs with the underscores are CSM generated and cannot be changed (with or without Flex config).

Why can't you go change the crypto ACL in the appropriate CSM field?

PK

plekytouton Mon, 12/13/2010 - 01:14

Hello,

I wasn't able to find this one. It looks to be auto-generated.

For instance, the NAT ACL can be modified, but I haven't found a way to modify this IPSEC one.

Any idea?

Regards,

NH

Posted December 3, 2010 at 3:21 AM
Tags: ipsec, vpn, acl, csm, l2tpv3