ipsec isakmp access-lists for traffic to encrypt and security?

Unanswered Question
Jan 17th, 2002
I am working on setting up a point-to-point VPN connection.

The encryption is working.

crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key gemplus address 10.3.162.2
!
crypto ipsec transform-set g_tran ah-sha-hmac esp-3des
!
crypto map g_map 10 ipsec-isakmp
 set peer 10.3.162.2
 set transform-set g_tran
 match address 151
!
interface Serial0/0:0
 ip address 10.3.162.1 255.255.255.252
 ip access-group 120 in
 no cdp enable
 crypto map g_map
!
ip route 192.11.61.105 255.255.255.255 10.3.162.2

The access lists I have defined are:

access-list 120 permit ahp any any
access-list 120 permit esp any any
access-list 120 permit udp any eq isakmp any eq isakmp
access-list 151 permit ip host 10.30.49.5 host 192.11.61.105

The config is the same in reverse at the other router end.

When I ping from 10.30.49.5 to 192.11.61.105 I get no reply. I have defined the access list for the encrypted traffic on the interface, and the crypto map points to the access list that defines what is being encrypted.

I can only get it working when I define on the interface non-encrypted IP traffic between 10.30.49.5 and 192.11.61.105.

Note: Config modified for security reasons, so please ignore spelling mistakes.

Thanks in advance.

bseddik Tue, 01/22/2002 - 14:35
Especially with IPsec, (it seems that) ACL 120 is applied twice on s0/0:0:

- first, it is applied to the inbound encrypted traffic;
- second, it is applied again after decryption.

The solution is to complete ACL 120 for the permitted encrypted traffic.

bye
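To make the two-pass behaviour described in the reply concrete, the following Python model (added here for illustration; it is not from the thread, not Cisco code, and only models the interface ACL, not IPsec's own SA and crypto-ACL checks) evaluates the page's ACL 120 twice against the echo reply to the ping in the question, as router 10.3.162.1 would see it: once on the arriving IPsec packet and once on the decrypted ICMP packet. It then evaluates the ACL completed the way the reply suggests (the permit is the mirror of crypto ACL 151, since the decrypted traffic at this end flows from 192.11.61.105 to 10.30.49.5), and, as a comparison the thread does not make, an over-broad `permit ip any any` fix. All packets are constructed for the example; the 203.0.113.7 "stray" host and the ACL parser are assumptions of this model, and with the `ah-sha-hmac esp-3des` transform set the outer header of the arriving packet is AH.

```python
"""Model of an IOS inbound interface ACL evaluated twice on an IPsec
interface: first on the packet as received (AH/ESP/ISAKMP), then again on the
cleartext packet after decryption.  ACLs are the ones from the thread; the
packets below are constructed for the example, not captures."""
from ipaddress import ip_address, ip_network

PROTO_NAMES = {"ip", "icmp", "tcp", "udp", "esp", "ahp"}   # "ip" matches any protocol
PORT_NAMES = {"isakmp": 500}                               # IOS keyword used on the page


def _prefix(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)            # IOS wildcard (inverse) mask
    if wildcard == "0.0.0.0":           # equivalent to 'host'
        return ip_network(tok + "/32")
    if wildcard == "255.255.255.255":   # equivalent to 'any'
        return ip_network("0.0.0.0/0")
    # Contiguous wildcards start with a zero octet, which ipaddress reads as a hostmask.
    return ip_network(f"{tok}/{wildcard}", strict=False)


def _port(tokens):
    """Consume an optional 'eq PORT'; return the port number or None (any)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        _, _num, action, proto = tokens[:4]
        if proto not in PROTO_NAMES:
            raise ValueError(f"unsupported protocol keyword: {proto}")
        rest = tokens[4:]
        src, sport = _prefix(rest), _port(rest)
        dst, dport = _prefix(rest), _port(rest)
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def ace_matches(ace, pkt):
    """One access-list entry against one packet (dict: proto, src, dst, sport, dport)."""
    _action, proto, src, sport, dst, dport = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in src or ip_address(pkt["dst"]) not in dst:
        return False
    if sport is not None and pkt.get("sport") != sport:
        return False
    if dport is not None and pkt.get("dport") != dport:
        return False
    return True


def acl_permits(aces, pkt):
    """First-match semantics with the implicit deny at the end of every IOS ACL."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False


def inbound_result(aces, outer, inner=None):
    """Apply the inbound ACL to the arriving packet, then (for IPsec) to the
    decrypted packet.  Returns 'pass1', 'pass2' (where it was dropped) or 'permit'."""
    if not acl_permits(aces, outer):
        return "pass1"
    if inner is not None and not acl_permits(aces, inner):
        return "pass2"
    return "permit"


ACL_120_ORIGINAL = """
access-list 120 permit ahp any any
access-list 120 permit esp any any
access-list 120 permit udp any eq isakmp any eq isakmp
"""
# Completed as the reply suggests: permit the cleartext that appears after
# decryption, which at this router is the mirror of crypto ACL 151.
ACL_120_COMPLETED = ACL_120_ORIGINAL + "access-list 120 permit ip host 192.11.61.105 host 10.30.49.5\n"
# A tempting but over-broad fix, included only for comparison.
ACL_120_BROAD = ACL_120_ORIGINAL + "access-list 120 permit ip any any\n"

# Constructed: the echo reply to the ping in the question, as seen at 10.3.162.1.
# Outer header is AH because the transform set is ah-sha-hmac esp-3des.
OUTER = {"proto": "ahp", "src": "10.3.162.2", "dst": "10.3.162.1"}
INNER = {"proto": "icmp", "src": "192.11.61.105", "dst": "10.30.49.5"}
# Constructed: a cleartext packet from an unrelated (hypothetical) host.
STRAY = {"proto": "tcp", "src": "203.0.113.7", "dst": "10.30.49.5", "sport": 40000, "dport": 23}


def scenario():
    """Evaluate the echo reply and the stray packet against each ACL 120 variant."""
    results = {}
    for name, text in (("original", ACL_120_ORIGINAL),
                       ("completed", ACL_120_COMPLETED),
                       ("broad", ACL_120_BROAD)):
        aces = parse_acl(text)
        results[name] = {"reply": inbound_result(aces, OUTER, INNER),
                         "stray": inbound_result(aces, STRAY)}
    return results


if __name__ == "__main__":
    for name, r in scenario().items():
        print(f"{name:9s} echo reply: {r['reply']:6s}  stray cleartext: {r['stray']}")
```

With the original ACL the echo reply clears the first pass (the AH packet matches `permit ahp any any`) and is dropped on the second pass, which is exactly the symptom in the question; the completed ACL permits it while still dropping the stray cleartext packet on the first pass. The broad fix also makes the ping work, but it admits the stray packet too, so the specific mirror of the crypto ACL is the entry to add.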