IPsec ISAKMP access-lists for traffic to encrypt and security?

Jan 17th, 2002

I am working on setting up a VPN connection point-to-point.

The encryption is working.

crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key gemplus address

crypto ipsec transform-set g_tran ah-sha-hmac esp-3des

crypto map g_map 10 ipsec-isakmp
 set peer
 set transform-set g_tran
 match address 151

interface Serial0/0:0
 ip address
 ip access-group 120 in
 no cdp enable
 crypto map g_map

ip route

The access-lists I have defined are:

access-list 120 permit ahp any any
access-list 120 permit esp any any
access-list 120 permit udp any eq isakmp any eq isakmp
access-list 151 permit ip host host

The config is the same in reverse at the other router end.

When I ping from to I get no reply. I have defined the encryption access on the interface and the crypto map to the access-list to define what is being encrypted.

I can only get it working when I define on the interface non-encrypted IP traffic between and

Note: Config modified for security reasons, so please ignore spelling mistakes.

Thanks in advance.

bseddik Tue, 01/22/2002 - 14:35

Especially with IPsec, (it seems that) the ACL 120 is applied twice on the s0/0:0:

- first, it is applied to the inbound undecrypted traffic;

- second, it is applied again after decrypting.

The solution is to complete the ACL 120 for the permitted encrypted traffic.
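As an added illustration (not code from the post or from Cisco), this Python model replays the two-pass evaluation described in the reply above on constructed placeholder addresses: ACL 120 as the poster listed it lets the AH/ESP packet in but drops the decrypted ping on the second pass, and one host-to-host entry for the access-list 151 pair is enough to fix it. The addresses, PORT_NAMES and Packet are assumptions, and real IOS also accepts wildcard-mask address specs, which this parser does not model.

```python
from collections import namedtuple
PORT_NAMES = {"isakmp": 500}                      # the only service name this ACL uses
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))

def _parse_addr(t, i):
    """Consume 'any' or 'host A.B.C.D' and an optional 'eq <port>'; return (addr, port, next index)."""
    assert t[i] in ("any", "host"), "wildcard-mask address specs are not modelled"
    addr, i = (None, i + 1) if t[i] == "any" else (t[i + 1], i + 2)
    port = None
    if i < len(t) and t[i] == "eq":
        port, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return addr, port, i

def parse_acl(lines):
    """Parse 'access-list N permit|deny <proto> <src> [eq p] <dst> [eq p]' lines into tuples."""
    entries = []
    for line in lines:
        t = line.split()
        src, sport, i = _parse_addr(t, 4)
        dst, dport, _ = _parse_addr(t, i)
        entries.append((t[2], t[3], src, sport, dst, dport))
    return entries

def acl_permits(entries, pkt):
    """First matching entry decides; no match falls through to the implicit deny."""
    for action, proto, src, sport, dst, dport in entries:
        if (proto in ("ip", pkt.proto) and src in (None, pkt.src) and dst in (None, pkt.dst)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action == "permit"
    return False

def inbound_ipsec_path(acl_lines, outer, inner):
    """Inbound ACL checked on the protected packet, then again on the decrypted one: (outer_ok, inner_ok)."""
    entries = parse_acl(acl_lines)
    outer_ok = acl_permits(entries, outer)
    return outer_ok, outer_ok and acl_permits(entries, inner)

# Constructed placeholder addresses; the post's real addresses were removed by its author.
PEER_A, PEER_B = "192.0.2.1", "198.51.100.1"      # tunnel endpoints (the 'set peer' values)
HOST_A, HOST_B = "10.1.1.10", "10.2.2.10"          # the host pair from access-list 151
ACL_120_ORIGINAL = [
    "access-list 120 permit ahp any any",
    "access-list 120 permit esp any any",
    "access-list 120 permit udp any eq isakmp any eq isakmp",
]
# The missing entry: permit the decrypted host-to-host traffic on its second pass through the ACL.
ACL_120_FIXED = ACL_120_ORIGINAL + [f"access-list 120 permit ip host {HOST_B} host {HOST_A}"]
OUTER = Packet("ahp", PEER_B, PEER_A)             # AH(ESP) packet from the peer arriving on s0/0:0
INNER = Packet("icmp", HOST_B, HOST_A)            # the ping inside it, seen after decryption
```

The added entry is deliberately narrowed to the two hosts named in access-list 151, which is what the poster found worked, rather than opening the interface to all clear-text IP traffic.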