crypto map access-lists / Problem if more than one entry?

pavlosd
Level 2

Access List For IPSec allowed traffic.

I was recently setting up a VPN between two sites and I came across the following problem:

I wanted to set up a VPN for only 2 workstations from site A to a Class C network at site B.

So I created an access-list as follows:

access-list 101 permit IP host 192.168.0.1 192.168.1.0 0.0.0.255

access-list 101 permit IP host 192.168.0.2 192.168.1.0 0.0.0.255

When I applied the above access-list to the crypto map (match address 101), I soon realized that only the first host (192.168.0.1) was successfully being encrypted while the second one could not. I was getting errors in the ipsec debugging saying that traffic to 192.168.0.2 is denied by the access-list.

When I changed the above access-list to the following:

access-list 101 permit IP 192.168.0.1 0.0.0.255 192.168.1.0 0.0.0.255

both workstations could successfully be encrypted through the IPSec tunnel.

By looking further into it I realised that only the first entry of the IPsec access-list was actually tested for matching traffic!!

Is this normal behaviour or a known bug??? Any workarounds to this problem?

Regards.

Accepted Solution

mdobrucky
Level 1

If you have an ipsec-manual crypto map, you can specify just one ACE entry in the crypto ACL. Check the 12.2 docs:

Access lists for crypto map entries tagged as ipsec-manual are restricted to a single permit entry and subsequent entries are ignored. In other words, the security associations established by that particular crypto map entry are only for a single data flow. To be able to support multiple manually established security associations for different kinds of traffic, define multiple crypto access lists, and then apply each one to a separate ipsec-manual crypto map entry. Each access list should include one permit statement defining what traffic to protect.

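As an added example (not from the original thread or from Cisco), a small Python check that flags the situation described above: it parses a constructed IOS config fragment, counts the permit ACEs in each crypto ACL, and reports the ACEs that an ipsec-manual crypto map entry will silently ignore. The config text, the map name VPNMAP, the transform-set name and the peer address are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample IOS config (not from the thread): ACL 101 has two permit ACEs
# and is referenced by an ipsec-manual entry, reproducing the poster's setup.
SAMPLE_CONFIG = """\
access-list 101 permit ip host 192.168.0.1 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.0.2 192.168.1.0 0.0.0.255
access-list 102 permit ip host 192.168.0.3 192.168.1.0 0.0.0.255
crypto map VPNMAP 10 ipsec-manual
 set peer 203.0.113.2
 set transform-set TS
 match address 101
crypto map VPNMAP 20 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101
crypto map VPNMAP 30 ipsec-manual
 set peer 203.0.113.2
 set transform-set TS
 match address 102
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(.*)$")
MAP_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+(ipsec-manual|ipsec-isakmp)\b")
MATCH_RE = re.compile(r"^\s+match address\s+(\S+)")

def find_ignored_aces(config: str) -> dict:
    """Return {(map_name, seq): [ignored ACE text, ...]} for every ipsec-manual
    crypto map entry whose crypto ACL carries more than one permit statement."""
    permits = defaultdict(list)   # ACL id -> permit ACEs in configured order
    current = None                # (name, seq, type) of the map entry being parsed
    manual_acls = {}              # (name, seq) -> ACL used by an ipsec-manual entry
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            permits[m.group(1)].append(m.group(2))
            continue
        if m := MAP_RE.match(line):
            current = (m.group(1), m.group(2), m.group(3))
            continue
        m = MATCH_RE.match(line)
        if m and current and current[2] == "ipsec-manual":
            manual_acls[current[:2]] = m.group(1)
    # An ipsec-manual entry honours only the first permit ACE; report the rest.
    return {entry: permits[acl][1:] for entry, acl in manual_acls.items()
            if len(permits[acl]) > 1}

if __name__ == "__main__":
    for (name, seq), ignored in find_ignored_aces(SAMPLE_CONFIG).items():
        print(f"crypto map {name} {seq} ipsec-manual ignores: {ignored}")
```

Entries tagged ipsec-isakmp (sequence 20) and manual entries whose ACL has a single permit (sequence 30) are not reported; only sequence 10 is, with the second ACE listed.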

2 Replies

afakhan
Level 4

Hi,

Your original ACL should also work; make sure that you don't have any other crypto map ... overlapping with the ACL.

Check the other access-lists on the router interfaces.

Thx

Afaq
