04-14-2003 07:00 AM - edited 03-09-2019 02:53 AM
Access List For IPSec allowed traffic.
I was recently setting up a VPN between two sites and I came across the following problem:
I wanted to set up a VPN for only 2 workstations from site A to a Class C network at site B.
So I created an access-list as follows:
access-list 101 permit ip host 192.168.0.1 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.0.2 192.168.1.0 0.0.0.255
When I applied the above access-list to the crypto map (match address 101), I soon realized that only the first host (192.168.0.1) was successfully being encrypted while the second one was not. I was getting errors in the IPsec debugging saying that traffic to 192.168.0.2 is denied by the access-list.
When I changed the above access-list to the following
access-list 101 permit ip 192.168.0.1 0.0.0.255 192.168.1.0 0.0.0.255
both workstations could successfully be encrypted through the IPsec tunnel.
By looking further into it I realised that only the first entry of the IPsec access-list was actually tested for matching traffic!
Is this normal behaviour or a known bug? Any workarounds to this problem?
Regards.
04-15-2003 02:12 AM
If you have an ipsec-manual crypto map, you can specify just one ACE entry in the crypto ACL. Check the 12.2 docs:
Access lists for crypto map entries tagged as ipsec-manual are restricted to a single permit entry and subsequent entries are ignored. In other words, the security associations established by that particular crypto map entry are only for a single data flow. To be able to support multiple manually established security associations for different kinds of traffic, define multiple crypto access lists, and then apply each one to a separate ipsec-manual crypto map entry. Each access list should include one permit statement defining what traffic to protect.
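The workaround the quoted documentation describes, written out as an added Cisco IOS configuration example (this is not configuration from the original post or from the documentation; the peer address 203.0.113.2, the map name SITEB, the SPIs, the transform set and the placeholder key values are assumptions for illustration). Each of the two workstations gets its own single-ACE crypto ACL and its own ipsec-manual crypto map entry, so each manually keyed SA pair covers exactly one data flow:

```cisco
! Assumed transform set (example only)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! One crypto ACL per protected flow: a second permit in the same ACL
! would be ignored by an ipsec-manual crypto map entry.
access-list 101 permit ip host 192.168.0.1 192.168.1.0 0.0.0.255
access-list 102 permit ip host 192.168.0.2 192.168.1.0 0.0.0.255

! First manual entry: workstation 192.168.0.1 -> site B network
crypto map SITEB 10 ipsec-manual
 match address 101
 set peer 203.0.113.2
 set transform-set ESP-3DES-SHA
 ! SPIs must be unique per entry and direction; keys are placeholders
 ! (3DES cipher key = 48 hex digits, SHA authenticator = 40 hex digits).
 set session-key inbound esp 1001 cipher <48-hex-digit-key> authenticator <40-hex-digit-key>
 set session-key outbound esp 1002 cipher <48-hex-digit-key> authenticator <40-hex-digit-key>

! Second manual entry: workstation 192.168.0.2 -> site B network
crypto map SITEB 20 ipsec-manual
 match address 102
 set peer 203.0.113.2
 set transform-set ESP-3DES-SHA
 set session-key inbound esp 1003 cipher <48-hex-digit-key> authenticator <40-hex-digit-key>
 set session-key outbound esp 1004 cipher <48-hex-digit-key> authenticator <40-hex-digit-key>

! Assumed outside interface
interface Serial0/0
 crypto map SITEB
```

The peer router needs the mirror image: the same SPIs and keys with inbound and outbound swapped, and ACLs with source and destination reversed. Two practical caveats with manual keying: the keys never rotate unless you change them by hand on both ends, and IOS does not provide anti-replay protection for manually established SAs. If IKE is available, an `ipsec-isakmp` crypto map entry does not have the single-ACE restriction, so the original two-line ACL 101 works as written with one crypto map entry, and a separate SA pair is negotiated for each matching flow.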
04-14-2003 12:02 PM
Hi,
your original ACL should also work; make sure that you don't have any other crypto map entry overlapping with the ACL.
check other access-lists on the router interfaces.
Thx
Afaq