Community Member

IPSEC DES1 VPN Tunnel between two CISCO 2611 router fails if ACL is applied

I have a working VPN tunnel between two CISCO 2611 routers. For hardening the router security, I have applied a CISCO ACL to one of the router's WAN ports. If the ACL is applied, the tunnel doesn't function and I am not able to ping the inside local IP address.

What entries need to be added to the ACL to keep the VPN tunnel functional?

When debug output is checked at the console, the following error message is displayed continuously.

ISADB: reaper checking SA, conn_id = 10

Thanks and Regards,

Amit

2 REPLIES
Community Member

Re: IPSEC DES1 VPN Tunnel between two CISCO 2611 router fails if

I assume that the ACL is applied to inbound traffic? If so, then you need to make sure that the relevant IPSec protocols are allowed through the ACL. This could include ESP, AHP and UDP/500 (ISAKMP), and perhaps GRE depending on your tunnel. Also, I have noticed in the past that the inbound ACL gets checked twice: once using the public IP source/destination addresses, then again once the public IP headers have been stripped.

For example, if you had a 10.1.0.0 net at site A and 11.1.0.0 at site B, and you were using 192.168.1.x as the addressing in between, then the inbound ACL on the site A router would need to allow ESP/AHP/UDP-500 from the site B 192.168.1.x host address. Also (assuming traffic flows from A to B) the same ACL would need to allow the 10.1.0.x subnet to the 11.1.0.x range (site A to site B).

In other words, the inbound ACL checks flows from public to public AND private to private (once the public headers are removed and the traffic is decrypted).

I had this issue in the past and the above solved it.
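As an added illustration of the entries described in this reply (example configuration, not posted by anyone in the thread), here is an inbound WAN ACL on the site A router before and after the IPsec entries are added, using the reply's sample addressing. Assumed values: site A public endpoint 192.168.1.1, site B public endpoint 192.168.1.2, inside subnets 10.1.0.0/16 (site A) and 11.1.0.0/16 (site B), interface Serial0/0; the ESP/AH/ISAKMP lines reference the public tunnel endpoints, while the private-to-private line references the inside subnets, which also answers the question raised in the next post. Whether decrypted packets are checked a second time against the interface ACL depends on the IOS release, so the last permit line is harmless where it is not needed.

```cisco
! --- Before: hardened inbound ACL that breaks the IPsec tunnel ---
! Only return traffic for sessions started from inside is allowed,
! so IKE, ESP and AH from the peer are dropped by the final deny.
ip access-list extended WAN-IN
 permit tcp any any established
 deny   ip any any log
!
! --- After: the same ACL with the entries the reply describes ---
ip access-list extended WAN-IN
 ! Check 1: encrypted packets as they arrive from the peer's public address
 ! IKE / ISAKMP negotiation, UDP port 500
 permit udp host 192.168.1.2 host 192.168.1.1 eq isakmp
 ! ESP, IP protocol 50
 permit esp host 192.168.1.2 host 192.168.1.1
 ! AH, IP protocol 51 (only needed if the transform set uses AH)
 permit ahp host 192.168.1.2 host 192.168.1.1
 ! Check 2: the decrypted inner packets, re-checked against the same ACL on
 ! releases that do so. Inbound on site A the inner packets are sourced from
 ! the site B subnet and destined to the site A subnet.
 permit ip 11.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 ! Existing hardening rules stay below the IPsec entries
 permit tcp any any established
 deny   ip any any log
!
! Apply the ACL inbound on the WAN interface (assumed interface name)
interface Serial0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group WAN-IN in
```

Verify with "show ip access-lists WAN-IN" after bringing the tunnel up: the ESP and ISAKMP entries should show increasing match counts, and the deny line should stop logging hits from the peer's address.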

Community Member

Re: IPSEC DES1 VPN Tunnel between two CISCO 2611 router fails if

Thanks for your reply.

Where will I get the exact ACL statements? Our scenario is as mentioned below.

Three locations are connected to the Internet via CISCO 2611 routers. One of the routers (A) connects to router (B) and router (C) over VPN.

All have internal IP addresses in the 172 range. Since router B serves some important services like DNS, I have applied an inbound access list to its serial port. This led to disconnection of the VPN tunnel between router A and router B. If the inbound access list is removed on router B, the tunnel becomes functional.

As you said, I need to allow ESP/AHP/UDP-500 from site A. Should the statement contain the internal private IP address or the endpoint valid IP address of the VPN tunnel?

Thanks once again and waiting for your reply.

Regards,

Amit