Cisco Support Community
Community Member

ipsec isakmp access-lists for traffic to encrypt and security?

I am working on setting up a vpn connection point-to-point.

The encryption is working.

crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key gemplus address

crypto ipsec transform-set g_tran ah-sha-hmac esp-3des

crypto map g_map 10 ipsec-isakmp
 set peer
 set transform-set g_tran
 match address 151

interface Serial0/0:0
 ip address
 ip access-group 120 in
 no cdp enable
 crypto map g_map

ip route

The access-lists I have defined are:

access-list 120 permit ahp any any
access-list 120 permit esp any any
access-list 120 permit udp any eq isakmp any eq isakmp
access-list 151 permit ip host host

The config is the same in reverse at the other router end.

When I ping from to I get no reply. I have defined the encryption access-list on the interface and the crypto map to the access-list that defines what is being encrypted.

I can only get it working when I define on the interface non-encrypted IP traffic between and

Note: Config modified for security reasons, so please ignore spelling mistakes.

Thanks in advance.

Community Member

Re: ipsec isakmp access-lists for traffic to encrypt and securit

Especially with IPsec, (it seems that) the ACL 120 is applied twice on the s0/0:0:

- first, it is applied to the inbound unencrypted traffic;

- second, it is applied again after decrypting.

The solution is to complete the ACL 120 for the permitted encrypted traffic.
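The double evaluation described in this reply is easy to reason about with a small model. The following Python is an added illustration, not code from the thread or from Cisco: it evaluates the poster's ACL 120 (first match wins, implicit deny at the end) once against the arriving ESP envelope and once against the decrypted clear-text packet, then shows the same flow against an ACL 120 extended with a mirror of the ACL 151 host pair. All addresses are constructed placeholders, since the original ones were removed from the post.

```python
# Added illustration (not from the thread): a toy model of an inbound
# interface ACL on a crypto-map interface being evaluated twice, once on
# the arriving encrypted packet and once on the decrypted clear-text
# packet, as the reply above describes.
from dataclasses import dataclass
from typing import List, Optional

ISAKMP_PORT = 500  # UDP/500, what "eq isakmp" resolves to in the ACL


@dataclass(frozen=True)
class Packet:
    proto: str              # 'esp', 'ahp', 'udp', 'icmp', ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One 'access-list <n> permit ...' entry, reduced to host/any matching."""
    proto: str              # 'ip' matches every protocol
    src: str                # 'any' or a single host address
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != 'ip' and self.proto != p.proto:
            return False
        if self.src != 'any' and self.src != p.src:
            return False
        if self.dst != 'any' and self.dst != p.dst:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """IOS semantics: first matching entry wins; implicit deny at the end."""
    return any(ace.matches(p) for ace in acl)


# Constructed placeholder endpoints (the thread's real addresses were removed).
PEER = "203.0.113.2"          # remote VPN router
LOCAL_IF = "203.0.113.1"      # our Serial0/0:0
REMOTE_HOST = "192.0.2.10"    # host behind the peer, selected by ACL 151
LOCAL_HOST = "198.51.100.10"  # host behind us, selected by ACL 151

# The poster's ACL 120: permits only the IPsec envelope and ISAKMP.
ACL_120 = [
    Ace('ahp', 'any', 'any'),
    Ace('esp', 'any', 'any'),
    Ace('udp', 'any', 'any', ISAKMP_PORT, ISAKMP_PORT),
]

# The completed ACL the reply suggests: also permit the clear-text flow that
# ACL 151 selects for encryption, mirrored for the inbound direction, because
# that flow is checked again after decryption.
ACL_120_COMPLETED = ACL_120 + [Ace('ip', REMOTE_HOST, LOCAL_HOST)]


def inbound_allowed(acl: List[Ace], outer: Packet, inner: Packet) -> dict:
    """Model both passes: the envelope on arrival, then the decrypted packet."""
    first = acl_permits(acl, outer)
    second = first and acl_permits(acl, inner)
    return {"encrypted_pass": first, "decrypted_pass": second}


# A ping reply from the remote host, arriving inside ESP from the peer.
OUTER = Packet('esp', PEER, LOCAL_IF)
INNER = Packet('icmp', REMOTE_HOST, LOCAL_HOST)

if __name__ == "__main__":
    print("original ACL 120 :", inbound_allowed(ACL_120, OUTER, INNER))
    print("completed ACL 120:", inbound_allowed(ACL_120_COMPLETED, OUTER, INNER))
```

With the original ACL 120 the envelope passes but the decrypted ICMP reply is dropped, which matches the "no reply" symptom; with the extra host-to-host entry both passes succeed. The added entry is deliberately as narrow as ACL 151 rather than `permit ip any any`, so the interface ACL still only admits traffic that arrived through the tunnel or the tunnel's own control and data protocols.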

