Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

ipsec isakmp access-lists for traffic to encrypt and security?

I am working on setting up a vpn connection point-to-point.

the encryption is working.

crypto isakmp policy 100

hash md5

authentication pre-share

crypto isakmp key gemplus address 10.3.162.2

!

crypto ipsec transform-set g_tran ah-sha-hmac esp-3des

!

crypto map g_map 10 ipsec-isakmp

set peer 10.3.162.2

set transform-set g_tran

match address 151

!

interface Serial0/0:0

ip address 10.3.162.1 255.255.255.252

ip access-group 120 in

no cdp enable

crypto map g_map

ip route 192.11.61.105 255.255.255.255 10.3.162.2

The access-lists I have defined are:

access-list 120 permit ahp any any

access-list 120 permit esp any any

access-list 120 permit udp any eq isakmp any eq isakmp

access-list 151 permit ip host 10.30.49.5 host 192.11.61.105

the config is the same in reverse at the other router end.

when I ping from 10.30.49.5 to 192.11.61.105 I get no reply. I have defined the encryption access to the interface and the crypto map to the access-list to define what is being encrypted.

I can only get it working when I define on the interface non encrypted ip traffic between 10.30.49.5 and 192.11.61.105.

Note: Config modified for security resons so please ignore spelling mistakes.

thanks in advance.

1 REPLY
Community Member

Re: ipsec isakmp access-lists for traffic to encrypt and securit

Especially with Ipsec, (it seems that) the acl 120 is applied twice on the s0/0:0

- first, it is applied to the inbound uncrypted

traffic

- second, it is applied again after decrypting.

The solution is to complete the acl 120 for the permitted encrypted traffic.

bye

246
Views
0
Helpful
1
Replies
CreatePlease to create content