Cisco Support Community

VPN and route summarized access-list

I have several VPN connections in my organization.

At one site the PIX VPN was configured by a consultant who created the access-list with a summarized route to my network.

In my configuration, I did not summarize the route; instead I allowed access from the remote network to the one subnet on my LAN that they needed access to.

Now when I do a sh crypto ipsec sa, I see a tunnel (with no traffic) for the summarized network and a tunnel (with traffic) for the single subnet.

In the event that the remote PIX is rebooted, or they temporarily lose internet connectivity, will this configuration prevent the VPN tunnels from automatically forming correctly?


Re: VPN and route summarized access-list

From what you are saying, the access-lists on the two encryption devices are not symmetrical (as per Cisco recommendations). This can cause unusual behaviour, but if there is not a requirement for traffic from site A to ever reach any other network at site B other than the subnet that the VPN is presently working correctly for - you'll get away with it.

The crypto SA situation arises in these and other situations and is often caused by disparate access-lists or non-contiguous address ranges or ports. It's a legacy from the RFC indicating that IPsec deals with contiguous address ranges where SAs are concerned.

As a general rule, where multiple SAs are formed in such a situation, the traffic is actually carried in the most specific SA. To avoid confusion, or problems down the track if there is a need to change VPN design, it would probably be wise to tidy up the config.
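The check the reply is asking for, mirrored crypto access-lists on both peers, can be automated. The script below is an added example, not from this thread or from Cisco: it parses PIX-style "access-list NAME permit ip SRC MASK DST MASK" lines from both sites, mirrors one side (swap source and destination), and reports exact mismatches plus the nested case the thread describes, where one peer's entry is a summary route that contains the other peer's more specific subnet. The two sample access-lists are constructed to reproduce that situation and are not the poster's real config.

```python
import ipaddress
import re

# Constructed sample crypto ACLs (not from the thread). Site A was written with a
# summarized /16 for the remote LAN; site B only permits the one /24 it needs.
SITE_A_ACL = """
access-list vpn-to-b permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
"""
SITE_B_ACL = """
access-list vpn-to-a permit ip 192.168.1.0 255.255.255.0 10.1.5.0 255.255.255.0
"""
# Site B rewritten so it exactly mirrors site A (the "tidy up" the reply suggests).
SITE_B_ACL_FIXED = """
access-list vpn-to-a permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
"""

# Only 'permit ip' ACEs with dotted netmasks are handled (PIX 6.x crypto ACL style).
ACE_RE = re.compile(r"^access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_crypto_acl(text):
    """Return the set of (src_network, dst_network) pairs for each 'permit ip' ACE.
    ipaddress accepts the 'address/netmask' form, so the dotted masks are used directly."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # remarks, blank lines and non-IP protocols are ignored
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        pairs.add((src, dst))
    return pairs


def mirror(pairs):
    """The remote peer's ACL seen from the local side: swap source and destination."""
    return {(dst, src) for src, dst in pairs}


def fmt(src, dst):
    return f"{src} -> {dst}"


def check_symmetry(local_text, remote_text):
    """Compare the local ACL against the mirrored remote ACL and list the differences."""
    local = parse_crypto_acl(local_text)
    remote_mirrored = mirror(parse_crypto_acl(remote_text))
    return {
        "symmetric": local == remote_mirrored,
        "only_local": sorted(fmt(s, d) for s, d in local - remote_mirrored),
        "only_remote": sorted(fmt(s, d) for s, d in remote_mirrored - local),
    }


def nested_pairs(local_text, remote_text):
    """Entries that differ but where one peer's proxy identity is contained in the
    other's. This is the summary-vs-specific pattern from the thread, which shows up
    as more than one SA for what the admin thinks of as a single tunnel."""
    local = parse_crypto_acl(local_text)
    remote_mirrored = mirror(parse_crypto_acl(remote_text))
    found = []
    for ls, ld in local:
        for rs, rd in remote_mirrored:
            if (ls, ld) == (rs, rd):
                continue
            contained = (rs.subnet_of(ls) and rd.subnet_of(ld)) or \
                        (ls.subnet_of(rs) and ld.subnet_of(rd))
            if contained:
                found.append((fmt(ls, ld), fmt(rs, rd)))
    return sorted(found)


if __name__ == "__main__":
    report = check_symmetry(SITE_A_ACL, SITE_B_ACL)
    print("symmetric:", report["symmetric"])
    for entry in report["only_local"]:
        print("  local only :", entry)
    for entry in report["only_remote"]:
        print("  remote only:", entry)
    for wide, narrow in nested_pairs(SITE_A_ACL, SITE_B_ACL):
        print("  nested     :", wide, "contains", narrow)
    print("after fix symmetric:", check_symmetry(SITE_A_ACL, SITE_B_ACL_FIXED)["symmetric"])
```

Run it against exports of "show access-list" from both peers; an empty "only local" / "only remote" list and no nested pairs means the crypto ACLs mirror each other. The script deliberately ignores anything other than "permit ip" entries, so port-specific or deny ACEs, which the reply also names as a source of extra SAs, need to be reviewed by hand.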
