06-03-2008 10:20 AM
Hello,
I would like to know the notion of DENY in the ACL of a crypto ezvpn.
Does a deny mean that the traffic will be denied from traversing the VPN tunnel, or does it mean that the traffic will traverse the tunnel but not be encrypted?
Thanks in advance,
Mehdi
06-03-2008 11:32 AM
A crypto ACL is used to identify traffic that requires crypto treatment.
IPSec traffic is "encapsulated". It is not necessarily "encrypted". It is dependent on the policy you define.
e.g.: You could use Authentication Header (AH) protocol instead of ESP, in which case you would benefit from the "authentication" of data, but no "encryption" would be performed.
Only traffic matching a "permit" statement in the crypto ACL would be "encapsulated", and be considered part of the tunnel.
Traffic matching a "deny" statement in the crypto ACL would bypass the crypto engine, but may be forwarded "outside" the tunnel if a route to the destination address is known, and the address is routable.
A packet with a "private" destination IP address would have trouble traversing the Internet.
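To make the permit/deny semantics concrete, here is an added simulation (not code from the thread or from Cisco) of how a router classifies a packet against a crypto ACL: first match wins, an unmatched packet hits the implicit deny, and anything denied bypasses the crypto engine and is simply routed in the clear if a route exists. The ACL entries, routing table and addresses are constructed sample values; the RFC 1918 check stands in for "a private destination would have trouble traversing the Internet".

```python
import ipaddress

# Constructed sample crypto ACL in "action src dst" order, evaluated like a
# Cisco extended ACL: first match wins, implicit deny at the end.
CRYPTO_ACL = [
    ("permit", "192.168.10.0/24", "10.20.0.0/16"),     # interesting traffic: LAN -> remote LAN
    ("deny",   "192.168.10.0/24", "192.168.99.0/24"),  # explicitly excluded from the tunnel
]

# Constructed routing table: only a default route towards the ISP.
ROUTES = ["0.0.0.0/0"]

# RFC 1918 ranges, used to flag private destinations that will not cross the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def acl_action(acl, src, dst):
    """Return 'permit' or 'deny' for the first matching entry (implicit deny if none match)."""
    for action, s, d in acl:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action
    return "deny"


def has_route(routes, dst):
    """True if any route in the (constructed) table covers the destination."""
    return any(dst in ipaddress.ip_network(r) for r in routes)


def disposition(acl, src_ip, dst_ip, routes=ROUTES):
    """Classify what the router does with one packet.

    encapsulate        -> matched a permit: enters the crypto engine, travels inside the tunnel
    clear              -> denied (explicitly or implicitly): bypasses crypto, forwarded unencrypted
    clear-private-dst  -> same bypass, but a private destination will not get far on the Internet
    no-route           -> bypasses crypto, but there is no route to forward it on
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if acl_action(acl, src, dst) == "permit":
        return "encapsulate"
    if not has_route(routes, dst):
        return "no-route"
    if any(dst in n for n in RFC1918):
        return "clear-private-dst"
    return "clear"


if __name__ == "__main__":
    samples = [
        ("192.168.10.5", "10.20.1.1"),     # permit entry -> tunnel
        ("192.168.10.5", "192.168.99.9"),  # explicit deny -> bypass crypto, private dst
        ("192.168.10.5", "8.8.8.8"),       # implicit deny -> bypass crypto, sent in the clear
    ]
    for s, d in samples:
        print(f"{s} -> {d}: {disposition(CRYPTO_ACL, s, d)}")
```

The third sample is the one worth checking on a real device: traffic that matches nothing in the crypto ACL is not blocked, it leaves the outside interface unencrypted, so a crypto ACL that is too narrow silently turns into split tunnelling rather than a drop.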
06-03-2008 12:58 PM
Thanks Michael for the explanation.
Mehdi
06-03-2008 01:00 PM
You're welcome.