549 Views · 4 Helpful · 3 Replies

EZVPN Access List

persepolis77
Level 1

Hello,

I would like to know the notion of DENY in the ACL of a crypto ezvpn.

Does a deny mean that the traffic will be denied from traversing the VPN tunnel, or does it mean that the traffic will traverse the tunnel but is not encrypted?

Thanks in advance,

Mehdi

3 Replies

michael.leblanc
Level 4

A crypto ACL is used to identify traffic that requires crypto treatment.

IPSec traffic is "encapsulated". It is not necessarily "encrypted". It is dependent on the policy you define.

e.g.: You could use Authentication Header (AH) protocol instead of ESP, in which case you would benefit from the "authentication" of data, but no "encryption" would be performed.

Only traffic matching a "permit" statement in the crypto ACL would be "encapsulated", and be considered part of the tunnel.

Traffic matching a "deny" statement in the crypto ACL would bypass the crypto engine, but may be forwarded "outside" the tunnel if a route to the destination address is known, and the address is routable.

A packet with a "private" destination IP address would have trouble traversing the Internet.
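To make the permit/deny behaviour described above concrete, here is an added example (not from this thread, and not Cisco code): a small Python model of how a crypto ACL classifies a packet. It parses IOS-style extended ACL entries (`permit`/`deny ip <src> <wildcard> <dst> <wildcard>`, plus `any` and `host`), applies first-match semantics with the implicit deny at the end, and then, for denied traffic, distinguishes a destination that can be forwarded in the clear from an RFC 1918 address that has no route across the Internet. The ACL entries and addresses are constructed for illustration.

```python
"""Model of crypto-ACL classification: permit -> encapsulate in the tunnel,
deny (explicit or implicit) -> bypass the crypto engine and route normally.
Added example, not the thread's own code; ACL contents are constructed."""
from dataclasses import dataclass
import ipaddress

# RFC 1918 ranges: a denied packet with such a destination bypasses the tunnel
# but has no usable route across the Internet (the point made in the reply).
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_network(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((tok, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_acl(lines):
    """Parse IP-only extended ACL entries in IOS syntax (order is preserved)."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        rest = tokens[2:]
        src = _take_network(rest)
        dst = _take_network(rest)
        entries.append(AclEntry(action, src, dst))
    return entries


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def classify(acl, src, dst):
    """Return 'encapsulate', 'bypass-clear' or 'bypass-unroutable' for one packet."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    action = "deny"               # implicit deny at the end of every ACL
    for entry in acl:             # first matching entry wins
        if s in entry.src and d in entry.dst:
            action = entry.action
            break
    if action == "permit":
        return "encapsulate"      # IPsec treatment, part of the tunnel
    # Denied: the crypto engine is skipped and normal routing applies.
    return "bypass-unroutable" if is_rfc1918(d) else "bypass-clear"


# Constructed crypto ACL: one exclusion for a subnet pair, then the protected range.
CRYPTO_ACL = parse_acl([
    "deny ip 10.1.1.0 0.0.0.255 10.1.9.0 0.0.0.255",
    "permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "permit ip 10.1.1.0 0.0.0.255 host 203.0.113.7",
])

if __name__ == "__main__":
    for src, dst in [("10.1.1.5", "10.1.9.8"), ("10.1.1.5", "10.1.2.8"),
                     ("10.1.1.5", "203.0.113.200"), ("192.168.5.5", "10.1.2.8")]:
        print(f"{src} -> {dst}: {classify(CRYPTO_ACL, src, dst)}")
```

The explicit `deny` for 10.1.9.0/24 is evaluated before the broader `permit`, so that pair of subnets leaves the crypto engine untouched; because the destination is private, the packet then has nowhere to go once it reaches the Internet, which is the failure mode the reply describes.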

Thanks Michael for the explanation.

Mehdi

You're welcome.