
EZVPN Access List

Hello,

I would like to know the notion of DENY in the ACL of a crypto ezvpn.

Does a deny mean that the traffic will be denied from traversing the VPN tunnel, or does it mean that the traffic will traverse the tunnel but is not encrypted?

Thanks in advance,

Mehdi

3 REPLIES

Re: EZVPN Access List

A crypto ACL is used to identify traffic that requires crypto treatment.

IPSec traffic is "encapsulated". It is not necessarily "encrypted". It is dependent on the policy you define.

e.g.: You could use Authentication Header (AH) protocol instead of ESP, in which case you would benefit from the "authentication" of data, but no "encryption" would be performed.

Only traffic matching a "permit" statement in the crypto ACL would be "encapsulated", and be considered part of the tunnel.

Traffic matching a "deny" statement in the crypto ACL would bypass the crypto engine, but may be forwarded "outside" the tunnel if a route to the destination address is known, and the address is routable.

A packet with a "private" destination IP address would have trouble traversing the Internet.
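Added example, not part of the original thread and not Cisco code: a small Python model of the three outcomes described in the reply above. Every IOS ACL is evaluated top-down with an implicit deny at the end, and the model keeps that. A permit sends the packet to the crypto engine, where it is encapsulated, and whether it is also encrypted depends on the transform set (an ESP cipher such as esp-aes encrypts; ah-sha-hmac or esp-null only authenticates). A deny, or no match, bypasses the crypto engine and the packet is forwarded in the clear if a route exists; a private destination pushed toward the default route will not get across the Internet. The ACL entries, routing table, transform sets and packets are constructed for illustration.

```python
"""Model of how a crypto ACL sorts traffic (added example, not Cisco code).

Rules modelled from the reply above:
  permit match            -> crypto engine, encapsulated; encrypted only
                             if the transform set contains an ESP cipher
  deny match / no match   -> bypasses the crypto engine; forwarded in the
                             clear if a route exists, but a private
                             destination sent toward the Internet is lost
The ACL, routing table and transform sets below are constructed.
"""
import ipaddress

# Constructed crypto ACL in IOS extended-ACL form:
#   (action, src, src-wildcard, dst, dst-wildcard), evaluated top-down.
CRYPTO_ACL = [
    # branch LAN talking to itself: keep it out of the tunnel
    ("deny",   "10.1.1.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    # branch LAN to any 10/8 corporate address: interesting traffic
    ("permit", "10.1.1.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
]

# Constructed routing table: (prefix, where it points). "connected" is the
# branch LAN, "internet" is the default route toward the ISP.
ROUTES = [
    (ipaddress.ip_network("10.1.1.0/24"), "connected"),
    (ipaddress.ip_network("0.0.0.0/0"), "internet"),
]

# IOS transform-set keywords that actually encrypt. AH transforms and
# esp-null provide integrity/authentication only.
ESP_CIPHERS = {"esp-des", "esp-3des", "esp-aes", "esp-seal", "esp-gcm"}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


def acl_action(acl, src, dst):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"


def lookup_route(dst, routes):
    """Longest-prefix match; None when the router has no route at all."""
    d = ipaddress.ip_address(dst)
    hits = [(net, via) for net, via in routes if d in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def classify(src, dst, acl=CRYPTO_ACL, routes=ROUTES, transform="esp-aes esp-sha-hmac"):
    """What the router does with a packet src -> dst."""
    if acl_action(acl, src, dst) == "permit":
        # Encapsulated and sent through the tunnel. Encryption happens only
        # when the transform set carries an ESP cipher; AH-only or esp-null
        # transforms authenticate the packet but leave it readable.
        encrypted = any(tok in ESP_CIPHERS for tok in transform.split())
        return "tunnel-encrypted" if encrypted else "tunnel-not-encrypted"
    via = lookup_route(dst, routes)
    if via is None:
        return "dropped-no-route"
    if via == "internet" and ipaddress.ip_address(dst).is_private:
        # Forwarded in the clear toward the ISP, but RFC 1918 space is not
        # routable on the Internet, so it is dropped somewhere upstream.
        return "forwarded-clear-unroutable"
    return "forwarded-clear"


if __name__ == "__main__":
    for s, d in [("10.1.1.5", "10.2.0.7"), ("10.1.1.5", "10.1.1.9"),
                 ("10.1.1.5", "93.184.216.34"), ("10.1.1.5", "172.16.5.5")]:
        print(f"{s:>12} -> {d:<15} {classify(s, d)}")
```

The deny entry placed above the permit is the usual way to carve local or other exempt traffic out of an otherwise broad permit; because evaluation stops at the first match, order is what decides whether a packet is encapsulated or sent out in the clear.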


Re: EZVPN Access List

Thanks Michael for the explanation.

Mehdi

Re: EZVPN Access List

You're welcome.
