GETVPN question

zoran.suica
Level 1

Hello,

I have a couple of routers that are members of the same GETVPN group and share the same network on which traffic is encrypted (same WAN network).

My access list from the key server permits encryption for everything except EIGRP and SSH.

If I ping one router (its WAN interface) from the other router (also its WAN interface, same subnet), will this ping be encrypted?

The list from the key server would say yes, but I don't know if this also applies to traffic originated by the router itself (from the interface on which I have the crypto map).

Thanks,

Zoran

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Zoran,

Yes, router-originated traffic is also subject to encryption (we only put a silent deny for UDP/848).

In theory almost everything hits crypto on the way out :-)

Have you seen those packets leaking out in the clear? A very easy way to see is "debug ip packet" (with ACLs); packets originated from the box will show in debugs by default.

M.


3 Replies

Marcin,

Thank you very much for your answer. I've done "debug ip packet" and they are encrypted, so everything is as you said, but I wanted to double check, especially because I've heard from some colleagues that it should not be encrypted.

Cheers,

Zoran

Zoran,

Consider that we need to add an explicit deny for routing protocols (not only multicast-based, but also unicast) in the GETVPN encryption ACL; all routing protocols are considered to originate from the box (the ones with a "router ...." statement on the box).

Marcin
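The two practical points in this thread are that the key server's encryption ACL has to carry explicit deny entries for control-plane and routing-protocol traffic the router sources itself, and that "debug ip packet" scoped with an ACL is the way to confirm what actually leaves encrypted. The Cisco IOS configuration below is an added example written for this thread; it is not configuration from either poster. The group name, identity number, RSA key label, IPsec profile name, ACL numbers and the 192.0.2.x addresses are placeholders, and the RSA key and IPsec profile are assumed to exist already.

```cisco
! --- Key server: encryption policy pushed to every group member ---
! Added example; names, identity number and addresses are placeholders.
ip access-list extended GETVPN-POLICY
 remark GDOI registration/rekey (UDP/848) is already implicitly exempt;
 remark stating it keeps the intent visible in the running config
 deny   udp any any eq 848
 deny   udp any eq 848 any
 remark Routing protocols: the router originates these itself, so they need
 remark an explicit deny (multicast and unicast alike) or they hit crypto
 deny   eigrp any any
 deny   ospf any any
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 remark Management traffic to and from the routers stays in the clear
 deny   tcp any any eq 22
 deny   tcp any eq 22 any
 remark Everything else between group members is encrypted, including ICMP
 remark that a group member sources from its own WAN interface
 permit ip any any
!
! Binding the policy to the group (rekey key and IPsec profile assumed to exist)
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-POLICY
  address ipv4 192.0.2.1
!
! --- Group member: verify the downloaded policy and the test ping ---
! Confirm the ACL above has arrived from the key server before testing
show crypto gdoi gm acl
!
! Scope "debug ip packet" to the two WAN addresses; an unfiltered debug can
! overwhelm a busy router. GETVPN preserves the original IP header, so a
! host-to-host ACL matches the packet both before and after encryption.
configure terminal
 access-list 199 permit ip host 192.0.2.11 host 192.0.2.12
 access-list 199 permit ip host 192.0.2.12 host 192.0.2.11
end
debug ip packet 199 detail
ping 192.0.2.12 source 192.0.2.11 repeat 5
undebug all
!
! Independent check: the encaps counter on this group member's IPsec SA
! should advance by the five echo requests, and the peer's decaps counter
! by five as well.
show crypto ipsec sa
```

The ACL is evaluated top-down with first match winning, so every deny has to sit above the final permit ip any any; a routing-protocol deny added below it has no effect. Because the permit catches everything else, any other locally sourced traffic a group member must exchange with a non-member on the WAN needs its own deny entry in the same list.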