New Member

GETVPN question

Hello,

I have a couple of routers that are members of the same GETVPN group and share the same network on which traffic is encrypted (same WAN network).

My access list from the key server permits encryption for everything except EIGRP and SSH.

If I ping one router (its WAN interface) from the other router (also its WAN interface, same subnet), will this ping be encrypted?

The list from the key server would say yes, but I don't know if this also applies to traffic originating from the router (from the interface on which I have the crypto map).

Thanks,

Zoran

Accepted Solution
Cisco Employee

GETVPN question

Zoran,

Yes, router-originated traffic is also subject to encryption (we only put a silent deny for UDP/848).

In theory almost everything hits crypto on the way out :-)

Have you seen those packets leaking out in clear? A very easy way to see is "debug ip packet" (with ACLs); packets originated from the box will show in debugs by default.

M.

3 REPLIES
New Member

GETVPN question

Marcin,

thank you very much for your answer. I've done "debug ip packet" and they are encrypted, so everything is like you said, but I wanted to double check, especially because I've heard from some colleagues that it should not be encrypted.

Cheers,

Zoran

Cisco Employee

GETVPN question

Zoran,

Consider that we need to add an explicit deny for routing protocols (not only multicast-based, but also unicast) in the GETVPN encryption ACL; all routing protocols are considered as originating from the box (the ones with a "router ...." statement on the box).

Marcin
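As an added illustration of the policy discussed in this thread (constructed for this page, not configuration posted by either participant), the fragment below shows a key server ACL with explicit denies for GDOI, EIGRP (which covers both multicast hellos and unicast updates) and SSH ahead of the catch-all permit, plus the matching group member crypto map on the shared WAN interface, so that a ping between the two WAN addresses is encrypted while the exempted protocols stay in clear. All names, the group identity, the key server address 10.0.0.1 and the WAN subnet 192.0.2.0/24 are assumptions; the ISAKMP policy, keys and the rekey RSA keypair are assumed to exist already.

```cisco
! Added example, not configuration from the thread. Names, the group identity
! and the addresses (KS 10.0.0.1, shared WAN 192.0.2.0/24) are assumed.
! ISAKMP policy, keys and the RSA keypair used for rekeys are assumed present.
!
! --- Key server: the encryption policy pushed to every group member ---
! Every "permit" is encrypted, router-originated packets included, so traffic
! that must stay in clear needs an explicit "deny" before "permit ip any any".
ip access-list extended GETVPN-ENCRYPT-ACL
 remark GDOI control plane (IOS drops it silently, but keep the deny explicit)
 deny   udp any eq 848 any eq 848
 remark routing protocol: protocol 88 matches EIGRP multicast AND unicast packets
 deny   eigrp any any
 remark SSH to and from the routers' WAN interfaces, both directions
 deny   tcp any any eq 22
 deny   tcp any eq 22 any
 remark everything else, e.g. a ping between the two WAN interfaces, is encrypted
 permit ip any any
!
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY-KEYS
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ENCRYPT-ACL
  address ipv4 10.0.0.1
!
! --- Group member: GDOI crypto map on the shared WAN interface ---
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.0.0.1
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
interface GigabitEthernet0/0
 ip address 192.0.2.11 255.255.255.0
 crypto map GETVPN-MAP
!
! --- Verification on a group member (exec mode) ---
! show crypto gdoi gm acl                  <- policy actually downloaded from the KS
! show crypto ipsec sa | include encaps|decaps
!   "pkts encaps" rising while pinging the neighbour's WAN address confirms
!   that the router-originated ping went through crypto.
```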
