Cisco Support Community

New Member

VPN ACL

Hello Everyone!

I am working with a client to set up a site-to-site VPN tunnel. It is IPsec over GRE with BGP, and everything works. Please see the relevant part of my configuration below. But my client wants to set up an access list to restrict the source and destination for security purposes. In IPsec we can do it, but I am not sure we can do it on the GRE tunnel. Also, is it necessary to use "tunnel mode ipsec ipv4"? Please advise.

Best Regards,

Joe

crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto ipsec transform-set vpn-test esp-aes esp-sha-hmac
!
crypto ipsec profile ipsec-vpn-file
 set transform-set vpn-test
 set pfs group2
!
interface Tunnel1
 ip address 192.168.10.1 255.255.255.252
 ip virtual-reassembly
 ip tcp adjust-mss 1396
 tunnel source 192.168.20.20
 tunnel destination 192.168.10.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpn-file
!

  • WAN Routing and Switching
5 REPLIES
Purple

VPN ACL

Hi,

What you are doing now is the VTI configuration, which is the newer way of implementing GRE over IPsec and which has a lot of advantages over the oldest way with the crypto map and crypto ACL, so I would leave it this way. And even if you did it the oldest way, you still can't limit the traffic you are going to pass through the tunnel, as you're using GRE.

So in both cases you would have to implement filtering with an ACL on the tunnel interface to achieve your client's goal.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Re: VPN ACL

Thank you so much Alain! This is really helpful. One last thing: I want to verify that I need to implement filtering with an ACL on the tunnel interface... 1) Are they tunnel interfaces with GRE on the ACL? 2) Where should I apply the ACL? 3) Which is the newest way to implement IPsec over GRE?

Purple

VPN ACL

Hi,

1) I don't understand what you mean.

2) Inbound or outbound on the tunnel interface.

3) What you have implemented now, that is: tunnel protection with the IPsec profile.

Regards.

Alain

Don't forget to rate helpful posts.
Hall of Fame Super Silver

VPN ACL

In the original post Joe asked if it was necessary to use tunnel mode ipsec ipv4. I will answer the question in this way:

- The documentation says that you should use tunnel mode ipsec ipv4 in configuring this feature.

- I have seen implementations of tunnel protection ipsec profile that did not use tunnel mode ipsec ipv4 and worked OK.

- I have seen implementations of tunnel protection ipsec profile that did not use tunnel mode ipsec ipv4 and did not work until it was added.

- I believe that it is better if you do use it, but sometimes it may work if you do not use it. (I do not like to take chances that way and so I always use it.)

If you want to restrict traffic as part of some security policy then you can implement an access list on the tunnel interface. Whether that is inbound or outbound depends on what resources you are trying to protect and what you want to protect them from. If you want to prevent certain resources inside from getting to certain destinations outside then the access list should be applied outbound. If you want to prevent certain resources outside from accessing certain destinations inside then the access list would be applied inbound.

HTH

Rick
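Both Alain's and Rick's answers come down to the same thing: with a VTI (tunnel protection) the IPsec SA carries everything, so source/destination restriction is done with an ACL on the tunnel interface, inbound or outbound depending on which side is being protected. The IOS fragment below is an added example written for this thread, not configuration from any of the posters; it reuses Joe's Tunnel1 address (192.168.10.1) and assumes placeholder values of 10.1.0.0/24 for the local LAN, 10.1.0.10 for a local application server, 10.2.0.0/24 for the remote LAN, and 192.168.10.2 for the peer's tunnel address (the other end of the /30).

```cisco
! Added example: restrict what crosses Tunnel1 with ACLs on the
! tunnel interface. Assumed placeholder values (not from the thread):
!   10.1.0.0/24   local LAN behind this router
!   10.1.0.10     local application server
!   10.2.0.0/24   remote LAN behind the peer
!   192.168.10.2  peer's Tunnel1 address (other end of the /30)
!
! Inbound: traffic arriving from the remote site, seen after decryption.
ip access-list extended TUN1-IN
 remark BGP runs between the tunnel addresses; an inbound ACL also filters
 remark packets addressed to the router itself, so permit it explicitly
 permit tcp host 192.168.10.2 host 192.168.10.1 eq bgp
 permit tcp host 192.168.10.2 eq bgp host 192.168.10.1
 remark remote LAN may reach only the local app server, HTTPS only
 permit tcp 10.2.0.0 0.0.0.255 host 10.1.0.10 eq 443
 remark return traffic for sessions the local LAN opened toward the remote LAN
 permit tcp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 established
 remark ping for troubleshooting
 permit icmp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 echo
 permit icmp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 echo-reply
 remark everything else is dropped and logged (the implicit deny made visible)
 deny   ip any any log
!
! Outbound: traffic leaving toward the remote site, seen before encryption.
ip access-list extended TUN1-OUT
 remark local LAN may open SSH and HTTPS to the remote LAN
 permit tcp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 eq 22
 permit tcp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 eq 443
 remark replies from the local app server to remote clients
 permit tcp host 10.1.0.10 eq 443 10.2.0.0 0.0.0.255 established
 permit icmp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 echo
 permit icmp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 echo-reply
 remark no BGP entry needed here: IOS does not apply outbound ACLs to
 remark packets the router itself originates
 deny   ip any any log
!
interface Tunnel1
 ip access-group TUN1-IN in
 ip access-group TUN1-OUT out
!
! Verify: per-entry match counters show what is passing and what is dropped
! show ip access-lists TUN1-IN
! show ip access-lists TUN1-OUT
```

Two points worth keeping in mind when adapting this. The ACLs on Tunnel1 match the inner, cleartext packets, so the entries use LAN and tunnel-interface addresses, never the tunnel source/destination (192.168.20.20 and 192.168.10.10), which are only visible on the physical interface as ESP. And because an inbound ACL on IOS also filters packets destined to the router, the BGP permit in TUN1-IN is what keeps the session up; leaving it out is the most common way an otherwise correct tunnel ACL takes the routing down with it. The `log` keyword on the final deny turns rejected traffic into syslog entries, which is a cheap way to see whether the policy is being hit by something it should not be.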

New Member

Re: VPN ACL

Thank you Rick and Alain! It really helps!
