https://community.cisco.com/t5/vpn/getvpn-question/m-p/1843827#M62099 <HTML><HEAD></HEAD><BODY><P>Zoran, </P><P></P><P>Consider we need to add explicity deny for routing protocols (not only multicast based, but also unicast) in GETVPN encryption ACL - all routing protocols are considered originating from the box (the ones with "router ...." statment on the box).</P><P></P><P>Marcin</P></BODY></HTML> Mon, 16 Jan 2012 10:03:24 GMT Marcin Latosiewicz 2012-01-16T10:03:24Z https://community.cisco.com/t5/vpn/getvpn-question/m-p/1843824#M62096 <P>Hello,</P><P></P><P>I have a couple of routers that are members of the same GETVPN group</P><P>and share the same network on which traffic is encrypted (same WAN network).</P><P></P><P>My access list from key server permits encryption for everything except eigrp</P><P>and ssh.</P><P></P><P>If I ping one router (his WAN interface) from other router (also his WAN interface,</P><P>same subnet) will this ping be encrypted?</P><P></P><P>List from key server would say yes but I don't know if this goes also for router originating</P><P>traffic (from interface on which I have crypto map).</P><P></P><P>Thanks,</P><P>Zoran</P> Sat, 22 Feb 2020 01:49:00 GMT https://community.cisco.com/t5/vpn/getvpn-question/m-p/1843824#M62096 zoran.suica 2020-02-22T01:49:00Z https://community.cisco.com/t5/vpn/getvpn-question/m-p/1843825#M62097 <HTML><HEAD></HEAD><BODY><P>Zoran, </P><P></P><P>Yes, router originated traffic is also subject to encryption (we only put a silent deny for UDP/848).</P><P>In theory almost everything hits crypto on the way out :-)</P><P>Have you seen those packets leaking out in clear? A very easy way to see is "debug ip packet" (with ACLs) packets originated from the box will show in debugs by default.</P><P></P><P>M.</P></BODY></HTML> Sat, 14 Jan 2012 08:00:03 GMT https://community.cisco.com/t5/vpn/getvpn-question/m-p/1843825#M62097 Marcin Latosiewicz 2012-01-14T08:00:03Z https://community.cisco.com/t5/vpn/getvpn-question/m-p/1843826#M62098 <HTML><HEAD></HEAD><BODY><P>Marcin,</P><P></P><P>thank you very much for your answer. I've done "debug ip packet" and they are</P><P>encrypted so everything is like you said but I wanted to double check, especially</P><P>because I've heard from some colleagues that it should not be encrypted.</P><P></P><P>Cheers,</P><P>Zoran</P></BODY></HTML> Sun, 15 Jan 2012 23:33:17 GMT https://community.cisco.com/t5/vpn/getvpn-question/m-p/1843826#M62098 zoran.suica 2012-01-15T23:33:17Z https://community.cisco.com/t5/vpn/getvpn-question/m-p/1843827#M62099 <HTML><HEAD></HEAD><BODY><P>Zoran, </P><P></P><P>Consider we need to add explicity deny for routing protocols (not only multicast based, but also unicast) in GETVPN encryption ACL - all routing protocols are considered originating from the box (the ones with "router ...." statment on the box).</P><P></P><P>Marcin</P></BODY></HTML> Mon, 16 Jan 2012 10:03:24 GMT https://community.cisco.com/t5/vpn/getvpn-question/m-p/1843827#M62099 Marcin Latosiewicz 2012-01-16T10:03:24Z