https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4995137#M1107866 <P>***Policy based vpn (using acl) have one status&nbsp;</P> <P>Ipsec is active or not</P> <P>This need as I mention before ping from lan to lan to make ipsec active&nbsp;</P> <P>***route-based vpn&nbsp;</P> <P>This have two status&nbsp;</P> <P>Tunnel is up or down</P> <P>Ipsec ove this tunnel is active or not</P> <P>&nbsp;</P> <P>Here tunnel status depend on reachability of tunnel destination&nbsp; if not reachable then it down</P> <P>And about ipsec&nbsp;</P> <P>As you mention we can use static or igp to direct traffic through tunnel</P> <P>If we use static and we dont use keepalive then ipsec is not active and we need ping to make it active&nbsp;</P> <P>If we use igp then ipsec is active since the tunnel need ipsec to protect the igp packet between two end&nbsp;</P> <P>MHM</P> Fri, 12 Jan 2024 11:56:35 GMT MHM Cisco World 2024-01-12T11:56:35Z https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4994423#M1107811 <P>Hello</P><P>i have a question&nbsp;</P><P><STRONG>how Opening ipsec tunnel flow?&nbsp; and what are the steps ?</STRONG></P><P>&nbsp;</P><P><STRONG>Thanks</STRONG></P> Thu, 11 Jan 2024 15:21:19 GMT https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4994423#M1107811 dhikra-marghli8 2024-01-11T15:21:19Z https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4994449#M1107814 <P>I dont full get your Q&nbsp;</P> <P>But we ping from lan to lan to make ipsec tunnel up.</P> <P>MHM</P> Thu, 11 Jan 2024 15:47:05 GMT https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4994449#M1107814 MHM Cisco World 2024-01-11T15:47:05Z https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4994454#M1107816 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1651856">@dhikra-marghli8</a> to establish an IPSec VPN - if using a policy based VPN you need to generate interesting traffic from an IP address defined in the crypto ACL, this should then establish the VPN. If using a route based VPN then the tunnel should automatically be established.</P> Thu, 11 Jan 2024 15:53:11 GMT https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4994454#M1107816 Rob Ingram 2024-01-11T15:53:11Z https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4994481#M1107821 <P>its all depends what VPN we are discussion here, you need to put more information here to address correctly</P> <P>as <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a> mentioned - you need intiate the traffic for the traffic flow end to end.</P> <P>adding other note, if you using ASA you can use packet tracer also i guess.</P> <P>&nbsp;</P> Thu, 11 Jan 2024 16:19:48 GMT https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4994481#M1107821 balaji.bandi 2024-01-11T16:19:48Z https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4994503#M1107827 <P>Hello <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1651856">@dhikra-marghli8</a>&nbsp;</P><P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp; summarize perfectlu.</P><P>In policy-based VPNs, the tunnel is established based on defined policies. The initiation of the VPN tunnel is triggered by interesting traffic that matches the criteria specified in the crypto ACL. This traffic is then encrypted and sent through the VPN tunnel.</P><P>On the other hand, in route-based VPNs, the tunnel is typically always up, and it's associated with specific routes rather than traffic characteristics. This means that any traffic destined for the specified remote networks will automatically be directed through the established VPN tunnel. Route-based VPNs often use tunnel interfaces and are more flexible in handling various types of traffic.</P><P>&nbsp;</P> Thu, 11 Jan 2024 16:45:33 GMT https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4994503#M1107827 M02@rt37 2024-01-11T16:45:33Z https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4995119#M1107864 <P><SPAN>first question : <STRONG>route-based VPNs&nbsp; what's mean ?</STRONG>&nbsp; &nbsp;</SPAN></P><P><SPAN>we use route statique ou&nbsp;we will use routing protocols to open a flow between two networks ?? or GRE&nbsp;</SPAN></P><P><SPAN>second question :</SPAN></P><P><SPAN>policy-based VPNs&nbsp; means tunnel ipsec use policy firewall ? to open a&nbsp;flow ?</SPAN></P><P>&nbsp;</P><P><SPAN>i wait a reply&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P><P>&nbsp;</P> Fri, 12 Jan 2024 11:30:07 GMT https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4995119#M1107864 dhikra-marghli8 2024-01-12T11:30:07Z https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4995131#M1107865 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1651856">@dhikra-marghli8</a>&nbsp;</P><P>In a route-based VPN, the establishment of the VPN connection is based on the routing table. This means that the decision to send traffic through the VPN tunnel is made based on the destination address of the packet and the entries in the routing table.<BR />Route-based VPNs use routes or policies to determine which traffic should be encrypted and sent through the VPN tunnel. This can involve static routes or dynamic routing protocols.<BR />GRE can be used in conjunction with route-based VPNs to create a tunnel, but the actual routing decisions are made based on the routing table.</P><P>In a policy-based VPN, the decision to encrypt and send traffic through the VPN tunnel is based on specific policies or rules configured on the firewall.<BR />IPsec, a commonly used protocol for VPNs, is often associated with policy-based VPNs. The policies define which traffic should be protected and how it should be protected (encryption parameters, authentication, etc.).<BR />These policies are often tied to specific criteria such as source/destination IP addresses, protocols, or application types.</P><P>&nbsp;</P> Fri, 12 Jan 2024 11:48:08 GMT https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4995131#M1107865 M02@rt37 2024-01-12T11:48:08Z https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4995137#M1107866 <P>***Policy based vpn (using acl) have one status&nbsp;</P> <P>Ipsec is active or not</P> <P>This need as I mention before ping from lan to lan to make ipsec active&nbsp;</P> <P>***route-based vpn&nbsp;</P> <P>This have two status&nbsp;</P> <P>Tunnel is up or down</P> <P>Ipsec ove this tunnel is active or not</P> <P>&nbsp;</P> <P>Here tunnel status depend on reachability of tunnel destination&nbsp; if not reachable then it down</P> <P>And about ipsec&nbsp;</P> <P>As you mention we can use static or igp to direct traffic through tunnel</P> <P>If we use static and we dont use keepalive then ipsec is not active and we need ping to make it active&nbsp;</P> <P>If we use igp then ipsec is active since the tunnel need ipsec to protect the igp packet between two end&nbsp;</P> <P>MHM</P> Fri, 12 Jan 2024 11:56:35 GMT https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4995137#M1107866 MHM Cisco World 2024-01-12T11:56:35Z https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4995140#M1107867 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1651856">@dhikra-marghli8</a>&nbsp;</P><P>Côté FortiGate voilà une documentation intéressante:</P><P><A href="https://community.fortinet.com/t5/FortiGate/Technical-Tip-Route-based-VPN-can-establish-an-IPsec-tunnel-with/ta-p/246669" target="_blank">https://community.fortinet.com/t5/FortiGate/Technical-Tip-Route-based-VPN-can-establish-an-IPsec-tunnel-with/ta-p/246669</A></P> Fri, 12 Jan 2024 12:06:48 GMT https://community.cisco.com/t5/network-security/opening-ipsec-tunnel-flow/m-p/4995140#M1107867 M02@rt37 2024-01-12T12:06:48Z