CSM_IPSEC_ACL customization within CSM

Hello,

I need to encapsulate an L2TPv3 tunnel in a crypto session. Without CSM, I just need to add

permit 115 host HOST-A host HOST-B

in the CSM_IPSEC_ACL related to the hosts in charge of the crypto link.

But this ACL is 100% managed by CSM, so it recreates a new one each time I push a config.

I tried to create a flex prepend to remove my settings, and a flex append to recreate them, but CSM makes its checks before the prepend. So it works the first time, and the second time CSM creates a new ACL.

Any idea how to force CSM to accept my current settings (and let it continue to manage the VPNs)?

PS: I'm using CSM 3.3.1 sp2

Thanks,

NH

Stefano De Crescenzo
Cisco Employee

Hi Nicolas,

Can you be a bit more specific on what CSM is trying to do? Maybe sending the delta with some explanation would work.

Stefano

Hello Stefano,

By default CSM auto-generates this kind of ACL for the static crypto:

ip access-list extended CSM_IPSEC_ACL_2
permit gre host SOURCE host DEST

used by

crypto map CSM_CME_GigabitEthernet0/2.210 1 ipsec-isakmp
description Provisioned by CSM: Peer device = DEST
set peer DEST
set transform-set CSM_TS_1
match address CSM_IPSEC_ACL_2

I would like to add this in the ACL:

permit 115 host SOURCE host DEST

so that L2TPv3 is encrypted too.

But as soon as I redeploy after a modification, CSM re-creates a new ACL.

regards,

NH
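
Because CSM regenerates the CSM_IPSEC_ACL_n lists on every deployment, the practical risk is that the L2TPv3 entry silently disappears and the tunnel traffic leaves the box in cleartext. The following script is an added example (not part of the thread, and not a CSM or IOS tool): it parses a running-config in the shape shown above, maps each CSM crypto map entry to its "match address" ACL, and reports the entries whose ACL has no "permit 115" ACE between the local host and the peer. The addresses and the second crypto map entry in the embedded config are constructed for illustration; the local host address is assumed to be passed in by the operator.

```python
"""Audit CSM-generated crypto ACLs for a required L2TPv3 (IP protocol 115) entry.

Added example: after each CSM deployment, run this over 'show running-config'
output to detect crypto map entries whose ACL lost the manually added ACE.
"""
import re
from typing import Dict, List

# Constructed sample config in the shape CSM produces (addresses are made up).
SAMPLE_CONFIG = """\
ip access-list extended CSM_IPSEC_ACL_2
 permit gre host 10.1.1.1 host 10.2.2.2
ip access-list extended CSM_IPSEC_ACL_3
 permit gre host 10.1.1.1 host 10.3.3.3
 permit 115 host 10.1.1.1 host 10.3.3.3
crypto map CSM_CME_GigabitEthernet0/2.210 1 ipsec-isakmp
 description Provisioned by CSM: Peer device = 10.2.2.2
 set peer 10.2.2.2
 set transform-set CSM_TS_1
 match address CSM_IPSEC_ACL_2
crypto map CSM_CME_GigabitEthernet0/2.210 2 ipsec-isakmp
 description Provisioned by CSM: Peer device = 10.3.3.3
 set peer 10.3.3.3
 set transform-set CSM_TS_1
 match address CSM_IPSEC_ACL_3
"""


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Return {acl_name: [ace, ...]} for every 'ip access-list extended' block."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if line.startswith(" ") and current is not None:
            acls[current].append(line.strip())  # indented line = ACE of current ACL
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the ACL block
    return acls


def parse_crypto_maps(config: str) -> List[dict]:
    """Return one dict per 'crypto map <name> <seq> ipsec-isakmp' entry."""
    entries: List[dict] = []
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = {"map": m.group(1), "seq": int(m.group(2)), "peer": None, "acl": None}
            entries.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None
            continue
        words = line.split()
        if words[:2] == ["set", "peer"]:
            current["peer"] = words[2]
        elif words[:2] == ["match", "address"]:
            current["acl"] = words[2]
    return entries


def acl_permits(aces: List[str], proto: str, src: str, dst: str) -> bool:
    """True if the ACL contains 'permit <proto> host <src> host <dst>'."""
    for ace in aces:
        if ace.split() == ["permit", proto, "host", src, "host", dst]:
            return True
    return False


def find_missing_l2tpv3(config: str, local_host: str) -> List[str]:
    """Return 'map:seq' ids of crypto entries whose ACL lacks the L2TPv3 ACE to the peer."""
    acls = parse_acls(config)
    missing = []
    for entry in parse_crypto_maps(config):
        aces = acls.get(entry["acl"], [])
        if entry["peer"] is None or not acl_permits(aces, "115", local_host, entry["peer"]):
            missing.append(f'{entry["map"]}:{entry["seq"]}')
    return missing


if __name__ == "__main__":
    # Local tunnel endpoint is assumed to be 10.1.1.1 in the constructed sample.
    for entry_id in find_missing_l2tpv3(SAMPLE_CONFIG, "10.1.1.1"):
        print(f"WARNING: {entry_id} has no 'permit 115' ACE; L2TPv3 would not be encrypted")
```

Run it after each deployment (or from a cron job against a config backup); any line of output means the redeploy has rebuilt the crypto ACL without the L2TPv3 entry, which is exactly the moment the tunnel needs attention.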

The ACLs with the underscores are CSM generated and cannot be changed (with or without Flex config).

Why can't you go change the crypto ACL in the appropriate CSM field?

PK

Hello,

I wasn't able to find this one. It looks to be auto-generated.

For instance, NAT ACL can be modified, but I haven't found a way to modify this IPSEC one.

Any idea?

Regards,

NH
