How do I restrict traffic on a IPSEC tunnel on a router other than using the access-lists that are used to identify which traffic is encryted
On the interface that the crypto is bound to, how is the access-list that controls normal traffic supposed to behave. I have had to modify this access-list to allow VPN traffic to flow. It appears that once the VPN traffic hits the router it is then passed through the access-list on that interface. I find this a little confusing. If I want to allow IP packets from a trusted IP host through the tunnel I don't see why I need to modify the access-list that protects the router from the internet. If someone was to spoof the trusted address this would allow them access.
Once a packet is switched and comes to the crypto interface, it encrypts the traffic and sends. All other packets which are switched to this interface will go as clear text traffic. This is the normal order of IPSec processing. The crypto access-list simply picks up the interesting packets coming to the crypto interface, applies crypto policy and sends it. Hope its clear.
I am more intereting in the process on a packet coming inbound from the a source on the other side of the tunnel.
It appears as if the packet get sdecryted and then is passed back through the normal access-list on the router. Is this normal behavour??
I did some little research on both interface access-list and crypto access-list.
Just want to share some observations for outbound traffic.
1. All traffic which matches the crypto access-list goes through the crypto interface as encrypted traffic regardless of whether an interface access-list allows it or denies it. That is the interface access-list is bypassed.
2. All traffic which doesn't match the crypto access-list goes through the crypto interface as clear text traffic again regardless of whether the interface access-list allows it or denies it.
3. Without any crypto map applied on the interface, the regular interface access-list takes over for traffic filtering.
Think similar situation will be for inbound traffic also. Let me know if you see the same.
Any VPN traffic passes through the ACL configuration in an interface twice. Once before encryption and once after encryption. So you need to permit the VPN related protocols as well as the VPN interesting traffic in your ACL.
The crypto-access-list defines which traffic should be encrypted and decrypted.
The inbound access-list on the interface where the crypto map is bound defines which cleartext and decrypted traffic should be forwarded.
If a packet that matches the crypto-access-list of the bound crypto map is received on the interface in cleartext, the packet is dropped. So spoofing does not bypass the access-list.
Please correct me if I am wrong but you don't require crypto access-list with Dynamic VPN clients. So the question is for those clients you open your inbound ACL to ESP and UDP 500. I am having a similar issue where my VPN client picks the ip address from IP local pool but then my interface inbound ACL doesn't allow that network. I don't want to open my ACL to allow the network of my local pool because someone could spoof it. Any thoughts ?