Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
614
Views
0
Helpful
3
Replies

Exclude addresses from encryption

elise.lucas
Level 1
Level 1

‎08-09-2012 02:57 AM - edited ‎03-04-2019 05:13 PM

Hello


I've configured encryption between site A and site B as followed:

On site A, this my configuration. As you can see, all traffic going through the interface Gi0/2/1 is encrypted.

crypto ipsec transform-set MyProfile-Trans esp-aes 256 esp-sha-hmac
!
crypto ipsec profile MyProfile

     set transform-set MyProfile-Trans

interface Tunnel110

description *** Tunnel to SITE B ***

bandwidth 1000000

ip address 171.0.103.1 255.255.255.252

tunnel source GigabitEthernet0/2/1

tunnel mode ipsec ipv4

tunnel destination 171.0.98.146

tunnel protection ipsec profile MyProfile

interface GigabitEthernet0/2/1

description *** Interface to SITE B ***

ip address 171.0.98.41 255.255.255.252

ip ospf hello-interval 5

I would like now to exclude some addresses from this tunnel. What is the best way to do so?

Thank you

Elise

Labels:
0 Helpful
3 Replies 3

Karsten Iwen
VIP
VIP

‎08-09-2012 03:03 AM

You can use policy-based-routing (PBR) to route some traffic a different way:

http://www.cisco.com/en/US/partner/products/ps6599/products_white_paper09186a00800a4409.shtml#wp14033

http://www.cisco.com/en/US/partner/docs/ios/12_2/ip/configuration/guide/1cfindep.html#wp1001398

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

elise.lucas
Level 1
Level 1
In response to Karsten Iwen

‎08-09-2012 05:53 AM

Hello

Thank you for your answer.


Is there no other possibility than a PBR?

I've seen something like:

crypto ipsec profile name

match acl-name transform-set transform-set-name


But this "match" command is not accepted by my router: do you know why?

Thank you

0 Helpful

Karsten Iwen
VIP
VIP
In response to elise.lucas

‎08-09-2012 06:39 AM

Where have you seen that statement? I'm not aware of that command in that place.

But anyhow it would be the wrong place to achieve your goal.

What addresses do you want to exclude? Specific sources or specific destination-addresses.

For sources, there is only PBR. For destination-addresses you can tweak your routing-protocol to anounce more specific host-routes on the preferred way.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Customers Also Viewed These Support Documents