cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1048
Views
10
Helpful
4
Replies

Incoming traffic is not encrypted

Mozambique
Level 1
Level 1
1 Accepted Solution

Accepted Solutions

Hello @Mozambique ,

you have to write the ACL 120 from the point of view of internal traffic.

In other words it should describe traffic from an internal LAN IP subnet to a remote LAN IP subnet reachable via the the IPSec peer.

example:

You local LAN is 192.168.10.0/24   and the remote network LAN is 192.168.50.0/24

access-list 120 becomes:

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255

 

You are configuring a LAN to LAN IPSEC VPN and ACL 120 defines the interesting traffic to be encrypted.

 

This is why any should never be used in an ACL used fo this purpose otherwise your router would expect to receive only encrypted traffic.

 

note:

on remote side the ACL has to be the mirror of the local one:

access-list 121 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255

The ACL is written for traffic to be sent so the the source is the local LAN subnet and the destination is the remote peer's LAN subnet.

 

Hope to help

Giuseppe

 

View solution in original post

4 Replies 4

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @Mozambique ,

can you provide the configuation of ACL 120 ?

you should avoid to use the any keyword in this ACL.

 

please note that your IPSec peer is  45.3.2.1  and the unencrypted packet is received from source 68.2.112.74,

This should be legitimate un-encrypted traffic.

 

Hope to help

Giuseppe

 

/

Hello @Mozambique ,

you have to write the ACL 120 from the point of view of internal traffic.

In other words it should describe traffic from an internal LAN IP subnet to a remote LAN IP subnet reachable via the the IPSec peer.

example:

You local LAN is 192.168.10.0/24   and the remote network LAN is 192.168.50.0/24

access-list 120 becomes:

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255

 

You are configuring a LAN to LAN IPSEC VPN and ACL 120 defines the interesting traffic to be encrypted.

 

This is why any should never be used in an ACL used fo this purpose otherwise your router would expect to receive only encrypted traffic.

 

note:

on remote side the ACL has to be the mirror of the local one:

access-list 121 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255

The ACL is written for traffic to be sent so the the source is the local LAN subnet and the destination is the remote peer's LAN subnet.

 

Hope to help

Giuseppe

 

Thank you very much @Giuseppe Larosa 

If I'll have a chance, I'll try that.

Review Cisco Networking for a $25 gift card