cindylee27
Beginner

IPSEC Crypto map match address is different...

Hi Experts,

I want to check if, let's say for this encryption as below, it will work if the match address is a different access-list?

Is it okay if match address 108 is permit any any? Thanks.

For example, below 10.18.50.1 at Segment A is communicating with 10.18.40.1 at Segment B on this encryption traffic.

Router A#

crypto map NVR 15 ipsec-isakmp
 set peer 10.18.20.5
 set transform-set NVRS
 match address 107

access-list 107 permit ip host 10.18.50.1 host 10.18.40.1

Router B#

crypto map NVR 15 ipsec-isakmp
 set peer 10.18.20.6
 set transform-set NVRS
 match address 108

access-list 108 permit ip any any

Accepted Solutions
Istvan_Rabai
Rising star

Hi Cindy,

According to my observations the access-lists defining the interesting traffic should be symmetrical on the VPN endpoints. Else the IPSec negotiation will fail and the VPN tunnel will not be formed.

So access-list 108 should be the following:

access-list 108 permit ip host 10.18.40.1 host 10.18.50.1

Cheers:

Istvan
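
The symmetry check described in the answer above can be run offline against both routers' configurations before a change goes in. The following is an added example, not part of the original posts; the function names are hypothetical, and it assumes `permit` entries without port qualifiers.

```python
import ipaddress

# Constructed sample input: the ACL lines quoted in this thread.
ROUTER_A = "access-list 107 permit ip host 10.18.50.1 host 10.18.40.1"
ROUTER_B_POSTED = "access-list 108 permit ip any any"
ROUTER_B_SUGGESTED = "access-list 108 permit ip host 10.18.40.1 host 10.18.50.1"

def parse_endpoint(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # An IOS wildcard mask is the bitwise inverse of a netmask.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{head}/{netmask}", strict=False)

def parse_crypto_acl(config, number):
    """Return (protocol, source, destination) for each permit entry of one ACL.
    Assumption: entries carry no port qualifiers (eq, range, ...)."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] == ["access-list", str(number), "permit"]:
            rest = tokens[4:]
            src = parse_endpoint(rest)
            dst = parse_endpoint(rest)
            entries.append((tokens[3], src, dst))
    return entries

def mirror_mismatches(local, remote):
    """Swap source and destination on the peer's entries, then compare.
    Returns (local entries the peer lacks, peer entries the local side lacks)."""
    mirrored = [(proto, dst, src) for proto, src, dst in remote]
    unmatched_local = [e for e in local if e not in mirrored]
    unmatched_peer = [e for e in mirrored if e not in local]
    return unmatched_local, unmatched_peer

if __name__ == "__main__":
    a = parse_crypto_acl(ROUTER_A, 107)
    for label, cfg in (("posted", ROUTER_B_POSTED), ("suggested", ROUTER_B_SUGGESTED)):
        print(label, mirror_mismatches(a, parse_crypto_acl(cfg, 108)))
```

Two empty lists mean every entry on one side has a source/destination-swapped counterpart on the other; peer entries are reported in the local router's orientation.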

Thanks Istvan.

I got it now.. :)

That's very helpful..

rgds,

cindy.