Solved: IPSEC Crypto map match address is different...

cindylee27 · ‎11-12-2008

Hi Experts,

I wan to check if let's say for this encrpytion as below, will it work if the match address is different access-list?

Is it okay if match address 108 is permit any any? Thanks.

For example, below 10.18.50.1 at Segment A is communicating with 10.18.40.1 at Segment B on this encrpytion traffic.

Router A#

crypto map NVR 15 ipsec-isakmp

set peer 10.18.20.5

set transform-set NVRS

match address 107

access-list 107 permit ip host 10.18.50.1 host 10.18.40.1

Router B#

crypto map NVR 15 ipsec-isakmp

set peer 10.18.20.6

set transform-set NVRS

match address 108

access-list 108 permit ip any any

Istvan_Rabai · ‎11-12-2008

Hi Cindy,

According to my observations the access-lists defining the interesting traffic should be symmetrical on the VPN endpoints. Else the IPSec negotiation will fail and the VPN tunnel will not be formed.

So access-list 108 should be the following:

access-list 108 permit ip host 10.18.40.1 host 10.18.50.1

Cheers:

Istvan

View solution in original post

Istvan_Rabai · ‎11-12-2008

Hi Cindy,

According to my observations the access-lists defining the interesting traffic should be symmetrical on the VPN endpoints. Else the IPSec negotiation will fail and the VPN tunnel will not be formed.

So access-list 108 should be the following:

access-list 108 permit ip host 10.18.40.1 host 10.18.50.1

Cheers:

Istvan

cindylee27 · ‎11-12-2008

Thanks Istvan.

I got it now.. :)

That's is very helpful..

rgds,

cindy.