07-29-2015 07:33 PM - edited 03-05-2019 01:58 AM
Hi, Group,
Is there a fundamental difference in using the following encryption domains in crypto map configurations:
ip access-list extended encdom-custA
permit ip host 10.1.1.4 host 192.168.4.1
permit ip host 10.1.1.5 host 192.168.4.1
and
ip access-list extended encdom-custA-alternate
permit ip 10.1.1.4 0.0.0.1 host 192.168.4.1
Do both sides have to use summarized/wildcard masked values or do either work?
thanks in advance,
tim
07-30-2015 03:48 AM
Hi Tim,
The Crypto ACL doesn't have to be an exact mirror; below are my findings
R4
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key test123 address 155.1.45.5
crypto ipsec transform-set DES-MD5 esp-3des esp-md5-hmac
mode tunnel
crypto map VPN 1 ipsec-isakmp
set peer 155.1.45.5
set security-association lifetime seconds 28800
set transform-set DES-MD5
match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R5
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key test123 address 155.1.45.4
crypto ipsec transform-set DES-MD5 esp-3des esp-md5-hmac
mode tunnel
crypto map VPN 1 ipsec-isakmp
set peer 155.1.45.4
set security-association lifetime seconds 28800
set transform-set DES-MD5
match address 101
access-list 101 permit ip host 192.168.2.1 host 192.168.1.1
Show outputs
R4
R4#show crypto ipsec sa
interface: Ethernet0/0.45
Crypto map tag: VPN, local addr 155.1.45.4
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
current_peer 155.1.45.5 port 500
PERMIT, flags={}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
R5
R5#show crypto ipsec sa
interface: Ethernet0/0.45
Crypto map tag: VPN, local addr 155.1.45.5
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
current_peer 155.1.45.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
So you can see from the above output that the ACLs weren't the same on both sides, but a portion matched, the IPsec SA was created and it was able to pass the traffic.
Hope this helps
Hitesh
Pls rate useful posts
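A way to check a pair of crypto ACLs before deploying them, as an added example (not Hitesh's or Cisco's code): it models the IKEv1 quick-mode rule that a responder accepts the initiator's proxy identities only when one of its own crypto ACL entries covers them, so the thread's R4/R5 pair negotiates when the host/host side initiates but not when the /24 side does. Function and variable names are the example's own, and the two ACLs are constructed from the lines quoted above.

```python
import ipaddress
from typing import List, Tuple

Ace = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # (source, destination)

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair into a prefix (host == wildcard 0.0.0.0)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # ones not contiguous from the right: no prefix equivalent
        raise ValueError(f"non-contiguous wildcard {wildcard} has no prefix equivalent")
    prefix = 33 - (w + 1).bit_length()  # 0.0.0.0 -> /32, 0.0.0.1 -> /31, 0.0.0.255 -> /24
    return ipaddress.IPv4Network((addr, prefix), strict=False)

def parse_ace(line: str) -> Ace:
    """Parse one 'permit ip <src> <dst>' crypto ACL entry in the forms used on the page."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    nets, i = [], 2
    while i < len(tokens):
        if tokens[i] == "host":
            nets.append(wildcard_to_network(tokens[i + 1], "0.0.0.0")); i += 2
        elif tokens[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0")); i += 1
        else:
            nets.append(wildcard_to_network(tokens[i], tokens[i + 1])); i += 2
    if len(nets) != 2:
        raise ValueError(f"expected a source and a destination in: {line}")
    return nets[0], nets[1]

def responder_accepts(proposal: Ace, responder_acl: List[Ace]) -> bool:
    """IKEv1 quick mode (assumed IOS behaviour): the responder accepts the initiator's
    proxy IDs only if one of its own entries covers them, mirrored (initiator src
    is the responder's destination, initiator dst is the responder's source)."""
    init_src, init_dst = proposal
    return any(init_dst.subnet_of(r_src) and init_src.subnet_of(r_dst)
               for r_src, r_dst in responder_acl)

def check_pair(acl_a: List[str], acl_b: List[str]) -> dict:
    """Try every entry of each side as an initiator proposal against the other side's ACL."""
    a, b = [parse_ace(l) for l in acl_a], [parse_ace(l) for l in acl_b]
    return {"a_initiates": [responder_accepts(p, b) for p in a],
            "b_initiates": [responder_accepts(p, a) for p in b]}

# Constructed from the thread: R4's /24<->/24 entry and R5's host<->host entry.
R4_ACL = ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]
R5_ACL = ["permit ip host 192.168.2.1 host 192.168.1.1"]

if __name__ == "__main__":
    print(check_pair(R4_ACL, R5_ACL))  # R5 initiating is accepted, R4 initiating is not
```

Feeding it the two encryption domains from the question shows the same asymmetry: the side with two host entries can always initiate against a peer holding the /31 form, while a peer initiating with the /31 is only accepted by an ACL that covers the whole /31.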
07-30-2015 10:12 AM
Hitesh,
That does help. I've typically always done mirrored encryption domains to avoid unintended consequences.
--tim