12-01-2023 02:09 PM
Hi Everyone.
This is actually my first post here. I'm just experimenting with IPsec and dynamic IPs, and while everything works fine, there is something I cannot understand. In the diagram below you see three networks. The VPCs can talk to each other over the tunnel, which gets created as traffic is generated. I have added a rule to the middle router (R2) that blocks traffic between the networks, just to see what would happen. For example:
deny ip 172.16.0.0 0.0.0.255 10.10.10.8 0.0.0.3
deny icmp 172.16.0.0 0.0.0.255 10.10.10.8 0.0.0.3
I was expecting that nothing would happen, since the traffic is encrypted in ESP. I'm not sure why this is happening.
Thanks.
12-01-2023 02:23 PM
Any ACL ends with an implicit deny any any.
So your ACL denies the ESP traffic between the two sites.
You need to add permit ip any any, or permit udp 50, or permit udp 4500 (for IPsec over NAT).
MHM
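Worked example of the point made in this answer, added by the editor and not part of the original thread. Two things are worth spelling out for anyone reading along. First, the deny lines in the question match the inner (cleartext) addresses, but what R2 sees on the wire is an ESP packet whose outer header carries the two tunnel peers' addresses, so those lines never match it; the packet then falls through to the implicit deny at the end of every IOS ACL. Second, ESP is IP protocol 50, not a UDP port, so on IOS the line to permit it is `permit esp any any` (or `permit 50 any any`); IKE is UDP/500 and NAT-T is UDP/4500. The script below is a small Python model of IOS extended-ACL evaluation (wildcard masks, first match wins, implicit deny) and runs the original two deny lines against constructed packets. The peer addresses 203.0.113.1 and 198.51.100.1 are assumptions for the example; the thread does not give them.

```python
"""Toy model of Cisco IOS extended-ACL evaluation (example code, not from the thread).

Shows why 'deny ip 172.16.0.0 0.0.0.255 10.10.10.8 0.0.0.3' cannot match an ESP
packet, and why the packet is still dropped: first match wins, and an ACL
ends with an implicit 'deny ip any any'.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address

# IANA protocol numbers used by IOS keywords; 'ip' matches every protocol.
PROTOCOLS = {"ip": None, "icmp": 1, "udp": 17, "esp": 50}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int            # IP protocol number of the OUTER header
    dport: int | None = None


@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: int | None     # None == 'ip' (any protocol)
    src: tuple[str, str]  # (address, wildcard mask)
    dst: tuple[str, str]
    dport: int | None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _take_addr(tokens: list[str]) -> tuple[tuple[str, str], list[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse one line such as 'permit udp any any eq 500'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    proto_num = PROTOCOLS[proto] if proto in PROTOCOLS else int(proto)  # e.g. '50'
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action == "permit", proto_num, src, dst, dport)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto is not None and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: list[str], pkt: Packet) -> tuple[str, str]:
    """First matching entry wins; otherwise the implicit deny at the end applies."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ("permit" if ace.permit else "deny", line)
    return ("deny", "implicit deny ip any any")


# The two lines from the question, exactly as posted.
ORIGINAL_ACL = [
    "deny ip 172.16.0.0 0.0.0.255 10.10.10.8 0.0.0.3",
    "deny icmp 172.16.0.0 0.0.0.255 10.10.10.8 0.0.0.3",
]
# Same denies, plus what R2 must let through for the tunnel to come up and carry traffic.
FIXED_ACL = ORIGINAL_ACL + [
    "permit esp any any",           # ESP is IP protocol 50, not a UDP port
    "permit udp any any eq 500",    # IKE
    "permit udp any any eq 4500",   # NAT-T (IKE/ESP in UDP when a NAT is in the path)
]

# Constructed packets. Peer addresses are assumed; the thread does not state them.
ESP_PKT = Packet("203.0.113.1", "198.51.100.1", proto=50)
IKE_PKT = Packet("203.0.113.1", "198.51.100.1", proto=17, dport=500)
INNER_ICMP = Packet("172.16.0.10", "10.10.10.9", proto=1)   # the cleartext the denies target

if __name__ == "__main__":
    print("ESP through original ACL:", evaluate(ORIGINAL_ACL, ESP_PKT))
    print("ESP through fixed ACL:   ", evaluate(FIXED_ACL, ESP_PKT))
    print("IKE through fixed ACL:   ", evaluate(FIXED_ACL, IKE_PKT))
    print("Inner ICMP (cleartext):  ", evaluate(FIXED_ACL, INNER_ICMP))
```

Running it shows the ESP packet being dropped by the implicit deny under the original two lines, and permitted by `permit esp any any` once that is added, while the cleartext inner flow (which R2 never actually sees once the tunnel is up) would still hit the deny lines. This is only a model of ACL matching; it ignores established/reflexive options, object groups and the other IOS keywords.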
12-01-2023 02:34 PM
Of course! How could I have forgotten that! This bugged me for a long time. Thank you.
12-01-2023 02:37 PM
Don't worry.
Everyone faces the same issue sometimes.
Have a nice weekend
MHM