Router rules blocking encrypted traffic(IPsec)

Sargon007
Level 1

Hi Everyone.

This is actually my first post here. I'm just experimenting with IPsec and dynamic IPs, and while everything works fine, there is something I cannot understand. In the diagram below you see three networks. The VPCs can talk to each other over the tunnel, which gets created as traffic is generated. I have added a rule to the middle router (R2) that blocks traffic between the networks, just to see what would happen. For example:

deny ip 172.16.0.0 0.0.0.255 10.10.10.8 0.0.0.3
deny icmp 172.16.0.0 0.0.0.255 10.10.10.8 0.0.0.3

I was expecting that nothing would happen, since the traffic is encrypted in ESP. I'm not sure why this is happening.

Thanks.

[Image: Screenshot 2023-12-01 215813.png (network diagram)]

Accepted Solution
Any ACL ends with deny any any.

So your ACL denies ESP traffic between the two sites.

You need to add permit ip any any, or permit udp 50 or permit udp 4500 (for IPsec over NAT).

MHM
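As an added illustration (not part of the thread or of Cisco's own tooling), the following Python models how a Cisco ACL is evaluated: wildcard-mask matching, first match wins, and the implicit deny at the end. It runs the poster's two ACEs against constructed packets and then a constructed fix that permits only the tunnel itself (ESP is IP protocol 50, IKE uses UDP 500, NAT-T uses UDP 4500), showing that the tunnel passes while cleartext traffic between the sites and everything else stays blocked. The tunnel endpoint addresses are assumptions using documentation ranges.

```python
import ipaddress

# IPsec control and data traffic: IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50.
IKE_PORT, NAT_T_PORT = 500, 4500
ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any" is a wildcard of all ones

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def ace_matches(ace, pkt):
    """ACE tuple: (action, protocol, (src, src_wildcard), (dst, dst_wildcard), dst_port)."""
    action, proto, (src, swc), (dst, dwc), dport = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if dport is not None and pkt.get("dport") != dport:
        return False
    return wildcard_match(pkt["src"], src, swc) and wildcard_match(pkt["dst"], dst, dwc)

def evaluate(acl, pkt):
    """First matching ACE decides; no match falls into the implicit deny any any."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

SITE_A = ("172.16.0.0", "0.0.0.255")   # from the poster's ACL
SITE_B = ("10.10.10.8", "0.0.0.3")
ORIGINAL_ACL = [("deny", "ip", SITE_A, SITE_B, None),
                ("deny", "icmp", SITE_A, SITE_B, None)]
# Constructed fix: keep the denies, but explicitly permit the tunnel traffic only.
FIXED_ACL = ORIGINAL_ACL + [("permit", "esp", ANY, ANY, None),
                            ("permit", "udp", ANY, ANY, IKE_PORT),
                            ("permit", "udp", ANY, ANY, NAT_T_PORT)]

# Constructed packets; tunnel endpoints are hypothetical documentation addresses.
ESP_PKT = {"proto": "esp", "src": "203.0.113.1", "dst": "198.51.100.1"}
IKE_PKT = {"proto": "udp", "src": "203.0.113.1", "dst": "198.51.100.1", "dport": 500}
CLEAR_PING = {"proto": "icmp", "src": "172.16.0.5", "dst": "10.10.10.9"}
WEB = {"proto": "tcp", "src": "172.16.0.5", "dst": "192.0.2.10", "dport": 443}

def verdicts(acl):
    """Verdict per sample packet, so the two ACLs can be compared side by side."""
    return {name: evaluate(acl, p) for name, p in
            [("esp", ESP_PKT), ("ike", IKE_PKT), ("clear_ping", CLEAR_PING), ("web", WEB)]}

if __name__ == "__main__":
    print("original:", verdicts(ORIGINAL_ACL))  # every packet denied, the tunnel included
    print("fixed:   ", verdicts(FIXED_ACL))     # esp/ike permitted, cleartext and web still denied
```

Note that a blanket permit ip any any would also restore the tunnel, but the narrower permits above keep the router from forwarding anything the ACL was not meant to allow.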


3 Replies


Of course! How could I have forgotten that! This bugged me for a long time. Thank you.

Don't worry.

All face the same issue sometimes.

Have a nice weekend.

MHM
