cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
170
Views
0
Helpful
1
Replies
Highlighted
Beginner

Trouble with ACL for ipsec

Hi, hope I'm asking in the right place. In packet tracer I'm trying to demonstrate an ipsec vpn tunnel. I'm having trouble with the ACL that is used with the crypto map match statement. Suppose I have 2 routers, connected via 11.0.0.0/30 network. Each router has a local network (192.168.0.0/24, 192.168.1.0/24)

With my current configs, I cannot ping from one local network to the other. If I change both "VPNOK" acls to permit ip any any, then it will work. Could someone tell me what is wrong with the ACL? would it be more secure to specify each local network in the acl, rather than 'any any'? 

 

thank you


RA:

hostname RA
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool Local
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key mykey address 11.0.0.2
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set mytransformset esp-aes esp-sha-hmac
!
crypto map mymap 100 ipsec-isakmp 
 set peer 11.0.0.2
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set mytransformset 
 match address VPNOK
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 11.0.0.1 255.255.255.252
 crypto map mymap
!
ip route 192.168.0.0 255.255.255.0 11.0.0.2 
!
ip access-list extended VPNOK
 permit ip 192.168.0.0 0.0.0.255 any

RB:

hostname RB
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool Local
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key mykey address 11.0.0.1
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set mytransformset esp-aes esp-sha-hmac
!
crypto map mymap 100 ipsec-isakmp 
 set peer 11.0.0.1
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set mytransformset 
 match address VPNOK
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 11.0.0.2 255.255.255.252
 crypto map mymap
!
ip route 192.168.0.0 255.255.255.0 11.0.0.1 
!
ip access-list extended VPNOK
 permit ip 192.168.1.0 0.0.0.255 any

 

1 REPLY 1
Highlighted
Advisor

Hi,The rule is that  crypto

Hi,

The rule is that  crypto ACLs aka Proxy-ids should be mirrored on each side so you have to put  192.168.1.0 to 192.168.2.0 on one side and 192.168.2.0 to 192.168.1.0 on the other side or any to any on both sides like you did.But best practice is to specify the specific subnets.

 

Regards,

 

Alain

Don't forget to rate helpful posts.