Trouble with ACL for ipsec

crazyman143
Level 1

Hi, hope I'm asking in the right place. In Packet Tracer I'm trying to demonstrate an IPsec VPN tunnel. I'm having trouble with the ACL that is used with the crypto map match statement. Suppose I have 2 routers, connected via the 11.0.0.0/30 network. Each router has a local network (192.168.0.0/24, 192.168.1.0/24).

With my current configs, I cannot ping from one local network to the other. If I change both "VPNOK" ACLs to permit ip any any, then it will work. Could someone tell me what is wrong with the ACL? Would it be more secure to specify each local network in the ACL, rather than 'any any'?

thank you


RA:

hostname RA
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool Local
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key mykey address 11.0.0.2
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set mytransformset esp-aes esp-sha-hmac
!
crypto map mymap 100 ipsec-isakmp 
 set peer 11.0.0.2
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set mytransformset 
 match address VPNOK
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 11.0.0.1 255.255.255.252
 crypto map mymap
!
! RA needs a route to RB's LAN. The line as posted pointed at RA's own
! connected 192.168.0.0/24 and would never be used; 192.168.1.0/24 is meant.
ip route 192.168.1.0 255.255.255.0 11.0.0.2
!
ip access-list extended VPNOK
 permit ip 192.168.0.0 0.0.0.255 any

RB:

hostname RB
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool Local
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key mykey address 11.0.0.1
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set mytransformset esp-aes esp-sha-hmac
!
crypto map mymap 100 ipsec-isakmp 
 set peer 11.0.0.1
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set mytransformset 
 match address VPNOK
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 11.0.0.2 255.255.255.252
 crypto map mymap
!
ip route 192.168.0.0 255.255.255.0 11.0.0.1 
!
ip access-list extended VPNOK
 permit ip 192.168.1.0 0.0.0.255 any
1 Reply

cadet alain
VIP Alumni

Hi,

The rule is that crypto ACLs, aka proxy IDs, should be mirrored on each side, so you have to put 192.168.1.0 to 192.168.2.0 on one side and 192.168.2.0 to 192.168.1.0 on the other side, or any to any on both sides like you did. But best practice is to specify the specific subnets.

Regards,


Alain

Don't forget to rate helpful posts.
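As an added example (not part of this thread, and not a Cisco tool), here is a small Python checker that applies the mirroring rule from the reply to the two VPNOK ACLs posted in the question. It parses IOS-style permit entries (any / host A.B.C.D / A.B.C.D wildcard), flags every entry whose source/destination swap is missing on the peer, and separately flags 'any' entries, which mirror trivially but offer every packet leaving the interface to the crypto engine. The corrected, LAN-to-LAN ACL pair embedded as the second sample is my suggested fix for this topology, not configuration taken from the thread.

```python
"""Mirror-check two Cisco crypto ACLs (the 'match address' ACLs, i.e. proxy IDs).

Added example, not from the original thread. Entry (proto, S, D) on one
side is mirrored when (proto, D, S) exists on the other; a mismatch means
the two peers propose different proxy IDs and Phase 2 never comes up.
"""
import ipaddress


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (IPv4Network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcards are inverted masks: 0.0.0.255 -> 255.255.255.0
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network((tok, str(netmask))), i + 2


def parse_acl(text):
    """Return the set of (proto, src, dst) permit entries in an ACL body.

    The 'ip access-list ...' header and any 'deny' lines are skipped:
    only permit entries define traffic that is offered to the tunnel.
    """
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit":
            continue
        proto = tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.add((proto, src, dst))
    return entries


def _fmt(entry):
    proto, src, dst = entry
    return f"permit {proto} {src} -> {dst}"


def _swap(entry):
    proto, src, dst = entry
    return (proto, dst, src)


def mirror_check(acl_a, acl_b):
    """Return (unmatched_a, unmatched_b): entries lacking a mirrored twin.

    Both lists empty means the proxy IDs agree on the two peers.
    """
    a, b = parse_acl(acl_a), parse_acl(acl_b)
    unmatched_a = sorted(_fmt(e) for e in a if _swap(e) not in b)
    unmatched_b = sorted(_fmt(e) for e in b if _swap(e) not in a)
    return unmatched_a, unmatched_b


def overly_broad(acl_text):
    """Entries with 'any' as source or destination.

    These mirror fine against a peer that also uses 'any', but they send
    every packet leaving the interface into the crypto engine instead of
    just LAN-to-LAN traffic.
    """
    anynet = ipaddress.ip_network("0.0.0.0/0")
    return sorted(_fmt(e) for e in parse_acl(acl_text) if anynet in (e[1], e[2]))


# Constructed sample input: the two ACLs exactly as posted in the question.
RA_POSTED = """ip access-list extended VPNOK
 permit ip 192.168.0.0 0.0.0.255 any"""
RB_POSTED = """ip access-list extended VPNOK
 permit ip 192.168.1.0 0.0.0.255 any"""

# Constructed sample input: suggested fix, each side names its own LAN as
# source and the remote LAN as destination, so the two entries mirror.
RA_MIRRORED = """ip access-list extended VPNOK
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255"""
RB_MIRRORED = """ip access-list extended VPNOK
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255"""


if __name__ == "__main__":
    for label, ra, rb in (("posted", RA_POSTED, RB_POSTED),
                          ("mirrored", RA_MIRRORED, RB_MIRRORED)):
        bad_a, bad_b = mirror_check(ra, rb)
        print(f"{label}: RA unmatched={bad_a} RB unmatched={bad_b}")
        print(f"{label}: broad entries on RA={overly_broad(ra)}")
```

Run against the posted pair, RA's "192.168.0.0/24 -> any" has no twin "any -> 192.168.0.0/24" on RB, and vice versa, which is exactly why the tunnel only negotiated once both sides were widened to any/any; the mirrored pair passes with nothing flagged as broad.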