CRYPTO ipsec interesting traffic - need some understanding

Hi Friends ,

I need your help in understanding the way a crypto IPsec tunnel works. It is always said that the interesting traffic at both ends needs to be a mirror config. Now my doubt is: if I add a host entry of 10.10.10.10/32 at one end and add a network entry of 10.10.10.0/24 at the other end, will it work? If not, why? As per logic this host 10.10.10.10 has to work, am I right? Also, some time back I came across such a scenario where some of the IPs were working and others were not. After checking the config we came to know that on one side it was added as /24 and on the other it was /25.

Will the IPsec tunnel endpoints exchange their interesting traffic ACLs with each other when phase 2 is coming up? What if I add the above 10.10.10.10 entry to an already working tunnel? Will it cause any problem?

Waiting for your reply

Thanks & regards,

Kamal                


randerson (Level 1) - Accepted Solution

The simple answer to your question is yes, a /32 entity on one side of the tunnel should work if the network is defined as a /24 on both sides. It is not like a prefix list or dynamic routing protocol where the subnet masks need to match. The network statements in the Phase 2 portion of the IPsec tunnel (which defines which traffic traverses the tunnel) are defined via ACLs, so as long as the traffic meets the criteria of the ACL then it will pass over the tunnel. Having said that, your phase 2 tunnel should never have been created in your /24 and /25 example because the network statements didn't match; that is odd. Maybe your tunnels matched but you didn't exclude some of the traffic from being NATed?

As you alluded to, however, the phase 2 portions of the tunnel (aka security association) have to be mirror images. If you are using two ASAs then you can simply reverse the ACL source and destination. If you are doing ASA to, say, a NetScreen, it may be a little more complex depending on whether you are doing route-based or policy-based IPsec on that side. If you cannot get the /32 device to work for some reason you can also create another security association specific to that traffic.

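The mirror-image crypto ACLs and the NAT exemption the answer refers to, written out as an added example for two ASAs (ASA 8.3+ NAT syntax, IKEv1). This is not configuration from the original post; the interface names, the object names (LOCAL-LAN, REMOTE-LAN, VPN-TO-A, VPN-TO-B, OUTSIDE-MAP, ESP-AES256-SHA), the peer addresses 203.0.113.1 and 203.0.113.2, the LAN 192.168.1.0/24 and the pre-shared key placeholder are all assumptions chosen for the illustration. Site A carries the /24 entry; Site B carries both the /24 entry and a separate host entry for 10.10.10.10, which Site A mirrors with a host ACE of its own, placed before the /24 ACE so that the more specific selector is matched first.

```cisco
! ---- Site A (ASA, outside 203.0.113.1, inside 192.168.1.0/24) ----
! Assumed names and addresses; not from the original post.
object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.10.10.0 255.255.255.0
! Crypto ACL: source = local networks, destination = remote networks.
! The host ACE is inserted as line 1 so it is evaluated before the /24.
access-list VPN-TO-B extended permit ip object LOCAL-LAN object REMOTE-LAN
access-list VPN-TO-B line 1 extended permit ip object LOCAL-LAN host 10.10.10.10
! NAT exemption (identity NAT) so VPN traffic is not translated before it
! is compared against the crypto ACL. This covers the /32 as well, since
! 10.10.10.10 lies inside REMOTE-LAN.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>

! ---- Site B (ASA, outside 203.0.113.2, inside 10.10.10.0/24) ----
! Exact mirror of Site A: every ACE has source and destination swapped.
object network LOCAL-LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.1.0 255.255.255.0
access-list VPN-TO-A extended permit ip object LOCAL-LAN object REMOTE-LAN
access-list VPN-TO-A line 1 extended permit ip host 10.10.10.10 object REMOTE-LAN
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
```

To check that the two sides really are mirror images once traffic has been sent, run `show crypto ipsec sa` on each ASA and compare the `local ident` and `remote ident` lines of every SA: the pair shown on Site A must appear on Site B with local and remote swapped, and a flow that reaches the outside interface without any matching SA is usually the sign of a selector present on one side only, or of traffic that was NATed before the crypto ACL was consulted.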