Hello,
I understand that a crypto map allows you to match the source IPs before routing through the VPN.
Since IPSec static VTIs do not provide crypto maps, how do you restrict the type of traffic which can pass through them?
Following is my next question:
Me: 1.1.1.1 - My internal networks: 192.168.1.0/24, 192.168.2.0/24
Client: 2.2.2.2 - My client's internal network: 10.0.0.0/8
I want 192.168.1.0/24 to reach 10.0.0.0/8 through the VPN, but 192.168.2.0/24 should not be able to access 10.0.0.0/8.
How would I do that? A few examples would be good to help me understand this.
crypto keyring equinix-XX-keyring
  local-address 1.1.1.1
  pre-shared-key address 2.2.2.2 key keypassword
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp profile equinix-XX-isakmp
   keyring equinix-XX-keyring
   match identity address 2.2.2.2 255.255.255.255
   local-address 1.1.1.1
!
crypto ipsec transform-set equinix-XX-transform esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile equinix-XX-ipsec
 set transform-set equinix-XX-transform
 set pfs group2
!
interface Tunnel1
 ip address 169.254.249.38 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile equinix-XX-ipsec
 ip virtual-reassembly
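One way to do this on Cisco IOS, as an added example that is not part of the original post: a static VTI carries whatever is routed into it (its IPsec proxy identities are any/any), so the source/destination filtering that a crypto-map ACL would have done is instead applied as an interface ACL on Tunnel1, while a static route decides which destinations enter the tunnel at all. The ACL names, the `remark` text and the `log` keyword are my choices, and 10.0.0.0/8, 192.168.1.0/24 and 192.168.2.0/24 are the networks from the question.

```cisco
! Added example (not from the original post): filter a static VTI with interface ACLs
! Outbound: only 192.168.1.0/24 may send to the client's 10.0.0.0/8.
! The explicit deny for 192.168.2.0/24 is logged so blocked attempts are visible;
! the final "deny ip any any" just makes the implicit deny explicit.
ip access-list extended VTI-TO-CLIENT-OUT
 remark Only 192.168.1.0/24 may reach the client network 10.0.0.0/8
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip any any log
!
! Inbound: the peer can send anything it likes into the VTI, so also restrict
! what is accepted from the client; only 10.0.0.0/8 -> 192.168.1.0/24 is allowed.
ip access-list extended VTI-FROM-CLIENT-IN
 remark Client may only reach 192.168.1.0/24
 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
 deny   ip any any log
!
interface Tunnel1
 ip access-group VTI-FROM-CLIENT-IN in
 ip access-group VTI-TO-CLIENT-OUT out
!
! Route the client's network into the tunnel; nothing else is steered into it.
ip route 10.0.0.0 255.0.0.0 Tunnel1
!
! Verification: hit counters on each ACL line show what is being permitted/denied.
! show ip access-lists VTI-TO-CLIENT-OUT
! show ip access-lists VTI-FROM-CLIENT-IN
! show crypto ipsec sa
```

With this in place, 192.168.2.0/24 still has a route to 10.0.0.0/8 (via Tunnel1), but its packets are dropped by the outbound ACL before encryption and the deny counter increments, which is the check to look at when testing.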