12-03-2012 01:15 PM
Hello,
I'm trying to find the reasons for the strange (for me) Easy VPN behaviour. I added split tunneling into the server configuration and my first ACL looks like:
access-list 102 permit ip 20.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
When I pinged (from source 10.10.10.X) to 20.0.0.20 I saw increasing numbers of encr and decr packets:
#pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38
#pkts decaps: 46, #pkts decrypt: 46, #pkts verify: 46
When I changed my ACL:
access-list 102 permit tcp 20.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 eq telnet
I expected only telnet would be pushed into the tunnel, but I found that ping also increased the numbers of encr&decr packets.
Do you know why? Is it just a limitation and I can't split it into different protocols? I'm confused because the client is aware of the ACL (protocol tcp and telnet port):
r4#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : VPN
Inside interface list: Ethernet1/0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 20.0.0.5
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
Address : 20.0.0.0
Mask : 255.255.255.0
Protocol : 0x6
Source Port: 0
Dest Port : 23
Current EzVPN Peer: 10.0.0.1
regards
Hubert
12-04-2012 01:15 AM
Hubert,
Check what was actually added to your SA DB.
"show crypto ipsec sa | i caps|ident" will give you a nice overview.
M.
12-04-2012 03:00 AM
Hi,
I can't believe what I found:
1) client VPN mode: client
the ACL ignores destination and protocols, even if the ACL looks like below:
access-list 102 permit tcp 20.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 eq telnet
the command "show crypto ipsec sa | i caps|ident" shows you protocol and port = 0
"
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
"
2) client VPN mode: network-extension
ACL 102 is the same:
access-list 102 permit tcp 20.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 eq telnet
but the output is totally different:
"
local ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/6/23)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/6/0)
"
and in this mode the feature behaves as I expected (only telnet, not ping, is pushed into the tunnel), but to be honest I'm not really sure why; the different behaviour in the two modes isn't documented (or I can't find it).
Thanks
Hubert
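The check M. suggested, "show crypto ipsec sa | i caps|ident", is the reliable way to see what the split-tunnel ACL actually became on the wire: the local/remote ident lines are the negotiated proxy identities, and a prot/port of 0/0 means any IP traffic in the address range is encrypted regardless of what the ACL said. The following Python script is an added example (not code from the thread or from Cisco) that parses that filtered output and reports, per SA, whether the protocol/port restriction survived negotiation. The two sample outputs are constructed from the excerpts Hubert posted for client mode and network-extension mode; the packet counters in them are made up, and the function names are this example's own.

```python
import re

# Constructed sample input, built from the two "show crypto ipsec sa | i caps|ident"
# excerpts quoted in the thread (the #pkts counters are made-up values).
CLIENT_MODE_OUTPUT = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
    #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38
    #pkts decaps: 46, #pkts decrypt: 46, #pkts verify: 46
"""

NEM_MODE_OUTPUT = """\
   local  ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/6/23)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/6/0)
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
"""

# One ident line: "<local|remote> ident (addr/mask/prot/port): (a/m/p/port)".
IDENT_RE = re.compile(
    r"(?P<side>local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<prot>\d+)/(?P<port>\d+)\)"
)
# Only the encaps/decaps counters are kept; they show whether the SA carries traffic.
PKTS_RE = re.compile(r"#pkts (?P<name>encaps|decaps): (?P<n>\d+)")


def parse_sas(output):
    """Split the filtered output into SAs. Each SA starts at a 'local ident' line
    and collects its remote ident plus the encaps/decaps counters that follow."""
    sas, current = [], None
    for line in output.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group("side") == "local":
                current = {}
                sas.append(current)
            if current is None:
                raise ValueError("remote ident without a preceding local ident")
            current[m.group("side")] = {
                "addr": m.group("addr"),
                "mask": m.group("mask"),
                "prot": int(m.group("prot")),
                "port": int(m.group("port")),
            }
            continue
        for p in PKTS_RE.finditer(line):
            if current is not None:
                current[p.group("name")] = int(p.group("n"))
    return sas


def sa_scope(sa):
    """'any-protocol' when neither proxy identity names a protocol (prot 0), so
    every IP packet in the address range is encrypted; otherwise 'restricted'."""
    if all(sa[side]["prot"] == 0 for side in ("local", "remote")):
        return "any-protocol"
    return "restricted"


def audit(output, expected_prot, expected_port):
    """Compare each negotiated SA with the protocol/port the split-tunnel ACL was
    meant to enforce (6/23 for 'permit tcp ... eq telnet'). One finding per SA."""
    findings = []
    for sa in parse_sas(output):
        prots = sorted({sa["local"]["prot"], sa["remote"]["prot"]})
        ports = sorted({sa["local"]["port"], sa["remote"]["port"]})
        if sa_scope(sa) == "any-protocol":
            findings.append("ACL protocol/port not reflected in SA (prot/port 0/0)")
        elif prots == [expected_prot] and expected_port in ports:
            findings.append(
                "SA restricted to prot %d port %d as intended" % (expected_prot, expected_port)
            )
        else:
            findings.append(
                "SA restricted, but not to prot %d port %d: prots=%s ports=%s"
                % (expected_prot, expected_port, prots, ports)
            )
    return findings


if __name__ == "__main__":
    for label, text in (("client mode", CLIENT_MODE_OUTPUT), ("network-extension", NEM_MODE_OUTPUT)):
        for finding in audit(text, 6, 23):
            print("%s: %s" % (label, finding))
```

Run it against a copy of the real output (paste it into a file and pass the file's contents to audit) after pushing a new split-tunnel ACL; if every SA comes back as "any-protocol" while the ACL names a protocol and port, the ACL's restriction is not being enforced by the tunnel, which is exactly the client-mode result in this thread.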