01-12-2012 10:24 AM - edited 02-21-2020 05:49 PM
Hello,
I have a couple of routers that are members of the same GETVPN group
and share the same network on which traffic is encrypted (same WAN network).
My access list from the key server permits encryption for everything except EIGRP
and SSH.
If I ping one router (its WAN interface) from another router (also its WAN interface,
same subnet), will this ping be encrypted?
The list from the key server would say yes, but I don't know if this also applies to router-originated
traffic (from the interface on which I have the crypto map).
Thanks,
Zoran
01-14-2012 12:00 AM
Zoran,
Yes, router-originated traffic is also subject to encryption (we only put a silent deny for UDP/848).
In theory almost everything hits crypto on the way out :-)
Have you seen those packets leaking out in clear? A very easy way to see is "debug ip packet" (with ACLs); packets originated from the box will show in debugs by default.
M.
01-15-2012 03:33 PM
Marcin,
thank you very much for your answer. I've done "debug ip packet" and they are
encrypted, so everything is as you said, but I wanted to double check, especially
because I've heard from some colleagues that it should not be encrypted.
Cheers,
Zoran
01-16-2012 02:03 AM
Zoran,
Consider that we need to add an explicit deny for routing protocols (not only multicast-based, but also unicast) in the GETVPN encryption ACL - all routing protocols are considered originating from the box (the ones with a "router ...." statement on the box).
Marcin
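As an added illustration (not configuration from this thread or from Cisco documentation), here is what a key server encryption ACL looks like once Marcin's advice is applied: explicit deny entries for both multicast and unicast routing protocol traffic, the SSH exclusion from the original question, and a permit for everything else. The group name GETVPN-GROUP, the ACL name GETVPN-ENCRYPT, the profile name GDOI-PROFILE, the identity number and the 10.0.0.0/8 range are placeholders.

```cisco
! Key server side (added example; names, identity number and addresses are placeholders)
ip access-list extended GETVPN-ENCRYPT
 ! GDOI registration/rekey (UDP 848) is already silently excluded by GETVPN;
 ! it is listed here only so the exclusion is visible to whoever reads the ACL.
 deny   udp any eq 848 any eq 848
 ! Routing protocols: multicast hellos AND unicast neighbour/update traffic.
 ! All of this is router-originated on the group members, so it must be denied
 ! explicitly or it will be encrypted and the neighbours will never form.
 deny   eigrp any any
 deny   ospf any any
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 ! Management access to the WAN interfaces, as in the original ACL.
 deny   tcp any any eq 22
 deny   tcp any eq 22 any
 ! Everything else between the protected prefixes is encrypted, including ICMP
 ! between the routers' own WAN addresses (the ping from the question).
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-ENCRYPT
```

The deny entries are pushed to every group member with the policy, so a single change on the key server is enough. Order matters: the denies must precede the broad permit, otherwise the permit matches first and the routing traffic is encrypted anyway. To confirm the result on a group member, use the "debug ip packet" with an ACL approach from the answer above, watching for the routing protocol packets to leave in clear while the ping between WAN addresses is still encrypted.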