02-08-2011 03:15 AM
I’ve been playing with IOS 15 site-to-site VPN configurations and found a couple of issues; can someone confirm my thinking is correct?
If I configure object-groups (router IOS, not ASA/FWSM/PIX), can I match VPN traffic with them? When I look at the IPsec SA, the SRC and DST are 0.0.0.0/0.
However, if I use object-groups in a NAT ACL it works fine. Here are some examples...
VPN
object-group network SITEA
 192.168.1.0 255.255.255.0
!
object-group network SITEB
 192.168.2.0 255.255.255.0
!
ip access-list extended SITEA-SITEB-VPN-ACL
 permit ip object-group SITEA object-group SITEB
!
crypto map VPNMAP ipsec-isakmp
 match address SITEA-SITEB-VPN-ACL
~Removed unneeded config
With this config I see the following:
ROUTER#sh cry ipsec sa
interface: Dialer1
Crypto map tag: VPNMAP, local addr X.X.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 22, #recv errors 0
Clearly this stops all traffic from passing as it tries to encrypt everything!
However this works...
NAT
object-group network SITEA
 192.168.1.0 255.255.255.0
!
object-group network RFC1918
 192.168.0.0 255.255.0.0
 172.16.0.0 255.240.0.0
 10.0.0.0 255.0.0.0
!
ip access-list extended NAT-ACL
 deny ip object-group SITEA object-group RFC1918
 permit ip object-group SITEA any
!
ip nat inside source list NAT-ACL interface XXXX overload
!
I love object-groups as they really simplify configurations, but am I right in thinking they can't be used with crypto map ACLs?
Any help would be greatly appreciated.
Grev
02-08-2011 05:40 AM
12-10-2012 12:49 AM
Does anyone know whether there are any plans to implement this feature? Maybe some new release has it? I didn't find it in CFN.
03-16-2015 01:18 PM
Do not use object-groups in IPsec permit statements. You will notice immediately after applying object-groups to your IPsec ACL that you will no longer be able to access the outside interface using SSH or other means. Also, the tunnel will become unstable or have moments of instability. I recommend using conventional IP-address-to-IP-address standard or extended ACLs.
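The workaround recommended above (plain address-to-address ACEs instead of object-groups in the crypto map ACL) can be generated mechanically rather than typed by hand. The following Python is an added example, not code from this thread or from Cisco: it reads a constructed config modelled on the thread's SITEA/SITEB groups, and expands every object-group ACE of the named ACL into the network/wildcard cross product that a crypto map `match address` ACL actually needs (so the IPsec proxy identities become the real subnets instead of 0.0.0.0/0).

```python
import ipaddress
import re
# Constructed sample, not the poster's full config: the thread's two object-groups
# (plus one host entry) and the ACL the crypto map's 'match address' points at.
SAMPLE_CONFIG = """\
object-group network SITEA
 192.168.1.0 255.255.255.0
!
object-group network SITEB
 192.168.2.0 255.255.255.0
 host 192.168.3.10
ip access-list extended SITEA-SITEB-VPN-ACL
 permit ip object-group SITEA object-group SITEB
"""
ACE_RE = re.compile(r"(permit|deny) ip object-group (\S+) object-group (\S+)$")

def parse_object_groups(config):
    # Map each 'object-group network' name to its ip_network entries; any
    # non-indented line ('!', the next stanza) closes the current group.
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)\s*$", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif line.startswith(" ") and current is not None:
            addr, mask = line.split()[:2]
            if addr == "host":                      # 'host A.B.C.D' is a /32
                addr, mask = mask, "255.255.255.255"
            groups[current].append(ipaddress.ip_network(f"{addr}/{mask}"))
        else:
            current = None
    return groups

def to_ace_operand(net):  # IOS ACE syntax: 'host A.B.C.D' for a /32, else 'net wildcard'
    return (f"host {net.network_address}" if net.prefixlen == 32
            else f"{net.network_address} {net.hostmask}")

def expand_crypto_acl(config, acl_name):
    # Rebuild acl_name with each object-group ACE replaced by one plain ACE per
    # source/destination pair (cross product); ACEs that use no group pass through.
    groups = parse_object_groups(config)
    out, in_acl = [f"ip access-list extended {acl_name}"], False
    for raw in config.splitlines():
        if raw.startswith("ip access-list extended "):
            in_acl = raw.split()[-1] == acl_name
        elif not raw.startswith(" "):
            in_acl = False                          # '!' or another stanza
        elif in_acl and (m := ACE_RE.match(raw.strip())):
            action, src, dst = m.groups()
            out += [f" {action} ip {to_ace_operand(s)} {to_ace_operand(d)}"
                    for s in groups[src] for d in groups[dst]]
        elif in_acl:
            out.append(f" {raw.strip()}")
    return "\n".join(out)
```

Feed it the relevant part of `show running-config` and paste the result in place of the object-group ACL; `show crypto ipsec sa` should then report the subnets as local/remote idents rather than 0.0.0.0/0.0.0.0.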
05-03-2014 09:54 PM
This is being tracked by the enhancement request CSCsq33560.