IPsec - Certificate Authenticated - Cisco to Cisco - Dynamic IP

subinthomas
Level 1

I am creating a VPN from Cisco to Cisco (HO to Branch). Authentication is by certificate. The HO router has a public static IP and the Branch is connected with a dynamic IP.

HO network is 192.168.10.0/24 and branch is 10.10.10.0/24.


When I set up the ACL (for the VPN) as a subnet

permit ip 10.10.10.0 0.0.0.15 192.168.10.0 0.0.0.255

everything works well.


But if I use host entries in the ACL

permit ip host 10.10.10.1 192.168.10.0 0.0.0.255

permit ip host 10.10.10.2 192.168.10.0 0.0.0.255

connectivity goes down after some time.


Is there any restriction that a certificate-based VPN can use an ACL as a subnet only?
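To make the difference between the two ACL variants concrete, here is an added example (not part of the original post, not Cisco code) that parses the crypto ACEs quoted in the question, converts each wildcard mask to a prefix, and counts the IPsec SA pairs the ACL implies. It assumes a classic crypto-map style tunnel, where each permit ACE is negotiated as its own proxy identity and therefore its own SA pair; it also makes the wildcard arithmetic explicit (0.0.0.15 selects a /28, i.e. 16 addresses). Non-contiguous wildcard masks are rejected rather than handled.

```python
"""Expand Cisco crypto-ACL entries and count the IPsec SA pairs they imply.

Added example (not from the original post or Cisco). Input is constructed:
the ACEs below are the ones quoted in the question.
"""
import ipaddress
from typing import List, Set, Tuple

# Constructed sample input: the two crypto ACL variants from the question.
SUBNET_ACL = [
    "permit ip 10.10.10.0 0.0.0.15 192.168.10.0 0.0.0.255",
]
HOST_ACL = [
    "permit ip host 10.10.10.1 192.168.10.0 0.0.0.255",
    "permit ip host 10.10.10.2 192.168.10.0 0.0.0.255",
]

Ace = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at tokens[i]: 'host A', 'any' or 'A WILDCARD'.
    Returns the network and the index of the next unread token."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, wildcard = tok, tokens[i + 1]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    try:
        net = ipaddress.ip_network(
            f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)
    except ValueError as exc:
        # Non-contiguous wildcards (e.g. 0.0.255.0) are legal on IOS but have
        # no prefix-length equivalent; this example does not handle them.
        raise ValueError(f"unsupported wildcard {wildcard}") from exc
    return net, i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny <proto> <src> <dst> [...]' into
    (action, proto, src_network, dst_network)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not a crypto ACE: {line!r}")
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return tokens[0], tokens[1], src, dst


def _permits(acl: List[str]) -> List[Ace]:
    return [ace for ace in map(parse_ace, acl) if ace[0] == "permit"]


def sa_pair_count(acl: List[str]) -> int:
    """Number of IPsec SA pairs the ACL implies.

    With crypto maps, each permit ACE is negotiated as its own proxy identity
    (local/remote traffic selector), so each one produces a separate SA pair
    that must be built and later rekeyed on its own."""
    return len(_permits(acl))


def local_prefixes(acl: List[str]) -> List[str]:
    """The local (source) selector of each permit ACE in CIDR form."""
    return [str(src) for _, _, src, _ in _permits(acl)]


def covered_local_addresses(acl: List[str]) -> Set[str]:
    """All local (source) addresses the permit ACEs select for encryption."""
    covered: Set[str] = set()
    for _, _, src, _ in _permits(acl):
        if src.num_addresses > 65536:
            raise ValueError(f"refusing to expand {src}; too large")
        covered.update(str(a) for a in src)
    return covered


if __name__ == "__main__":
    for name, acl in (("subnet ACL", SUBNET_ACL), ("host ACL", HOST_ACL)):
        print(f"{name}: {sa_pair_count(acl)} SA pair(s), "
              f"local selectors {local_prefixes(acl)}, "
              f"{len(covered_local_addresses(acl))} local address(es)")
```

Running it shows the subnet variant as one selector (10.10.10.0/28, 16 addresses, one SA pair) and the host variant as two /32 selectors, i.e. two SA pairs the hub must keep in step for the same spoke; that count is the first thing to compare against the `show crypto ipsec sa` output on both ends when a multi-ACE tunnel drops after a while.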


Hi,

Are you using DMVPN/FlexVPN?

Can you provide the full config for both the Hub and Spokes?


I assume you are applying this ACL inbound on the WAN interface of the Hub? Are you applying an ACL to the Spokes as well?


For testing, at the end of the ACL temporarily add "deny ip any any log", then observe the drops.

You could also run debug crypto isakmp|ikev2 (depending on which version you are running) and upload the output here.