IPsec ACLs

From: leigh.bichard@btinternet.com
Date: Wed Nov 13 2002 - 05:42:10 GMT-3


I am trying to restrict in and out traffic on a public facing VPN interface. I am sure that I should only need to match ESP in the config below, but GRE and ISAKMP are getting matched as well. What concerns me is that some traffic may not be getting encrypted. See the partial config below.

crypto isakmp policy 1
 authentication pre-share
 lifetime 3600
crypto isakmp key 123456 address x.x.x.x
!
!
crypto ipsec transform-set vpn esp-des esp-md5-hmac
!
crypto map vpn_tunnel 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set vpn
 match address hostx
!
interface Tunnel1
 description --- Encrypted Tunnel ---
 ip unnumbered Loopback0
 tunnel source y.y.y.y
 tunnel destination x.x.x.x
 crypto map vpn_tunnel
!
interface FastEthernet0/0
 description --- External interface ---
 ip address y.y.y.y
 ip access-group 142 in
 ip access-group 143 out
 crypto map vpn_tunnel
!
ip access-list extended hostx
 permit gre host y.y.y.y host x.x.x.x
!
access-list 142 permit gre host x.x.x.x host y.y.y.y
access-list 142 permit esp host x.x.x.x host y.y.y.y
access-list 142 permit udp host x.x.x.x host y.y.y.y eq isakmp
!
access-list 143 permit gre host y.y.y.y host x.x.x.x
access-list 143 permit esp host y.y.y.y host x.x.x.x
access-list 143 permit udp host y.y.y.y host x.x.x.x eq isakmp

Regards

Leigh



This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:22:58 GMT-3