Crypto ACL

All,

In a crypto ACL ordinarily I would use something akin to:

permit ip source_ip + mask destination_ip + mask

My googling suggests that this is always the way a crypto ACL would be built; however, surely one could use TCP and port numbers to be more specific.

Previous posts suggest not, but I cannot find a good explanation as to why.

Regards

Darren

darrenfgreen

On 9 May 2007 12:36:40 -0700, snipped-for-privacy@tiscali.co.uk wrote for the entire planet to see:

Because the crypto ACLs are used by the crypto code to determine what tunnels are in use. If you could select on other attributes besides IP range, you could potentially attempt to have different traffic accepted into different tunnels, even though the destination IP address might be the same, which would cause some problems at the routing layer. I really think those ACLs are just used when the SA is being established, not on a per-packet basis.

You can, I believe, filter traffic to/from a VPN or tunnel using additional access lists applied to an interface.

- Eric

Eric

You may specify protocol / ports, but you have to take care to use the mirrored ACL at the other side too. However, you should consider that if some traffic between the two hosts does not match the ACL, it will go through (if not denied in another ACL) unencrypted. E.g. you permit only UDP port xxx. If the destination host doesn't listen on this port, it will generate an ICMP unreachable which will not be encrypted, and it might contain a portion of the original packet.

It's up to you to decide whether you prefer these packets to go out unencrypted or reach the other end and be handled by the hosts or intermediate access-group (not crypto) ACLs. Also, each permit statement in an ACL represents a different SA, I think. I've seen a few times one SA of the same VPN get stuck while another works properly. I think it will be a difficult issue to debug.

I would suggest "permit ip" ACLs for the crypto and filter at another layer (which can be "stateful" also).

Regards, John

John
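The classification that Eric and John describe above, as an added example that is not part of the thread and not device code: a small Python model of how a crypto ACL selects traffic into an SA, how the peer's mirrored ACL sees the return traffic, and why a port-specific entry leaves the ICMP unreachable (and any other non-matching traffic) in the clear while a "permit ip" entry plus a separate filtering ACL does not. The 10.1.0.0/16 and 10.2.0.0/16 networks, the hosts, port 5000, the "entry n selects SA n" rule and the filter-then-encrypt order are constructed assumptions for the model; real IOS may differ in such details.

```python
"""Model of crypto-ACL (IPsec traffic-selector) matching.

Constructed example: not device code and not from the thread. It models
only the classification logic under discussion; real IOS behaviour may
differ in details such as ACL evaluation order.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports (icmp)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One 'permit' entry: permit <proto> <src_net> [eq sport] <dst_net> [eq dport]."""
    proto: str                   # "ip" matches every protocol
    src_net: str
    dst_net: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net))

    def mirrored(self) -> "Ace":
        """The entry the peer must configure: source and destination (and ports) swapped."""
        return Ace(self.proto, self.dst_net, self.src_net, self.dport, self.sport)


def mirror(acl: List[Ace]) -> List[Ace]:
    """The crypto ACL the other side needs for the same tunnel."""
    return [ace.mirrored() for ace in acl]


def classify(crypto_acl: List[Ace], pkt: Packet) -> str:
    """Return the SA the packet would use, or 'cleartext' if no entry matches.

    Model assumption (following John's observation): entry n selects SA n.
    """
    for n, ace in enumerate(crypto_acl, start=1):
        if ace.matches(pkt):
            return f"SA-{n}"
    return "cleartext"


def forward(crypto_acl: List[Ace], filter_acl: List[Ace], pkt: Packet) -> str:
    """John's recommendation as a model: a separate (non-crypto) ACL decides
    whether the packet is forwarded at all, the crypto ACL only whether it
    is encrypted. Returns 'dropped', 'cleartext' or the SA name."""
    if not any(ace.matches(pkt) for ace in filter_acl):
        return "dropped"
    return classify(crypto_acl, pkt)


# --- constructed sample data (assumed addresses and ports) -------------------
NARROW_ACL = [Ace("udp", "10.1.0.0/16", "10.2.0.0/16", dport=5000)]   # "udp port xxx" only
BROAD_ACL = [Ace("ip", "10.1.0.0/16", "10.2.0.0/16")]                  # "permit ip"
FILTER_ACL = [Ace("udp", "10.1.0.0/16", "10.2.0.0/16", dport=5000),    # applied as access-group
              Ace("udp", "10.2.0.0/16", "10.1.0.0/16", sport=5000)]

P_APP = Packet("udp", "10.1.1.5", "10.2.1.9", sport=40000, dport=5000)   # the intended traffic
P_SSH = Packet("tcp", "10.1.1.5", "10.2.1.9", sport=40001, dport=22)     # other traffic between the hosts
P_REPLY = Packet("udp", "10.2.1.9", "10.1.1.5", sport=5000, dport=40000) # return traffic, seen by the peer
P_UNREACH = Packet("icmp", "10.2.1.9", "10.1.1.5")                       # port unreachable, seen by the peer


if __name__ == "__main__":
    print("local side, narrow ACL:  app", classify(NARROW_ACL, P_APP), " ssh", classify(NARROW_ACL, P_SSH))
    print("peer side,  narrow ACL:  reply", classify(mirror(NARROW_ACL), P_REPLY),
          " icmp-unreachable", classify(mirror(NARROW_ACL), P_UNREACH))
    print("peer side,  permit ip:   icmp-unreachable", classify(mirror(BROAD_ACL), P_UNREACH))
    print("permit ip + filter ACL:  app", forward(BROAD_ACL, FILTER_ACL, P_APP),
          " ssh", forward(BROAD_ACL, FILTER_ACL, P_SSH))
```

Run as a script it prints the verdicts per packet: under the narrow ACL the application flow and its reply are encrypted but both the SSH attempt and the peer host's ICMP unreachable travel in the clear; under "permit ip" the unreachable is inside the tunnel, and the unwanted SSH traffic is stopped by the filter ACL rather than by the crypto ACL.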

Port settings in a Crypto ACL will be ignored.

HTH Martin

Martin Bilgrav
