Hi,
I am a little confused.
As far as I know, when you do a router-to-router VPN you have to apply an access-list to the terminating interface to allow the traffic from the remote side in:
192.168.1.0 - e0-Router 1-e1 - Internet - e1-Router 2-e0 - 192.168.2.0

So for the VPN to work you have to permit traffic from 192.168.2.0 in on Router 1's e1 interface, because after the packets are decrypted the access-list is checked. This gives you some more security when you only want to permit traffic to specific ports from the remote side.
Recently I installed a VPN with a Cisco 836 and IOS 12.3(11)YK1 and noticed that the behavior has changed. I did not allow any traffic besides ISAKMP, IPsec and ICMP on the outside interface, and all traffic from the remote network was able to pass to my network over the VPN connection.
Did they remove the additional check after decrypting the packet?
Jens
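As an added illustration of the setup described in the post (this is a constructed example, not Jens's own configuration), here is the Router 1 side of a site-to-site IPsec tunnel with the inbound access-list on the outside interface written the way the post describes for the older behavior: only IKE, ESP and ICMP from the peer, plus the specific remote-side traffic that should be allowed after decryption. Public addresses (198.51.100.1, 203.0.113.2), the interface names, the ACL and crypto map names, the pre-shared key placeholder and the choice of TCP/443 as the "specific port" are all assumptions made for the example.

```cisco
! --- Phase 1 (IKE) ---
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Pre-shared key for the remote peer (Router 2's outside address, assumed)
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
!
! --- Phase 2 (IPsec) ---
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Crypto ACL: which traffic is protected by the tunnel (LAN-to-LAN)
ip access-list extended CRYPTO-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address CRYPTO-ACL
!
! Inbound ACL on the outside interface (e1 in the post's topology)
ip access-list extended OUTSIDE-IN
 remark IKE negotiation and ESP from the VPN peer only
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 remark ICMP kept for troubleshooting
 permit icmp any any
 remark Decrypted traffic from the remote LAN: on IOS releases that
 remark re-check the interface ACL after decryption, only this line
 remark lets remote hosts reach the local LAN, and only on TCP/443
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 443
 remark Explicit deny with logging so unexpected hits are visible
 deny ip any any log
!
interface Ethernet1
 description Outside / Internet
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPNMAP
!
interface Ethernet0
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
```

A practical check for the behavior the post asks about: generate traffic from 192.168.2.0/24 to a local host on a port other than 443 and look at `show access-lists OUTSIDE-IN`. On a release that still filters decrypted packets against the interface ACL, the `deny ip any any log` counter increments and a log message appears; on a release where it does not, the counters on the remote-LAN lines stay at zero while the traffic still gets through, which matches what Jens observed on 12.3(11)YK1. If the interface ACL is not being applied to decrypted traffic, the crypto ACL (CRYPTO-ACL above) is the only filter still in the path, so it should be written as narrowly as the required traffic allows rather than as a blanket `permit ip` between the two LANs.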