sysopt connection permit-ipsec.

Hi all,

I know that command in the subject doesn't affect packet encryption but has only local effects. Could you confirm, please?

Alex.

AM

In article , AM wrote:
:I know that command in the subject doesn't affect packet encryption but has only local effects. Could you confirm, please?

?? I am not sure what you are trying to say, but it -looks- to me that you are not correct.

permit-ipsec determines whether packets are processed by interface ACLs -- processed by the interior ACL -before- encapsulation (and NAT) for outgoing packets, and processed by the exterior ACL (-after- decapsulation but before NAT) for incoming packets.

When permit-ipsec is active, outgoing traffic is first specially matched against the crypto ACLs, and if a match occurs then the normal interior interface ACL is skipped. When permit-ipsec is off, then this special step is not done and outgoing packets are treated normally.

When permit-ipsec is active, incoming packets are decapsulated and then immediately permitted through, skipping the exterior ACL check that would otherwise normally take place after decapsulation.

Now, for incoming packets, it is "already too late" -- the other end has already managed to get the packet to us, and if the packet is rejected by the exterior interface ACL (with permit-ipsec turned off) then that doesn't have any effect on packet encryption.

For outgoing packets, if permit-ipsec is off and a packet fails the interior ACL then it is never handed over to the encryption engine, so that *does* affect packet encryption. It doesn't change what the other end is allowed to try to send towards us, and doesn't change what the Security Associations are, but it -does- change which packets make it as far as encryption. When permit-ipsec is on, any packet that matches a Security Association will be encrypted and transmitted; with it off, a packet that matches a Security Association will be blocked if it does not pass the ACL.

Walter Roberson
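The two processing paths Walter describes, as an added Python model (not Cisco code and not from the thread): a first-match ACL evaluator plus the outbound and inbound decisions with permit-ipsec on and off. The ACLs, hosts and the telnet test packets are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int = 0

def acl_match(acl, pkt):
    """First-match evaluation with the PIX's implicit deny at the end.
    Entries are (action, src_net, dst_net, proto, dport); proto "ip" and
    dport None are wildcards."""
    for action, src, dst, proto, dport in acl:
        if (ip_address(pkt.src) in ip_network(src, strict=False)
                and ip_address(pkt.dst) in ip_network(dst, strict=False)
                and proto in ("ip", pkt.proto)
                and (dport is None or dport == pkt.dport)):
            return action == "permit"
    return False

def outbound(pkt, interior_acl, crypto_acl, permit_ipsec):
    """Inside interface towards the crypto engine: 'encrypted', 'clear' or 'dropped'."""
    interesting = acl_match(crypto_acl, pkt)  # packet matches a Security Association
    if permit_ipsec and interesting:
        return "encrypted"  # interior interface ACL skipped entirely
    if not acl_match(interior_acl, pkt):
        return "dropped"  # never handed to the encryption engine
    return "encrypted" if interesting else "clear"

def inbound(pkt, exterior_acl, permit_ipsec, via_ipsec):
    """Outside interface, after decapsulation when via_ipsec: 'permitted' or 'dropped'."""
    if via_ipsec and permit_ipsec:
        return "permitted"  # exterior ACL check skipped after decapsulation
    return "permitted" if acl_match(exterior_acl, pkt) else "dropped"

# Constructed sample policy: the interface ACLs allow only HTTPS, while the crypto
# ACL protects all IP traffic between 10.1.0.0/16 and the peer's 192.168.2.0/24.
INTERIOR_ACL = [("permit", "10.1.0.0/16", "0.0.0.0/0", "tcp", 443)]
EXTERIOR_ACL = [("permit", "192.168.2.0/24", "10.1.0.0/16", "tcp", 443)]
CRYPTO_ACL = [("permit", "10.1.0.0/16", "192.168.2.0/24", "ip", None)]
TELNET_TO_PEER = Packet("10.1.1.5", "192.168.2.10", "tcp", 23)
TELNET_FROM_PEER = Packet("192.168.2.10", "10.1.1.5", "tcp", 23)
```

With permit-ipsec on, the telnet packet to the peer is encrypted although the interior ACL would deny it; with it off, the same packet is dropped before it ever reaches the crypto engine, which is the point Walter makes about encryption being affected.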
