IEOC - INE's Online Community

Latest post 12-01-2016 7:53 AM by curiousone. 0 replies.
  • 12-01-2016 7:53 AM

    How crypto ACL are matched?

    Well, I'm sorry for this simple question, but I can't get any answer. The following text concerns IOS-based devices only; I'm not sure about ASA, PIX, etc.

    For example, we have 2 endpoints and a simple site-to-site crypto-map-based IPSEC VPN tunnel. And if the ACLs do not mirror/reflect each other on these endpoints, no SPI is generated and no traffic is passed. Even if the subnet mask doesn't match (/8 instead of /24 for simplicity, or /20 instead of /24 for summarization and less-effort configuration - 1 ACE instead of 4 ACEs) - we get trouble and no traffic is passed. I do not even mention the case when we are precise in our ACL with protos and dst_ports and the other side has just a 'permit ip' ACL entry. This traffic pattern has no chance to be passed through the tunnel. I've searched hard, but never found the actual REQUIREMENT these 'crypto ACLs' have to match. Can anyone explain the nature of this, please? I made a couple of debugs and my guess is the following - somehow the endpoints negotiate local and remote ident (ident is a term derived from 'sh crypto ipsec sa') and check them for a match. But how is this implemented? Can anyone explain?

    And one more question - I guess this 'mirror reflection check' is not implemented when the IPSEC VPN is deployed using tunnel interfaces and tunnel protection. Right?


    Before this day, I thought that the magic happens like this:

    siteA: permit ip host host

    siteB: permit ip host

    If siteB's host tries to send some traffic to it will be placed on the tunnel, but when siteA decrypts the packet, the packet will be discarded. But this is wrong. No SPI would be generated in this case and no traffic is passed. Actually, my world is ruined 8)

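The mirror check the post is asking about, as an added example (not from the original post, INE or Cisco): each IOS ACE is reduced to the proxy identity (protocol, source net/port, destination net/port) that the IKE quick-mode proposal carries, and the peer's crypto ACL is searched for the exact swapped identity. It assumes the default IOS behaviour of an exact identity match and only handles `permit` entries with `any`, `host`, wildcard-mask networks and an optional `eq` port; the sample ACLs are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

class Ident(NamedTuple):
    """Proxy identity carried in IKE quick mode: proto, source net/port, dest net/port."""
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

def _net(tokens: list) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # An IOS wildcard is a host mask, which ipaddress accepts after the slash
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)

def _port(tokens: list) -> Optional[int]:
    """Consume an optional 'eq PORT' qualifier, if present."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_ace(line: str) -> Ident:
    """Turn one 'permit PROTO SRC [eq P] DST [eq P]' ACE into its proxy identity."""
    tokens = line.split()
    proto, rest = tokens[1], tokens[2:]
    src, sport = _net(rest), _port(rest)
    dst, dport = _net(rest), _port(rest)
    return Ident(proto, src, sport, dst, dport)

def mirror(ident: Ident) -> Ident:
    """The identity the peer must hold: same proto, source and destination swapped."""
    return Ident(ident.proto, ident.dst, ident.dport, ident.src, ident.sport)

def acl_mirrors(local_acl, remote_acl) -> dict:
    """For each local ACE, True if the peer holds the exact mirrored ACE, else False."""
    remote = {parse_ace(ace) for ace in remote_acl}
    return {ace: mirror(parse_ace(ace)) in remote for ace in local_acl}

# Constructed sample ACLs: the /24 pair mirrors, the port-specific entry does not
SITE_A = ["permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
          "permit tcp host 10.1.1.5 host 10.2.2.5 eq 443"]
SITE_B = ["permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
          "permit ip host 10.2.2.5 host 10.1.1.5"]
```

Summarising siteB's entry to a /20, as in the post, makes the mirrored identity differ from siteA's /24 and the check fails too, which is why no SA (and no SPI) appears for that pair.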
© 2010 Internetwork Expert, Inc. All Rights Reserved