How crypto ACL are matched?

Well, i'm sorry for this simple question, but I can't get any answer. The following text concerns IOS-based devices only, I'm not sure about ASA, PIX, etc.

For example, we have 2 endpoints and a simple site-to-site crypto-map-based IPSEC VPN tunnel. And if ACL's do not mirror/reflect each other on these endpoints, SPI would not be generated and no traffic is passed. Even if subnet mask doesn't match (/8 instead of /24 for simplicity or /20 instead of /24 for summarization and less-effort configuration - 1 ACE instead 4 ACE's) - we get troubles and no traffic is passed. I do not even mention the case, when we are precise in our ACL with protos and dst_ports and other side has just a 'permit ip'-ACL entry. This traffic pattern has no chance to be passed through the tunnel. I've searched hard, but never found the actual REQUIREMENT these 'crypto acl's' have to match. Can anyone explain the nature of this, please? I made couple debugs and my guess is the following - somehow endpoints negotiate local and remote ident (ident - is a term derived from 'sh crypro ipsec sa') and check them on match. But how this is implemented? Can anyone explain?

And one question more - i guess this 'mirror reflection check' is not implemented, when IPSEC VPN is deployed by using Tunnel-interfaces and tunnel protection. Right?


Before this day, i thought that the magic happens like this:

siteA: permit ip host host

siteB: permit ip host

If siteB's host tries to send some traffic to it will be placed on the tunnel, but when siteA will decrypt the packet, the packet will be discarded. But this is wrong. No SPI would be generated in this case and no traffic passed. Actually, my world is ruined 8)

Sign In or Register to comment.