Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1045
Views
10
Helpful
4
Replies

Incoming traffic is not encrypted

Go to solution
Mozambique
Level 1
Level 1

‎01-18-2021 02:04 AM - edited ‎03-24-2022 12:23 AM

 
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to Mozambique

‎01-18-2021 04:49 AM

Hello @Mozambique ,

you have to write the ACL 120 from the point of view of internal traffic.

In other words it should describe traffic from an internal LAN IP subnet to a remote LAN IP subnet reachable via the the IPSec peer.

example:

You local LAN is 192.168.10.0/24   and the remote network LAN is 192.168.50.0/24

access-list 120 becomes:

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255

 

You are configuring a LAN to LAN IPSEC VPN and ACL 120 defines the interesting traffic to be encrypted.

 

This is why any should never be used in an ACL used fo this purpose otherwise your router would expect to receive only encrypted traffic.

 

note:

on remote side the ACL has to be the mirror of the local one:

access-list 121 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255

The ACL is written for traffic to be sent so the the source is the local LAN subnet and the destination is the remote peer's LAN subnet.

 

Hope to help

Giuseppe

 

View solution in original post

4 Replies 4

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎01-18-2021 03:00 AM

Hello @Mozambique ,

can you provide the configuation of ACL 120 ?

you should avoid to use the any keyword in this ACL.

 

please note that your IPSec peer is  45.3.2.1  and the unencrypted packet is received from source 68.2.112.74,

This should be legitimate un-encrypted traffic.

 

Hope to help

Giuseppe

 

Go to solution
Mozambique
Level 1
Level 1
In response to Giuseppe Larosa

‎01-18-2021 03:21 AM - edited ‎03-24-2022 04:50 AM

/

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to Mozambique

‎01-18-2021 04:49 AM

Hello @Mozambique ,

you have to write the ACL 120 from the point of view of internal traffic.

In other words it should describe traffic from an internal LAN IP subnet to a remote LAN IP subnet reachable via the the IPSec peer.

example:

You local LAN is 192.168.10.0/24   and the remote network LAN is 192.168.50.0/24

access-list 120 becomes:

access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255

 

You are configuring a LAN to LAN IPSEC VPN and ACL 120 defines the interesting traffic to be encrypted.

 

This is why any should never be used in an ACL used fo this purpose otherwise your router would expect to receive only encrypted traffic.

 

note:

on remote side the ACL has to be the mirror of the local one:

access-list 121 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255

The ACL is written for traffic to be sent so the the source is the local LAN subnet and the destination is the remote peer's LAN subnet.

 

Hope to help

Giuseppe

 

Go to solution
Mozambique
Level 1
Level 1
In response to Giuseppe Larosa

‎01-18-2021 08:58 AM

Thank you very much @Giuseppe Larosa 

If I'll have a chance, I'll try that.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card