ACLs for IPsec Tunnels

When creating site to site IPsec VPNs we need to configure ACLs that define interesting traffic, that is, an ACL that matches to source and destination networks on each side of the link for which traffic should be encrypted and routed via the VPN. This is part of the Phase 2 stage of establishing the IPsec VPN.

Typically these ACLs reference whole networks (i.e., /24) and aren’t used for granular rules such as specifying which hosts can communicate and over which ports and protocols. One reason for this is that the Phase 2 ACL needs to be a mirror image of the ACL at the remote end of the connection and modifications can cause loss of Phase 2 connectivity.

Further, we cannot specify a direction for the interesting traffic ACL.

To enable granular access rules we can define separate ACLs and apply them to the crypto map using the set ip access-group command.

ip access-list extended VPN-Security-In
 remark -- block access to port 80 on 10.1.1.20 --
 deny tcp host 10.1.1.20 eq 80 any
 deny udp host 10.1.1.20 eq 80 any

crypto map VPN 10 ipsec-isakmp
 set ip access-group VPN1-Security-In in

We can verify ACL hits using the usual show ip access-lists VPN-Security-In command.