Prepare a Router for Site-to-Site VPN using Pre-shared Keys
Step 5 – Ensure ACLs are compatible with IPSec

Existing ACLs on perimeter routers, PIX Security Appliances, or other routers in the path need to be checked to ensure that they do not block IPSec traffic. Perimeter routers typically implement a restrictive security policy with ACLs, where only specific traffic is permitted and all other traffic is dropped by the implicit deny at the end of the list. Such a restrictive policy also blocks IPSec traffic, so specific permit statements need to be added to the ACL to allow the IPSec protocols between the two VPN peers.

Ensure that the ACLs are configured so that ISAKMP, Encapsulating Security Payload (ESP), and Authentication Header (AH) traffic is not blocked at the interfaces used by IPSec. ISAKMP uses UDP port 500. ESP is assigned IP protocol number 50, and AH is assigned IP protocol number 51; because ESP and AH are their own IP protocols rather than TCP or UDP applications, a permit statement for "ip" or for TCP and UDP ports alone does not cover them. If either peer is behind a NAT device, IKE negotiates NAT traversal and the peers switch to UDP port 4500, which then also needs to be permitted. In some cases, a statement may need to be added to router ACLs to explicitly permit this traffic. ACL statements may need to be added to the perimeter router by performing the following steps:

Step 1 Examine the current ACL configuration at the perimeter router and determine if it will block IPSec traffic. Check the list that is applied inbound on the outside interface for permit entries covering ESP, AH, and UDP 500 between the two peer addresses, remembering that an ACL is evaluated top to bottom and the first matching entry wins:
RouterA#show access-lists
Step 2 Add ACL entries to permit IPSec traffic. Because a numbered ACL cannot be edited in place from the access-list command, modify the existing ACL as follows:
  • Copy the existing ACL configuration and paste it into a text editor.
  • Add the new ACL entries at the top of the list in the text editor, so that they are evaluated before any deny statement that would otherwise match the IPSec traffic.
  • Delete the existing ACL with the no access-list access-list-number command. Note that while the list does not exist, an interface that still references it with ip access-group permits all traffic, so re-enter the new list immediately, preferably from the console during a maintenance window.
  • Enter configuration mode and copy and paste the new ACL into the router.
  • Verify that the ACL is correct with the show access-lists command and that it is still applied to the interface with the show ip interface command.
NOTE:

In IOS ACL syntax, the protocol keyword esp is equivalent to IP protocol number 50, the protocol keyword ahp is equivalent to IP protocol number 51, and the UDP port keyword isakmp is equivalent to port 500. The show access-lists command displays the keywords, not the numbers.


Lab Activity

e-Lab Activity: Prepare for IPSec

In this activity, the student will check the current router configuration and ensure that the existing access lists on the perimeter routers do not block ISAKMP, ESP, or AH traffic between the VPN peers.

Interactive Media Activity

Demonstration Activity: Prepare for IKE and IPSec

In this activity, complete the necessary steps to prepare for IPSec.