Hi,
first of all I hope the category of this post is somewhat accurate.
Now for my question: I would like to establish an ipsec-isakmp based VPN that only works unidirectionally. To implement the unidirectional aspect of the VPN my first thought was to implement an ACL that denies anything and a CBAC that inspects ESP and UDP port 500 traffic. Sadly the CBAC options for the inspections don’t support such specific needs. Any ideas how I could achieve that?
Thank you!
Hello Leon
There is no “out of the box” solution for creating a unidirectional IPSec VPN because IPSec inherently requires bidirectional negotiation (IKE/ISAKMP phases) for tunnel establishment. However, there are ways to achieve or “approximate” a unidirectional data flow by carefully controlling which traffic is allowed in each direction. There are several approaches that you can try, and I list some of them below. You will need to see which one fits best with your arrangement, and further explore the details of implementation.
- Use “Interesting Traffic” (Crypto ACL) to Define One-Way Flows
  - On IOS routers or ASAs, each peer has a crypto ACL (the “match address” in the crypto map, or the “traffic selector” in a VTI configuration) that defines which traffic is protected.
  - If you want traffic to only flow from Site A to Site B, configure Site A’s ACL to match traffic from A→B. On Site B, you technically still need a mirrored ACL (B→A) for Phase 2 to work, but you can block or drop that return traffic later using an inbound ACL or firewall policy. In practice, the remote side’s ACL can match the same subnets but remain unused if you drop or deny inbound flows on the local side. The tunnel will still be established, but data from B→A will be dropped.
- Use a Tunnel Interface (VTI) With Routing Controls
  - If you configure a Virtual Tunnel Interface (VTI) on IOS routers, you can run routing or static routes over that interface. Then apply ACLs or policy-based routing (PBR) to only forward traffic in one direction.
  - This can be more flexible than classic crypto maps because you can use the tunnel as an L3 interface, and configure IP addresses, ACLs, routing, or firewall rules, just like a normal interface.
These are a couple of options that may help you out. Just keep in mind that in order for an IPsec VPN to function, it initially requires bidirectional communication to establish the tunnel itself. Once that’s done you can apply whatever features are necessary to result in your desired behavior. Let us know how you get along so that we can help you further!
I hope this has been helpful!
Laz
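The VTI approach from the reply above, written out as an added IOS configuration example for the Site A router (this is not configuration from the thread or from networklessons.com). Peer addresses, subnets, interface and profile names and the pre-shared key are placeholders; Site B needs its own mirrored tunnel configuration so IKE and Phase 2 can complete, and the one-way behaviour comes only from the policy applied to the tunnel interface here.

```cisco
! Added example (hypothetical addressing from RFC 5737 ranges):
!   Site A LAN 10.1.0.0/24, Site B LAN 10.2.0.0/24, Site B peer 203.0.113.2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256
!
! Inbound policy on the tunnel: everything that arrives decrypted from Site B
! is dropped. IKE (UDP 500) and ESP hit the physical interface, not Tunnel0,
! so this ACL does not interfere with tunnel establishment.
ip access-list extended TUNNEL-FROM-B
 deny ip any any log
!
! Optional: if hosts at A must receive replies to sessions they open toward B,
! inspect outbound on the tunnel. CBAC then adds temporary return entries ahead
! of TUNNEL-FROM-B for those sessions only; B still cannot initiate anything.
ip inspect name ONE-WAY tcp
ip inspect name ONE-WAY udp
ip inspect name ONE-WAY icmp
!
interface Tunnel0
 ip address 192.0.2.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
 ip access-group TUNNEL-FROM-B in
 ip inspect ONE-WAY out
!
! Send Site B's LAN over the tunnel; no crypto ACL is needed with a VTI.
ip route 10.2.0.0 255.255.255.0 Tunnel0
```

Leave out the three `ip inspect` lines and the `ip inspect ONE-WAY out` statement for a strictly one-way flow (for example syslog or NetFlow export over UDP); with them in place the rule is "only sessions started from Site A".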
Hi Laz,
thank you very much for your reply, using a VTI worked really well to achieve my desired behaviour. So a VPN needs bidirectional traffic to be established, but are there actually any options to control which of the peers is allowed to initiate the connection?
I really appreciate your help!
Leon