Once the IKE Phase 1 tunnel is established, the IKE Phase 2 tunnel parameters are negotiated using the security of the IKE Phase 1 tunnel. The IKE Phase 2 tunnel is synonymous with the IPSec tunnel. All user data that requires the protection of IPSec flows across the IPSec tunnel. As you know, a router can have a lot of routes in its routing table. How does the router determine what traffic receives the security of IPSec and what traffic needs to be forwarded in cleartext? That is where crypto ACLs come into the picture.
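The traffic-selection rule described above, as an added example that is not part of the original text: a small Python simulation of crypto ACL semantics, written to show what the router is deciding rather than how it is configured. A `permit` entry marks traffic as "interesting" (sent through the IPSec tunnel), a `deny` entry or no match at all means the packet is forwarded in cleartext, not dropped, and the peer's crypto ACL must be the mirror image of the local one or the two ends will not agree on the Phase 2 traffic selectors. The CIDR-based ACL syntax, the site addresses, and the "public web server" host are all constructed for this example (a real Cisco IOS crypto ACL is an extended ACL using wildcard masks, bound to a crypto map with `match address`).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List

# Simulation of crypto ACL semantics (added example; not router code).
#   permit   -> traffic is "interesting" and is sent through the IPSec tunnel
#   deny     -> traffic is explicitly excluded and forwarded in cleartext
#   no match -> implicit deny: forwarded in cleartext, NOT dropped


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches any protocol; otherwise e.g. "tcp", "udp", "icmp"
    src: IPv4Network
    dst: IPv4Network


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'permit|deny <proto> <src-cidr> <dst-cidr>' lines.

    This CIDR syntax is constructed for the example; it is not the
    wildcard-mask syntax a real IOS extended ACL uses.
    """
    entries = []
    for line in lines:
        action, proto, src, dst = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in crypto ACL line: {line!r}")
        entries.append(AclEntry(action, proto, IPv4Network(src), IPv4Network(dst)))
    return entries


def classify(acl: List[AclEntry], src: str, dst: str, proto: str = "ip") -> str:
    """Return "ipsec" or "cleartext" for one packet using first-match semantics."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for entry in acl:
        if entry.proto != "ip" and entry.proto != proto:
            continue
        if s in entry.src and d in entry.dst:
            return "ipsec" if entry.action == "permit" else "cleartext"
    return "cleartext"   # implicit deny at the end of every crypto ACL


def mirror(acl: List[AclEntry]) -> List[AclEntry]:
    """The crypto ACL the peer must carry: same entries, source and destination swapped."""
    return [AclEntry(e.action, e.proto, e.dst, e.src) for e in acl]


def acls_are_mirrored(local: List[AclEntry], remote: List[AclEntry]) -> bool:
    """True if the peer's crypto ACL is the exact mirror image of ours.

    A mismatch means the two ends disagree on the traffic selectors, so the
    Phase 2 (IPSec SA) negotiation fails for the affected traffic.
    """
    return mirror(local) == remote


# Constructed sample: site A (10.1.1.0/24) <-> site B (10.2.2.0/24).
# Host 10.2.2.100 is a public web server that should be reached in cleartext.
SITE_A_ACL = parse_acl([
    "deny   ip 10.1.1.0/24   10.2.2.100/32",
    "permit ip 10.1.1.0/24   10.2.2.0/24",
])
SITE_B_ACL = parse_acl([
    "deny   ip 10.2.2.100/32 10.1.1.0/24",
    "permit ip 10.2.2.0/24   10.1.1.0/24",
])
# A misconfigured peer that permits a wider destination range than site A offers.
SITE_B_BAD_ACL = parse_acl([
    "deny   ip 10.2.2.100/32 10.1.1.0/24",
    "permit ip 10.2.2.0/24   10.1.0.0/16",
])

if __name__ == "__main__":
    samples = [("10.1.1.5", "10.2.2.7"),       # site-to-site user data -> ipsec
               ("10.1.1.5", "10.2.2.100"),     # explicitly excluded host -> cleartext
               ("10.1.1.5", "198.51.100.9")]   # Internet-bound, no match -> cleartext
    for src, dst in samples:
        print(f"{src} -> {dst}: {classify(SITE_A_ACL, src, dst, 'tcp')}")
    print("site B ACL mirrors site A:", acls_are_mirrored(SITE_A_ACL, SITE_B_ACL))
    print("bad site B ACL mirrors site A:", acls_are_mirrored(SITE_A_ACL, SITE_B_BAD_ACL))
```

Two points the simulation makes concrete: a `deny` in a crypto ACL is not a filter (the packet still leaves the interface, just without IPSec), and the mirror check is worth running whenever a tunnel stays up but some flows unexpectedly cross in the clear or fail to negotiate.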