Defining Interesting Traffic Using IPSec Profile on Cisco Router – How to Guide

Tags: cisco, ipsec, tunnel

I apologize if this is a duplicate, but I'm having difficulty figuring out how to define interesting traffic on a Cisco router using an IPSec Profile referenced by a tunnel interface.

The old-school way of defining interesting traffic is with a crypto map that you apply to an interface. If the traffic going over that interface matches the access list configured under the crypto map, it's encrypted as it's sent across the IPSec tunnel. If not, the traffic can still pass across the interface, just not encrypted.

With the IPSec profile, you configure a tunnel interface to use it as "protection" and, depending on the mode you use, it can either be a straight-up IPSec tunnel or another type of tunnel (GRE) within that IPSec tunnel.

What I want to know is this: Using the IPSec profile, all the traffic going across the tunnel is encrypted. You don't seem to have the option to define interesting traffic via an ACL. How is this working when the other side uses a crypto map with an ACL defining interesting traffic? It seems to work, but I don't know why, because the ACL should be a part of the phase 2 negotiation.

Best Answer

The phase 2 negotiations for a VTI (Virtual Tunnel Interface, tunnel mode ipsec ipv4) will offer 0/0.0.0.0:0 as "local subnet" and accept 0/0.0.0.0:0 (in extenso: "any protocol, any IP, any port") as "remote subnet" during phase 2 negotiations. If the remote end can cope with that, then there's your tunnel.

You should be able to see that by virtue of show crypto ipsec sa.
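The answer's suggested check is to look at the proxy identities in show crypto ipsec sa. The script below, an added example that is not part of the question or the answer, parses a constructed sample of that output (modelled on the IOS format, not captured from a real device) and classifies each SA as VTI-style wildcard (0.0.0.0/0 on both sides), ACL-scoped (specific subnets on both sides), or mixed (one end wildcard, the other a subnet), which is the combination to inspect when a crypto-map peer is talking to a VTI peer. Function names, the sample addresses and the packet counters are all assumptions made for the example.

```python
"""Parse 'show crypto ipsec sa' output and classify the phase 2 proxy
identities each SA was negotiated with.

Added example for this Q&A, not code from the original post. The sample
output below is constructed to resemble Cisco IOS formatting; it is not
captured from a real router.
"""
import re

# Constructed sample: one VTI (tunnel protection via an IPsec profile) and one
# classic crypto-map SA, so the two negotiation styles can be compared.
SAMPLE_OUTPUT = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1234, #pkts encrypt: 1234, #pkts digest: 1234
    #pkts decaps: 1100, #pkts decrypt: 1100, #pkts verify: 1100

interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 203.0.113.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""

# Matches the "local  ident (...)" / "remote ident (...)" lines.
IDENT_RE = re.compile(
    r"(?P<side>local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<prot>\d+)/(?P<port>\d+)\)"
)


def parse_ipsec_sa(text):
    """Return one dict per 'interface:' block: interface name, current peer,
    and the local/remote proxy identities as (addr, mask, prot, port)."""
    sas = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface:"):
            current = {"interface": stripped.split(":", 1)[1].strip(),
                       "peer": None, "local": None, "remote": None}
            sas.append(current)
            continue
        if current is None:
            continue
        m = IDENT_RE.search(stripped)
        if m:
            current[m.group("side")] = (m.group("addr"), m.group("mask"),
                                        int(m.group("prot")), int(m.group("port")))
            continue
        if stripped.startswith("current_peer"):
            current["peer"] = stripped.split()[1]
    return sas


def is_any(ident):
    """True for the VTI-style wildcard: any address, any protocol, any port."""
    addr, mask, prot, port = ident
    return addr == "0.0.0.0" and mask == "0.0.0.0" and prot == 0 and port == 0


def classify(sa):
    """'vti-any' when both identities are 0/0, 'acl-scoped' when both are
    specific subnets, otherwise 'mixed' (one wildcard end, one scoped end)."""
    loc_any, rem_any = is_any(sa["local"]), is_any(sa["remote"])
    if loc_any and rem_any:
        return "vti-any"
    if not loc_any and not rem_any:
        return "acl-scoped"
    return "mixed"


def report(text):
    """Map each interface in the output to its proxy-identity classification."""
    return {sa["interface"]: classify(sa) for sa in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for iface, kind in report(SAMPLE_OUTPUT).items():
        print(f"{iface}: {kind}")
```

Run it against a pasted show crypto ipsec sa capture instead of SAMPLE_OUTPUT to see which SAs were built with the wildcard selectors the answer describes; a "mixed" result on a production tunnel is the point at which to compare the crypto-map ACL on the far end with what the VTI side actually accepted.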