Feature restrictions and guidelines

ACL-based IPsec can protect only traffic that is generated by the device and traffic that is destined for the device. You cannot use an ACL-based IPsec tunnel to protect user traffic. In the ACL that is used to identify IPsec protected traffic, ACL rules that match traffic forwarded through the device do not take effect. For example, an ACL-based IPsec tunnel can protect log messages the device sends to a log server, but it cannot protect traffic that is forwarded by the device for two hosts, even if the host-to-host traffic matches an ACL permit rule. For more information about configuring an ACL for IPsec, see "Configuring ACLs."

Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and 50, respectively. Make sure flows of these protocols are not denied on the interfaces with IKE or IPsec configured.