
[IPSec](/ipsec) [VPN](/vpn)s inherently require bidirectional negotiation ([IKE/ISAKMP phases](/ipsec-why-does-ike-need-two-phases)) to establish a [tunnel](/network-tunneling). However, it is possible to simulate a unidirectional data flow by controlling the allowable traffic in each direction. There are two potential approaches.

## Interesting Traffic with Crypto ACLs

The traffic that should be protected is called [Interesting Traffic](/vpn-interesting-traffic) and can be configured with Crypto ACLs.

On Cisco IOS routers or Cisco ASAs, use crypto [access control lists (ACLs)](/access-list-acl) to define protected traffic. For traffic only from Site A to Site B, configure Site A's ACL to match A→B traffic. Although Site B's mirrored ACL (B→A) is technically required for Phase 2, return traffic can be blocked after decryption using an inbound ACL or firewall policy. The tunnel will establish, but B→A data is dropped.

## Tunnel Interface with Routing Controls

With a Virtual Tunnel Interface (VTI) on IOS routers, implement routing or [static routes](/ip-routing-table-static-route) over the interface. Apply ACLs or [policy-based routing  (PBR)](/pbr-policy-based-routing) to allow traffic only in one direction. This method offers flexibility, treating the tunnel as an L3 interface where [IP addresses](/ipv4), ACLs, routing, and firewall rules can be configured similarly to a physical interface.

While IPSec VPNs need initial bidirectional communication for tunnel setup, these measures help achieve selective data flow direction.

## Links

https://networklessons.com/security/ipsec-internet-protocol-security

https://networklessons.com/security/cisco-ipsec-tunnel-mode-configuration

https://networklessons.com/security/ipsec-static-virtual-tunnel-interface

https://networklessons.com/security/ipsec-vti-virtual-tunnel-interface

Unidirectional Data Flow Over an IPsec VPN

Syslog - logging discriminator

Syslog - terminal monitor

Syslog relay or proxy

Syslog severity levels

Syslog

TCP - Congestion control

TCP - Determining the MSS

TCP - SEQ and ACK values

TCP - Slow start

TCP - Three-way handshake

TCP - Urgent pointer field

TCP - Window Size Scaling

TCP - factors affecting segment size

TCP - role of checksum field

TCP IP Model

TCP MSS and window size

TCP RST flag

TCP SYN timeout

TCP header options

TCP phantom byte

TFTP

Tcl Shell

Telnet

Time to live

Time-based Access List (ACL) on Cisco IOS XR

ToS bits 6 and 7 are Reserved

Token Bucket Burst Behavior in Traffic Shaping

Token Bucket Size Configuration in Traffic Policing

Traceroute - Interpreting output

Traceroute asterisk and !H responses

Traditional Layer 2 Issues in VXLAN Networks

Traffic Shaping and Manually Configuring Bc Values

Traffic Shaping and Queuing with ISP Contracts

Traffic Shaping using Percentage

Transparent Cisco IOS Firewall use cases

Transport Layer port number

Troubleshooting - using Telnet to test transport layer ports

Troubleshooting Route Flapping on Cisco IOS

Troubleshooting a slow network

Troubleshooting high CPU and memory usage on a switch

Type Length Value (TLV)

UDP - Header

UDP - Maximum Datagram Size

UDP Use Cases

UDP's Connectionless Nature

Unicast Reverse Path Forwarding (uRPF)

Unicast traffic

Unknown unicast traffic

Upgrade your R&S skills to modern networking

UplinkFast Dummy Multicast Frames Behavior During Link Recovery

VACL - use cases

VACL Changes to ACL are active immediately

VACL vs ACL

VLAN - Extended Range

VLAN - Native VLAN on a router on a stick

VLAN - Private VLAN

VLAN - QinQ troubleshooting

VLAN - VLAN IDs 0 and 4095

VLAN Mapping

VLAN SVI status

VLAN Tag

VLAN Trunk interfaces missing in show vlan output

VLAN control frames

VLAN

VLANs - 802.1Q tunneling (QinQ)

VLANs - Dynamic VLAN membership (VMPS)

VLANs - QinQ and CDP

VLANs - Vlans allowed and active in management domain

VLANs - when a tagged frame arrives on an access port

VLANs SVI

VMware Configuration Maximums

VMware vSwitch Port Groups and VLAN Configuration

VPN - IKEv2 peer address of 0.0.0.0 0.0.0.0

VPN - Interesting Traffic

VPN - NAT Exemption

VPN - crypto keepalive

VPN - default gateway for site to site VPN

VPN - default gateway of VPN client

VPN - split tunneling

VPN DVTI tunnel source

VRF - Definition mode

VRF - VPNv4 address

VRF Communication and Route Target Configuration

VRF and L2TPv3 Configuration and Interaction

VRF capability vrf-lite command

VRF sharing across multiple routers

VRF use cases

VRRP - Virtual IP doesn't respond to pings

VRRP - load balancing

VRRP - support for authentication

VRRP - using the same ID on different interfaces

VRRP - using the same ID on subinterfaces

VRRP and sub-optimal routing

VRRP on sub-interfaces

VTP - Client can't modify VLANs