Cisco IOS Site to Site VPN
Five steps to configuring an IPSec Site to Site VPN!
- Configure Phase I – ISAKMP Parameters
- Configure Phase II – ESP Parameters
- Configure the interesting traffic ACL
- Link the above parameters to each other using a Crypto Map
- Apply the Crypto Map to the outbound interface
Notes:
- Items below between < > are meant to be replaced with a value
- Phase 1 parameters:
- pre shared key: cisco123
- Peer IP: 192.1.23.3
- Phase 1 encryption: 3des
- Phase 1 hash: md5
- Phase 1 group: DH 2
- Phase 2 Transform Name: TSET
- Phase 2 Transform encryption: 3des
- Phase 2 Transform Hash: SHA1
- Source Network: 10.1.1.0/24
- Destination Network: 10.3.3.0/24
- Crypto Map Name: CMAP
- Outbound Interface: FastEthernet 0/0
Let’s dive in!
- Configure Phase I – ISAKMP Parameters
- crypto isakmp key cisco123 address 192.1.23.3
- crypto isakmp policy 10
- auth pre-share
- encryption 3des
- hash md5
- group 2
- Configure Phase II – ESP Parameters
- crypto ipsec transform-set TSET esp-3des esp-sha-hmac
- Configure the interesting traffic ACL
- access-list 101 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
- Link the above parameters to each other in a crypto map
- crypto map CMAP 10 ipsec-isakmp
- set peer 192.1.23.3
- set transform-set TSET
- match address 101
- Apply the crypto map to the outbound interface
- interface fa0/0
- crypto map CMAP
Repeat on the other side of the tunnel, don’t forget to reverse the source and destination on the ACL!
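The following is an added example, not part of the original page: a small Python generator that emits the five steps above for both ends of the tunnel from one set of parameters, so the ACL is reversed and the peer addresses swapped automatically, and a check that the two ACLs really are mirror images. The defaults reproduce the page's values (3DES, MD5, DH group 2, which Cisco now treats as legacy); the router names R1/R3 and R1's own WAN address 192.1.23.2 are constructed for the example, and the `strong` parameter set at the end shows the same generator with current AES/SHA-256 keywords.

```python
"""Generate both ends of the five-step IOS site-to-site VPN from one set of
parameters. Added example; router names and the local WAN address are constructed."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Site:
    name: str      # hostname, for labelling only
    wan_ip: str    # address the far side peers with (IKE/ESP endpoint)
    lan: str       # protected network in CIDR form, e.g. "10.1.1.0/24"


@dataclass
class VpnParams:
    # Defaults reproduce the page's parameters; 3DES/MD5/DH2 are legacy
    # choices kept only so the output matches the page.
    psk: str = "cisco123"
    p1_encr: str = "3des"
    p1_hash: str = "md5"
    p1_group: int = 2
    p2_name: str = "TSET"
    p2_transform: str = "esp-3des esp-sha-hmac"
    acl: int = 101
    cmap: str = "CMAP"
    seq: int = 10
    wan_if: str = "FastEthernet0/0"


def network_and_wildcard(cidr: str) -> tuple:
    """IOS ACLs take a wildcard (inverse) mask: 10.1.1.0/24 -> 10.1.1.0 0.0.0.255."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def build_config(local: Site, remote: Site, p: VpnParams) -> str:
    """Emit the five steps for `local`; the ACL source is always the local LAN."""
    src, src_wc = network_and_wildcard(local.lan)
    dst, dst_wc = network_and_wildcard(remote.lan)
    lines = [
        f"! {local.name}: tunnel to {remote.name}",
        # Step 1: Phase 1 (ISAKMP) policy and pre-shared key for this peer
        f"crypto isakmp policy {p.seq}",
        " authentication pre-share",
        f" encryption {p.p1_encr}",
        f" hash {p.p1_hash}",
        f" group {p.p1_group}",
        f"crypto isakmp key {p.psk} address {remote.wan_ip}",
        # Step 2: Phase 2 (IPsec) transform set
        f"crypto ipsec transform-set {p.p2_name} {p.p2_transform}",
        # Step 3: interesting traffic, local LAN -> remote LAN
        f"access-list {p.acl} permit ip {src} {src_wc} {dst} {dst_wc}",
        # Step 4: the crypto map ties peer, transform set and ACL together;
        # without `match address` IOS leaves the map entry disabled
        f"crypto map {p.cmap} {p.seq} ipsec-isakmp",
        f" set peer {remote.wan_ip}",
        f" set transform-set {p.p2_name}",
        f" match address {p.acl}",
        # Step 5: bind the map to the outbound interface
        f"interface {p.wan_if}",
        f" crypto map {p.cmap}",
    ]
    return "\n".join(lines)


_ACL_RE = re.compile(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)


def acls_are_mirrored(cfg_a: str, cfg_b: str) -> bool:
    """True when side B's ACL is side A's with source and destination swapped."""
    a, b = _ACL_RE.search(cfg_a), _ACL_RE.search(cfg_b)
    if not (a and b):
        return False
    return ((a.group(1), a.group(2)) == (b.group(3), b.group(4))
            and (a.group(3), a.group(4)) == (b.group(1), b.group(2)))


# Constructed lab topology: R1 is the side the page configures, so its
# peer is 192.1.23.3; R1's own WAN address 192.1.23.2 is an assumption.
R1 = Site("R1", "192.1.23.2", "10.1.1.0/24")
R3 = Site("R3", "192.1.23.3", "10.3.3.0/24")

if __name__ == "__main__":
    params = VpnParams()
    cfg_r1 = build_config(R1, R3, params)
    cfg_r3 = build_config(R3, R1, params)
    print(cfg_r1, cfg_r3, sep="\n!\n")
    print("! ACLs mirrored:", acls_are_mirrored(cfg_r1, cfg_r3))
    # Same generator with current-generation algorithms (IOS 15.x keywords)
    strong = VpnParams(p1_encr="aes 256", p1_hash="sha256", p1_group=14,
                       p2_transform="esp-aes 256 esp-sha256-hmac")
    print(build_config(R1, R3, strong))
```

Running the script prints the R1 and R3 configurations back to back; the mirrored-ACL check is the one-liner worth running before pasting, since a non-reversed ACL on the far side is the usual reason Phase 2 negotiates but traffic only flows one way.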
Verification:
- show crypto isakmp sa – Verifies Phase I
- show crypto ipsec sa – Verifies Phase II
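As an added example (not from the original page), the following Python parses the output of those two show commands and decides whether the tunnel is actually healthy: Phase 1 SA in QM_IDLE/ACTIVE for the expected peer, proxy identities matching the ACL, and packets both encapsulated and decapsulated. The sample outputs are constructed to match the page's parameters (peer 192.1.23.3, local address 192.1.23.2 assumed, CMAP on FastEthernet0/0) and the exact column layout may differ between IOS releases.

```python
"""Check the two verification commands' output for a healthy tunnel.
Added example; the sample outputs below are constructed, not captured."""
import re
from typing import Optional

# Constructed `show crypto isakmp sa` output: one Phase 1 SA with the page's peer
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.1.23.3      192.1.23.2      QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed `show crypto ipsec sa` excerpt for the CMAP entry on fa0/0
SAMPLE_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 192.1.23.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   current_peer 192.1.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
"""


def phase1_state(isakmp_output: str, peer: str) -> Optional[str]:
    """Return the ISAKMP SA state for `peer` (e.g. 'QM_IDLE'), or None if absent.
    QM_IDLE with status ACTIVE means Phase 1 completed; MM_NO_STATE or no row at
    all points at a policy/key mismatch or an unreachable peer."""
    for line in isakmp_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and peer in fields[:2]:
            state, status = fields[2], fields[4]
            return state if status == "ACTIVE" else f"{state}/{status}"
    return None


def phase2_counters(ipsec_output: str) -> dict:
    """Pull encaps/decaps counters and the negotiated proxy identities."""
    def count(label: str) -> int:
        m = re.search(rf"#pkts {label}:\s*(\d+)", ipsec_output)
        return int(m.group(1)) if m else 0

    idents = re.findall(
        r"(local|remote) +ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/",
        ipsec_output,
    )
    return {
        "encaps": count("encaps"),
        "decaps": count("decaps"),
        "idents": {side: f"{addr}/{mask}" for side, addr, mask in idents},
    }


def tunnel_healthy(isakmp_output: str, ipsec_output: str, peer: str,
                   local_lan: str, remote_lan: str) -> bool:
    """Phase 1 up, identities match the intended ACL, and traffic flows both ways.
    encaps > 0 with decaps == 0 is the classic symptom of an ACL that was not
    reversed on the far side (or of a return-path routing problem)."""
    if phase1_state(isakmp_output, peer) != "QM_IDLE":
        return False
    c = phase2_counters(ipsec_output)
    if c["idents"].get("local") != local_lan or c["idents"].get("remote") != remote_lan:
        return False
    return c["encaps"] > 0 and c["decaps"] > 0


if __name__ == "__main__":
    print("Phase 1:", phase1_state(SAMPLE_ISAKMP_SA, "192.1.23.3"))
    print("Phase 2:", phase2_counters(SAMPLE_IPSEC_SA))
    print("healthy:", tunnel_healthy(SAMPLE_ISAKMP_SA, SAMPLE_IPSEC_SA, "192.1.23.3",
                                     "10.1.1.0/255.255.255.0", "10.3.3.0/255.255.255.0"))
```

Feed it the real command output (for example from a scheduled `show` over SSH) and alert when `tunnel_healthy` turns false; checking decaps as well as encaps is what catches the half-working tunnel that a bare "SA exists" check misses.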