Config isakmp (IKE) – (ISAKMP PHASE 1):
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
Config Pre-Shared Key – PSK:
R1(config)# crypto isakmp key firewallcx address 1.1.1.2
- Create IPSec Transform (ISAKMP PHASE 2 POLICY):
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)# mode tunnel (tunnel mode is the default, so this line is optional)
- Create extended ACL (Interesting Traffic):
R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
- Create Crypto Map:
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC
R1(config-crypto-map)# set pfs group 2
- Apply crypto map to the public interface:
R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP
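The steps above only work if every piece references the others by the right name (transform-set, ACL, crypto map, interface), and the phase-1 parameters shown (3DES, MD5, DH group 2) are legacy choices a reviewer would flag. The following Python script is an added example, not part of the original notes: it parses a constructed running-config that mirrors the commands above and reports wiring mistakes and weak phase-1 settings. The names CMAP, TS, VPN-TRAFFIC and the peer 1.1.1.2 are taken from the notes; the "weak" lists are an editorial assumption, not IOS behaviour.

```python
"""Audit a Cisco IOS crypto-map style site-to-site IPsec configuration.

Added example (not from the original notes). Checks that the ISAKMP policy
avoids legacy algorithms, that the crypto map references a transform-set and
ACL that exist, that PFS is set, and that the map is applied to an interface.
"""
import re

# Constructed sample: the running-config form of the commands in the notes.
SAMPLE_CONFIG = """
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key firewallcx address 1.1.1.2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set TS
 match address VPN-TRAFFIC
 set pfs group 2
interface FastEthernet0/1
 crypto map CMAP
"""

# Editorial assumption: what this audit treats as legacy/weak for phase 1.
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_sections(config):
    """Split an IOS config into (header line, [indented child lines]) blocks."""
    sections = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def keyed(children):
    """'encr 3des' -> {'encr': '3des'}; 'set peer X' / 'match address X' -> {'peer': X, 'address': X}."""
    entries = {}
    for c in children:
        words = c.split()
        if words[0] in ("set", "match") and len(words) >= 3:
            entries[words[1]] = " ".join(words[2:])
        elif len(words) >= 2:
            entries[words[0]] = " ".join(words[1:])
    return entries


def audit_config(config):
    """Return sorted finding strings; an empty list means the config is consistent."""
    findings, crypto_maps = [], {}
    transform_sets, acls, applied = set(), set(), set()
    saw_policy = False

    for header, children in parse_sections(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            saw_policy = True
            kv = keyed(children)
            if kv.get("encr") in WEAK_ENCR:
                findings.append(f"phase1 weak encryption: {kv['encr']}")
            if kv.get("hash") in WEAK_HASH:
                findings.append(f"phase1 weak hash: {kv['hash']}")
            if kv.get("group") in WEAK_DH_GROUPS:
                findings.append(f"phase1 weak DH group: {kv['group']}")
        elif header.startswith("crypto ipsec transform-set"):
            transform_sets.add(words[3])
        elif header.startswith("ip access-list extended"):
            acls.add(words[3])
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", header):
            crypto_maps[words[2]] = keyed(children)
        elif header.startswith("interface"):
            for c in children:
                if c.startswith("crypto map "):
                    applied.add(c.split()[2])

    if not saw_policy:
        findings.append("no ISAKMP policy configured")
    for name, entries in crypto_maps.items():
        ts = entries.get("transform-set")
        if ts not in transform_sets:
            findings.append(f"crypto map {name}: transform-set {ts} not defined")
        acl = entries.get("address")
        if acl not in acls:
            findings.append(f"crypto map {name}: match address ACL {acl} not defined")
        if "peer" not in entries:
            findings.append(f"crypto map {name}: no peer set")
        if "pfs" not in entries:
            findings.append(f"crypto map {name}: PFS not enabled")
        if name not in applied:
            findings.append(f"crypto map {name}: not applied to any interface")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports only the three weak phase-1 choices; renaming the transform-set in the crypto map or removing the interface binding produces wiring findings, which is the kind of mistake that leaves the tunnel silently down.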
Verification Commands:
show run | section crypto
show crypto isakmp policy
show crypto map
show crypto isakmp sa
show crypto ipsec sa
show crypto isakmp sa detail
show crypto ipsec sa detail
show crypto engine connections active
debug crypto isakmp
debug crypto ipsec
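Of the verification commands above, `show crypto isakmp sa` is the quickest check that phase 1 actually came up with the configured peer. The Python below is an added example, not part of the original notes: it parses constructed output laid out like the IOS table (column names read from the header line rather than hard-coded) and reports whether a healthy SA (state QM_IDLE, status ACTIVE) exists to a given peer. The MM_NO_STATE sample is constructed to show what a failed main-mode exchange, such as a pre-shared key or policy mismatch, typically looks like.

```python
"""Parse `show crypto isakmp sa` output and test for a healthy phase-1 SA.

Added example (not from the original notes). Sample outputs are constructed
to resemble the IOS table format.
"""

# Constructed: phase 1 established with peer 1.1.1.2 (1.1.1.1 assumed local).
SA_UP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.2         1.1.1.1         QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed: main mode never completed (typical for a PSK/policy mismatch).
SA_DOWN = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.2         1.1.1.1         MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""


def parse_isakmp_sa(output):
    """Return one dict per SA row, keyed by the column names in the header line."""
    rows, columns = [], None
    for line in output.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "dst" and "state" in words:
            columns = words                      # header row defines the columns
            continue
        if columns is None or len(words) < len(columns):
            continue                             # section titles, blank areas
        row = dict(zip(columns[:-1], words[:len(columns) - 1]))
        row[columns[-1]] = " ".join(words[len(columns) - 1:])  # status may have a suffix
        rows.append(row)
    return rows


def phase1_up(output, peer):
    """True if an SA involving `peer` is in QM_IDLE with status exactly ACTIVE."""
    for row in parse_isakmp_sa(output):
        if peer in (row["dst"], row["src"]):
            if row["state"] == "QM_IDLE" and row["status"] == "ACTIVE":
                return True
    return False


if __name__ == "__main__":
    print("up:", phase1_up(SA_UP, "1.1.1.2"))      # True
    print("down:", phase1_up(SA_DOWN, "1.1.1.2"))  # False
```

When this reports the SA as down, `debug crypto isakmp` from the list above is the next step; a deleted MM_NO_STATE entry that keeps reappearing points at phase 1 (PSK or policy), while a QM_IDLE SA with no traffic flowing points at phase 2 (`show crypto ipsec sa`, transform-set or ACL mismatch).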
Note: A limitation of IPsec tunnels built with crypto maps is that dynamic routing protocols cannot run over the tunnel, so use a GRE tunnel (GRE over IPsec) instead.
Note: ESP (Encapsulating Security Payload) is IP protocol 50 and GRE (Generic Routing Encapsulation) is IP protocol 47.
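Knowing the protocol numbers makes it possible to sanity-check what is actually leaving the public interface: only ESP (50) and IKE should be visible between the peers, and traffic between the two protected subnets should never appear unencapsulated. The Python below is an added example, not part of the original notes: it classifies constructed flow records (as might be summarised from a capture or NetFlow on FastEthernet0/1) and flags two failure modes, cleartext traffic between 10.10.10.0/24 and 20.20.20.0/24 (crypto map not matching, not applied, or SA down) and bare GRE (47) between the peers when the GRE tunnel is meant to be protected by the crypto map. It assumes 1.1.1.1 as the local public address and uses IKE on UDP/500, a standard value not stated in the notes.

```python
"""Classify flows on the VPN router's public interface and flag leaks.

Added example (not from the original notes). Protocol numbers ESP=50 and
GRE=47 come from the notes; UDP/500 for ISAKMP/IKE is standard. 1.1.1.1 is
an assumed local address; 1.1.1.2 is the peer from the notes.
"""
import ipaddress

ESP, GRE, UDP = 50, 47, 17
IKE_PORT = 500
PEERS = {ipaddress.ip_address("1.1.1.1"), ipaddress.ip_address("1.1.1.2")}
PROTECTED = [ipaddress.ip_network("10.10.10.0/24"),
             ipaddress.ip_network("20.20.20.0/24")]
ALERT_CLASSES = {"GRE-CLEARTEXT", "CLEARTEXT-LEAK"}

# Constructed flow records: (ip_proto, src, dst, dst_port or None)
FLOWS = [
    (UDP, "1.1.1.1", "1.1.1.2", 500),           # IKE negotiation: expected
    (ESP, "1.1.1.1", "1.1.1.2", None),          # encrypted tunnel traffic: expected
    (GRE, "1.1.1.1", "1.1.1.2", None),          # GRE that should be inside ESP
    (6, "10.10.10.5", "20.20.20.7", 445),       # protected traffic in the clear
    (6, "10.10.10.5", "8.8.8.8", 443),          # ordinary internet traffic
]


def is_protected(ip):
    """True if the address falls in one of the interesting-traffic subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED)


def classify(proto, src, dst, dport):
    """Label one flow as seen on the outside interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in PEERS and d in PEERS:
        if proto == ESP:
            return "ipsec-esp"
        if proto == UDP and dport == IKE_PORT:
            return "isakmp"
        if proto == GRE:
            return "GRE-CLEARTEXT"      # tunnel packets bypassed the crypto map
    if is_protected(src) and is_protected(dst):
        return "CLEARTEXT-LEAK"         # site-to-site traffic not encrypted
    return "other"


def alerts(flows):
    """Return (label, flow) pairs for flows that indicate unprotected traffic."""
    out = []
    for flow in flows:
        label = classify(*flow)
        if label in ALERT_CLASSES:
            out.append((label, flow))
    return out


if __name__ == "__main__":
    for label, flow in alerts(FLOWS):
        print(label, flow)
```

Seeing a CLEARTEXT-LEAK here is the practical symptom of the ACL or crypto map problems the verification commands above are meant to catch; the interface-level view confirms it independently of what `show crypto ipsec sa` reports.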