Site to Site VPN Config on a Cisco Router

Config isakmp (IKE) – (ISAKMP PHASE 1):
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400

Config Pre-Shared Key – PSK:
R1(config)# crypto isakmp key firewallcx address

  1. Create IPSec Transform (ISAKMP PHASE 2 POLICY):
    R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
    R1(cfg-crypto-trans)#mode tunnel (by default it is tunnel mode so don’t have to specify)
  2. Create extended ACL (Interesting Traffic):
    R1(config)# ip access-list extended VPN-TRAFFIC
    R1(config-ext-nacl)# permit ip
  3. Create Crypto Map:
    R1(config)# crypto map CMAP 10 ipsec-isakmp
    R1(config-crypto-map)# set peer
    R1(config-crypto-map)# set transform-set TS
    R1(config-crypto-map)# match address VPN-TRAFFIC
    R1(config-crypto-map)# set pfs group 2
  4. Apply crypto map to the public interface:
    R1(config)# interface FastEthernet0/1
    R1(config- if)# crypto map CMAP

Verification Commands:
show run | section crypto
show crypto isakmp policy
show crypto map
show crypto isakmp sa
show crypto ipsec sa
show crypto isakmp sa detail
show crypto ipsec sa detail
show crypto engine connections active
debug crypto isakmp
debug crypto ipsec

Note: Limitations of IPsec Tunnel with Crypto maps is that we can not use Dynamic Routing Protocols over the tunnel so use GRE tunnel.

Note: ESP (Encapsulating Security Payload) is protocol 50 and GRE (Generic Route Encryption) is protocol 47.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: