Monday, June 20, 2011

Cisco IOS - Basic IPSec Site-to-Site VPN

This is the basic configuration needed to bring up an IPSec tunnel between two IOS routers (this was done on a pair of 2801s).

Please keep in mind that the names used (transform-set, crypto map, policy number) do not have to match on both sides.

R1
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key c1sco address 10.1.12.2

crypto ipsec transform-set shelby esp-3des esp-md5-hmac

crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.2
 set transform-set shelby
 match address 100

interface Serial0/3/0
 ip address 10.1.12.1 255.255.255.0
 clock rate 64000
 crypto map CMAP
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
ip route 2.2.2.0 255.255.255.0 10.1.12.2

access-list 100 permit ip host 1.1.1.1 host 2.2.2.2

r1#ping 2.2.2.2 source lo0

Packet sent with a source address of 1.1.1.1
!!!!!

r1#show crypto session  
     
Crypto session current status

Interface: Serial0/3/0
Session status: UP-ACTIVE  
Peer: 10.1.12.2 port 500
  IKE SA: local 10.1.12.1/500 remote 10.1.12.2/500 Active
  IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.2
        Active SAs: 2, origin: crypto map

*************

R2

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key c1sco address 10.1.12.1

crypto ipsec transform-set shelby esp-3des esp-md5-hmac

crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.1
 set transform-set shelby
 match address 100

interface Loopback0
 ip address 2.2.2.2 255.255.255.255

interface Serial0/3/0
 ip address 10.1.12.2 255.255.255.0
 crypto map CMAP

ip route 1.1.1.0 255.255.255.0 10.1.12.1

access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
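An added example, not part of the original post: a small Python checker that reads the R1/R2 lines above and confirms the two sides agree (ISAKMP policy, pre-shared key and peer address, transform-set, mirrored crypto ACLs), and flags the algorithms used here (3DES, MD5, DH group 2) as legacy choices a current deployment would replace. The embedded config text is copied from the post; the checker and its finding strings are this example's own.

```python
import re

# Added example (not from the post): a consistency and legacy-crypto check for
# the post's R1/R2 configs. Only the lines the checker reads are embedded here.
POLICY = "crypto isakmp policy 1\n encr 3des\n hash md5\n authentication pre-share\n group 2\n"
R1 = POLICY + """crypto isakmp key c1sco address 10.1.12.2
crypto ipsec transform-set shelby esp-3des esp-md5-hmac
 set peer 10.1.12.2
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
"""
R2 = POLICY + """crypto isakmp key c1sco address 10.1.12.1
crypto ipsec transform-set shelby esp-3des esp-md5-hmac
 set peer 10.1.12.1
access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
"""
# Algorithms that were common in 2011 but are legacy today (3DES, MD5, DH group 2).
WEAK = {("encr", "des"), ("encr", "3des"), ("hash", "md5"), ("group", "1"), ("group", "2"),
        ("transform-set", "esp-des"), ("transform-set", "esp-3des"), ("transform-set", "esp-md5-hmac")}

def parse(cfg):
    """Pull out the fields that must agree between two IKEv1 pre-shared-key peers."""
    c = {"policy": {}, "acl": [], "ts": ()}
    for s in (line.strip() for line in cfg.splitlines()):
        if s.startswith(("encr ", "hash ", "authentication ", "group ")):
            k, v = s.split(None, 1); c["policy"][k] = v
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", s):
            c["psk"], c["key_peer"] = m.groups()
        elif s.startswith("crypto ipsec transform-set "):
            c["ts"] = tuple(s.split()[4:])            # e.g. (esp-3des, esp-md5-hmac)
        elif s.startswith("set peer "):
            c["peer"] = s.split()[2]
        elif m := re.match(r"access-list \d+ permit ip host (\S+) host (\S+)", s):
            c["acl"].append(m.groups())               # (src, dst) of interesting traffic
    return c

def check(a, b):
    """Return a list of findings for peers a and b; an empty list means they agree."""
    f = []
    if a["policy"] != b["policy"]: f.append("isakmp policy mismatch")
    if a.get("psk") != b.get("psk"): f.append("pre-shared key mismatch")
    if a.get("key_peer") != a.get("peer") or b.get("key_peer") != b.get("peer"):
        f.append("isakmp key address differs from crypto map peer")
    if a["ts"] != b["ts"]: f.append("transform-set mismatch")
    if {(d, s) for s, d in a["acl"]} != set(b["acl"]): f.append("crypto ACLs are not mirror images")
    for name, c in (("R1", a), ("R2", b)):
        used = list(c["policy"].items()) + [("transform-set", t) for t in c["ts"]]
        weak = sorted(f"{k} {v}" for k, v in used if (k, v) in WEAK)
        if weak: f.append(f"{name}: legacy algorithms: " + ", ".join(weak))
    return f
```

Run against the post's configs it reports no mismatches, only the two legacy-algorithm findings; change one side's key, peer, ACL or hash and the corresponding mismatch appears.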

1 comment:

  1. Thanks a lot dude... It really helped me during an emergency.
