IINS Course
IPsec Site-to-Site VPN
GNS3 / c2691 topology
ISAKMP Phase - IKE Phase 1
crypto isakmp enable
1. Policy
crypto isakmp policy 10
 authentication pre-share
 encryption aes 128
 group 2
2. Identity
crypto isakmp identity address
3. Key (pre-shared key, bound to the peer's address)
crypto isakmp key 0 <key> address <peer-ip>
IPsec Phase - IKE Phase 2
1. IPsec transform set
crypto ipsec transform-set S2S-VPN-TSET esp-aes esp-sha-hmac
2. IPsec SA lifetime (optional)
crypto ipsec security-association lifetime seconds <120-86400>
3. ACL to identify interesting traffic (mirror image on each peer)
On one peer:
ip access-list extended S2S-VPN-TRAF
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
On the other peer:
ip access-list extended S2S-VPN-TRAF
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
4. Crypto map
crypto map S2S-CR-MAP 10 ipsec-isakmp
4.1 define traffic match
 match address S2S-VPN-TRAF
4.2 define peer's address (the other router's address)
 set peer <peer-ip>   (192.168.0.2 on R1, 192.168.0.1 on R2)
4.3 define DH second handshake (PFS) - optional
 set pfs group2
4.4 define transform set
 set transform-set S2S-VPN-TSET
5. Assign crypto map to the outside interface
interface <outside-interface>
 crypto map S2S-CR-MAP
R1#show run | section crypto
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key StrongIpsecPassword address 192.168.0.2
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set S2S-VPN-TSET esp-aes esp-sha-hmac
crypto map S2S-CR-MAP 10 ipsec-isakmp
 set peer 192.168.0.2
 set transform-set S2S-VPN-TSET
 match address S2S-VPN-TRAF
 crypto map S2S-CR-MAP
R2#show run | section crypto
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key StrongIpsecPassword address 192.168.0.1
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set S2S-VPN-TSET esp-aes esp-sha-hmac
crypto map S2S-CR-MAP 10 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set S2S-VPN-TSET
 match address S2S-VPN-TRAF
 crypto map S2S-CR-MAP
Diagnosing
     show crypto isakmp sa   (Phase 1 SA; state QM_IDLE means IKE is established)
     show crypto ipsec sa    (Phase 2 SAs; #pkts encaps/decaps counters show traffic is being protected)
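Added example (not part of the course notes): a Python script that parses the `show run | section crypto` output of both peers and reports the settings that must match or mirror between them (ISAKMP policy, pre-shared key, transform set, peer addresses, interesting-traffic ACL), plus a strength note on DH group 2. The two sample configs are the R1/R2 snippets above with the S2S-VPN-TRAF ACL appended as constructed input, generated from one template function (an assumption, to keep the example short).

```python
import re

def peer_cfg(peer, src, dst):
    """Constructed input: one peer's `show run | section crypto` from the notes,
    with the interesting-traffic ACL appended (the section filter omits it)."""
    return f"""crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key StrongIpsecPassword address {peer}
crypto ipsec transform-set S2S-VPN-TSET esp-aes esp-sha-hmac
crypto map S2S-CR-MAP 10 ipsec-isakmp
 set peer {peer}
 set transform-set S2S-VPN-TSET
 match address S2S-VPN-TRAF
ip access-list extended S2S-VPN-TRAF
 permit ip {src} 0.0.0.255 {dst} 0.0.0.255"""

R1 = peer_cfg("192.168.0.2", "10.1.0.0", "10.2.0.0")   # R1 peers with .2
R2 = peer_cfg("192.168.0.1", "10.2.0.0", "10.1.0.0")   # R2 peers with .1

def parse(text):
    """Extract the fields both peers must agree on (or mirror)."""
    c = {"policy": tuple(re.findall(r"^ (encr|authentication|group) (\S+)", text, re.M))}
    c["key"], c["key_addr"] = re.search(r"isakmp key (?:\d )?(\S+) address (\S+)", text).groups()
    c["tset"] = re.search(r"^crypto ipsec transform-set \S+ (.+)$", text, re.M).group(1)
    c["peer"] = re.search(r"^ set peer (\S+)", text, re.M).group(1)
    c["acl"] = re.search(r"^ permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M).groups()
    return c

def audit(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    mirror = b["acl"][2:] + b["acl"][:2]      # other side's ACL with src/dst swapped
    checks = [
        (a["policy"] != b["policy"], "ISAKMP policy (encr/auth/group) differs"),
        (a["key"] != b["key"], "pre-shared keys differ"),
        (a["tset"] != b["tset"], "IPsec transform sets differ"),
        (a["peer"] == b["peer"], "both crypto maps point at the same peer"),
        (any(s["peer"] != s["key_addr"] for s in (a, b)),
         "crypto map peer and PSK address disagree on one side"),
        (a["acl"] != mirror, "interesting-traffic ACLs are not mirror images"),
        (("group", "2") in a["policy"], "DH group 2 (1024-bit) is below current guidance"),
    ]
    return [msg for bad, msg in checks if bad]

if __name__ == "__main__":
    print(audit(R1, R2) or "peers consistent")
```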