Site-to-Site VPN Configuration

Upload: arnisadoryeskrimador

Posted on 03-Apr-2018


TRANSCRIPT

    7/28/2019 Site-to-Site VPN Configuration

    Phase 1 of IKE is defined (ISAKMP Policy)

    1. Create an Internet Key Exchange (IKE) key policy. The policy used for our case is policy number 9, because this policy requires a pre-shared key.

    Router(config)#crypto isakmp policy 9

    Router(config-isakmp)#hash md5

    Router(config-isakmp)#authentication pre-share

    2. Set up the shared key that will be used in the VPN,

    Router(config)#crypto isakmp key VPNKEY address XXX.XXX.XXX.XXX

    where,

    VPNKEY is the shared key that you will use for the VPN; remember to set the same key on the other end.

    XXX.XXX.XXX.XXX is the static public IP address of the other end.

    3. Now we set the lifetime for the IPsec security associations,

    Router(config)#crypto ipsec security-association lifetime seconds YYYYY

    where YYYYY is the security association lifetime in seconds. It is usually set to 86400, which is one day.

    4. Configure an extended access-list to define the traffic that is allowed to be directed through the VPN link,

    Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK

    where,

    AAA is the access-list number.

    SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK is the source network (address and wildcard mask) of the data allowed to use the VPN link.

    DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK is the destination network (address and wildcard mask) of the data that needs to pass through the VPN link.

    2. Phase 2 of IKE is defined (Transform Set)

    5. Define the transform set that will be used for this VPN connection,

    Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC

    where,

    SETNAME is the name of the transform set. You can choose any name you like.


    BBBB and CCCCC are the transforms that make up the set. I recommend the use of esp-3des esp-md5-hmac. You can also use esp-3des esp-sha-hmac. Either of these two will do the job.

    6. After defining all the previous things, we need to create a crypto-map that associates the access-list with the other site and the transform set.

    Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp

    Router(config-crypto-map)#set peer XXX.XXX.XXX.XXX

    Router(config-crypto-map)#set transform-set SETNAME

    Router(config-crypto-map)#match address AAA

    where,

    MAPNAME is a name of your choice for the crypto-map.

    PRIORITY is the priority of this map entry over other entries to the same destination. If this is your only crypto-map, give it any number, for example 10.

    XXX.XXX.XXX.XXX is the static public IP address of the other end.

    SETNAME is the name of the transform set that we configured in step 5.

    AAA is the number of the access-list that we created to define the traffic in step 4.

    7. The last step is to bind the crypto-map to the interface that connects the router to the other end.

    Router(config-if)#crypto map MAPNAME

    where MAPNAME is the name of the crypto-map that we defined in step 6.

    Now, repeat these steps on the other end, and remember to use the same key along with the same authentication method and transform set.

    Note: If you want to implement multiple VPN connections to multiple sites (i.e. a Hub-and-Spoke topology), you can do this by repeating steps 2 to 7 (except step 3) for each VPN connection. The different crypto-map entries and their assignments differentiate between the VPN connections. Use the same map name for all the connections on the same interface, and use a different priority for each connection.
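The following is an added example, not part of the original document, that carries steps 1 to 7 through end to end and also shows the hub-and-spoke variant from the note above: a hub router holding two entries under one crypto map name, plus the mirrored configuration of the first spoke. All addresses are constructed (RFC 5737 documentation ranges), and the names VPNSET, VPNMAP, the per-peer keys VPNKEY-SPOKE1 / VPNKEY-SPOKE2 and the interface GigabitEthernet0/0 are assumptions; the document itself uses a single VPNKEY for every peer and leaves the ISAKMP encryption and Diffie-Hellman group at their IOS defaults, which are set explicitly here.

```cisco
! ===== Hub router (constructed: public 203.0.113.1, LAN 192.168.10.0/24) =====
! Step 1: IKE phase 1 policy (policy 9, pre-shared key, as in the document).
! encryption/group are not in the document; they are set explicitly here
! so both ends negotiate the same phase 1 proposal.
crypto isakmp policy 9
 encryption 3des
 hash md5
 authentication pre-share
 group 2
!
! Step 2: one pre-shared key per peer (assumption; the document reuses one key).
crypto isakmp key VPNKEY-SPOKE1 address 198.51.100.1
crypto isakmp key VPNKEY-SPOKE2 address 192.0.2.1
!
! Step 3: IPsec SA lifetime, configured once for the whole router (one day).
crypto ipsec security-association lifetime seconds 86400
!
! Step 4: one access-list per spoke, hub LAN -> spoke LAN (wildcard masks).
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
! Step 5: transform set recommended by the document.
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
!
! Step 6: same map name, a different priority per spoke (the note above).
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VPNSET
 match address 101
crypto map VPNMAP 20 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set VPNSET
 match address 102
!
! Step 7: bind the single crypto map to the Internet-facing interface.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
!
! ===== Spoke 1 (constructed: public 198.51.100.1, LAN 192.168.20.0/24) =====
! Identical policy, key, lifetime and transform set; the access-list is the
! mirror image of hub entry 101 (spoke LAN -> hub LAN).
crypto isakmp policy 9
 encryption 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key VPNKEY-SPOKE1 address 203.0.113.1
!
crypto ipsec security-association lifetime seconds 86400
!
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set VPNSET
 match address 101
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
```

Two things to check when the tunnel does not come up: the spoke's access-list must be the exact mirror of the matching hub entry (a source/destination mismatch is the usual reason phase 1 reaches QM_IDLE in `show crypto isakmp sa` while `show crypto ipsec sa` shows no packets encrypted), and every phase 1 parameter (encryption, hash, authentication, group, key) must match on both ends, since the document's commands leave encryption and group at the image's defaults. On current IOS images the same commands also accept stronger settings where both ends support them, for example `encryption aes 256`, `hash sha256` and `group 14` in the ISAKMP policy and `esp-aes 256 esp-sha256-hmac` as the transform set, in place of the 3DES/MD5 combination the document recommends.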

    For troubleshooting purposes, you can use the following commands:

    show crypto isakmp sa

    show crypto ipsec sa

    show crypto engine connections active

    show crypto map
