IPsec VPN tunnels are used to connect two networks over the internet and secure the traffic between them using IKE version 1 or 2.
First we will need to configure the ISAKMP policies
The authentication method is used to ensure the identity of the IPsec peers
The encryption method is used to encrypt the data
Hash message authentication codes (HMAC) are used to ensure the integrity and the identity of the sender
A Diffie-Hellman group determines the strength of the encryption-key-determination algorithm
Example of the ISAKMP policy: you can have a maximum of 20 policies per device
Once the ISAKMP policy is created then it needs to be enabled on the outside interface by the following command
"crypto isakmp enable interface-name"
TRANSFORM SETS
IPsec transform sets define the authentication and encryption for the IPsec tunnels - you can have multiple transform sets configured
below is one example
crypto ipsec transform-set "Name" esp-3des esp-md5-hmac - this has to match on both sides of the VPN appliances
ACCESS LIST
You will need to create an access list to match the interesting traffic on both sides
If your local side is 172.16.1.0/24 and the remote side is 172.16.2.0/24 then your access list should look something like this
access-list VPN1 extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
You can also create a network object-group if you have more than one subnet
TUNNEL GROUPS
Tunnel groups are sets of records that define the VPN policies and authentication servers
below are the steps to create the tunnel group.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key myvpnkey1234
CRYPTO MAP
The crypto map ties all the policies together, such as your access list and the other policies - below is the command to tie a VPN peer to the access list
crypto map map-name seq-num match address access-list-name
In the example for this article, "VPN" is the name of the crypto map, 1 is the sequence number and VPN1 is the name of the ACL.
This will set up the point-to-point IPsec tunnel on your end. You can now test the new tunnel by initiating traffic to the other side using ICMP pings, which should bring the tunnel up.
Thanks for reading the article.
Regards
H
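Putting the steps above together, here is a complete configuration for the local side as an added example (not the article's own config), using the subnets, peer address, ACL name, crypto map name and pre-shared key from the article; the interface name outside, the transform-set name VPNSET, the policy number 10 and support for DH group 14 on the running software version are assumptions, and the transform set is hardened to AES/SHA instead of the article's 3DES/MD5.

```cisco
! Added example configuration - not from the original article.
! Local LAN 172.16.1.0/24, remote LAN 172.16.2.0/24, peer 1.1.1.1.
! Assumptions: interface "outside", transform-set "VPNSET", policy 10,
! DH group 14 supported by the software version in use.
!
! 1. ISAKMP (IKE phase 1) policy - must match the policy on the peer
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto isakmp enable outside
!
! 2. Transform set (IKE phase 2) - must match on both appliances.
!    The article uses esp-3des esp-md5-hmac; 3DES and MD5 are deprecated,
!    so use AES and SHA wherever both ends support them.
crypto ipsec transform-set VPNSET esp-aes-256 esp-sha-hmac
!
! 3. Interesting traffic: local subnet -> remote subnet.
!    The peer needs the mirror image (172.16.2.0/24 -> 172.16.1.0/24).
access-list VPN1 extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
!
! 4. Tunnel group keyed by the peer's public IP, carrying the pre-shared key.
!    Use a long random key in production; "myvpnkey1234" is the article's sample.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key myvpnkey1234
!
! 5. Crypto map "VPN", sequence 1: ties the ACL, peer and transform set
!    together, then binds the map to the outside interface.
crypto map VPN 1 match address VPN1
crypto map VPN 1 set peer 1.1.1.1
crypto map VPN 1 set transform-set VPNSET
crypto map VPN interface outside
!
! Caveat: if inside addresses are translated on the way out, the VPN
! traffic also needs a NAT exemption (not covered in the article).
!
! Verification after pinging a host on the remote side:
!   show crypto isakmp sa   - phase 1 should show state MM_ACTIVE
!   show crypto ipsec sa    - encaps/decaps counters should increment
```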