- Configuring Site-to-Site IPSec VPN on Cisco IOS using a PSK
- Configuring Site-to-Site GRE over IPSec VPN on Cisco IOS
- Configuring Site-to-Site VPN on Cisco IOS using a Self-Signed Certificate
- Configuring Site-to-Site VPN on Cisco IOS using an IOS CA Certificate
- Configuring Site-to-Site SVTI Tunnel on Cisco IOS Using a Wildcard Key
- Configuring Site-to-Site VPN on Cisco IOS Using Aggressive Mode
- Configuring Site-to-Site VPN with Overlapping Subnets on Cisco IOS Using Static NAT (Method 1)
- Configuring Site-to-Site VPN with Overlapping Subnets on Cisco IOS Using Static NAT (Method 2)
- Configuring Site-to-Site VPN on Cisco IOS Using ISAKMP Profiles and Key Rings
- Configuring Site-to-Site VPN on Cisco IOS Using Key Ring and Self-Signed RSA Keys
- Configuring Site-to-Site VPN on Cisco IOS Using Hostname Authentication
- Configuring Site-to-Site VPN on Cisco IOS Using IPv6 and Preshared Keys
- Configuring Site-to-Site VPN on Cisco IOS Using IPv6 and IOS CA Certificates
- Configuring Site-to-Site Stateless Failover VPN on Cisco IOS Using IPSec PSK and HSRP
- Configuring Site-to-Site VPN through an ASA Firewall on Cisco IOS
- Configuring Site-to-Site VPN with NAT-T (NAT Traversal) on Cisco IOS
- Configuring Site-to-Site VPN between an ASA and an IOS Router Using IKEv1 with Pre-Shared Key
- Configuring Site-to-Site VPN between an ASA and an IOS Router Using IKEv2 with Pre-Shared Key
- Configuring VPN between an ASA and IOS Router Using IKEv1 with Certificates and Dynamic IP Support
- Configuring VPN on an ASA and IOS Routers Using IKEv1 and Hairpinning Traffic
- Configuring GRE over IPSec on IOS Routers
Configuring Site-to-Site IPSec VPN on Cisco IOS using a PSK
Setting up an IPSec VPN on a Cisco IOS router involves several well-defined steps, broken down into ISAKMP Phase 1 and IPSec Phase 2. Below is a streamlined walkthrough for building a basic site-to-site VPN tunnel using pre-shared key authentication.
Step 1: Configure ISAKMP (IKE Phase 1)
The first phase establishes a secure channel using the Internet Security Association and Key Management Protocol (ISAKMP). This negotiation runs over UDP port 500. Start by creating a policy with encryption and hashing standards:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
Then, specify the shared key and peer IP address:
crypto isakmp key key address x.x.x.x
Step 2: Define IPSec Transform Set (Phase 2)
Phase 2 handles the actual data encryption between endpoints. Here, you define how the data will be protected—using a transform set. This example uses 3DES and MD5 for encryption and hashing:
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
Replace t-set with a name of your choice.
Step 3: Identify Interesting Traffic
You need to specify which traffic should be protected by the VPN tunnel. This is done using an access list:
access-list 101 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
The above syntax permits traffic between specified source and destination IP subnets.
Step 4: Create the Crypto Map
A crypto map ties together all VPN components, including peer address, transform set, and traffic ACL. Apply it as follows:
crypto map vpn-map 10 ipsec-isakmp
 match address 101
 set peer x.x.x.x
 set transform-set t-set
Be sure the name vpn-map and transform set name match those used in earlier steps.
Step 5: Apply the Crypto Map to the Interface
Finally, apply the crypto map to the router’s outgoing interface to activate the tunnel:
interface s0/0
 crypto map vpn-map
This ensures that any “interesting traffic” defined by the access list and flowing through this interface is encrypted and protected by the IPSec tunnel.
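The five steps above have to be typed on both routers, and the usual failure modes are a transform set or crypto map name that differs between the steps, a peer address that does not match the key entry, and an access list that is not the mirror image of the one on the other side. As an added example, not code from the original page, the following Python renders both ends of the tunnel from one shared description so those values are derived from the same data; the site names, addresses and interface names are constructed samples, the policy uses AES, SHA and group 5 as in the later sections of this page rather than the 3DES/MD5 shown above, and the pre-shared key is a placeholder.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    """One end of the tunnel; the values used below are constructed samples."""
    name: str
    wan_ip: str   # address the peer reaches over the Internet (Step 1 / set peer)
    wan_if: str   # outside interface that the crypto map is applied to (Step 5)
    lan: str      # protected subnet behind the router, CIDR form


def network_and_wildcard(cidr: str) -> tuple:
    """IOS access lists take a network address plus a wildcard (inverse) mask."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def crypto_acl(number: int, local_cidr: str, remote_cidr: str) -> str:
    """Step 3: the interesting-traffic entry, local subnet to remote subnet."""
    src, src_wc = network_and_wildcard(local_cidr)
    dst, dst_wc = network_and_wildcard(remote_cidr)
    return f"access-list {number} permit ip {src} {src_wc} {dst} {dst_wc}"


def parse_acl(line: str) -> tuple:
    """Return (src, src_wildcard, dst, dst_wildcard) from a 'permit ip' entry."""
    f = line.split()
    if len(f) < 8 or f[0] != "access-list" or f[2:4] != ["permit", "ip"]:
        raise ValueError(f"not a simple 'permit ip' entry: {line}")
    return f[4], f[5], f[6], f[7]


def is_mirror(acl_a: str, acl_b: str) -> bool:
    """The peer's crypto ACL must be the exact mirror: source and destination swapped."""
    src, src_wc, dst, dst_wc = parse_acl(acl_a)
    return parse_acl(acl_b) == (dst, dst_wc, src, src_wc)


def render(local: Site, remote: Site, psk: str, *, acl: int = 101,
           tset: str = "t-set", cmap: str = "vpn-map") -> str:
    """Steps 1 to 5 for one router; the tset and cmap names are reused throughout."""
    lines = [
        f"! --- {local.name} ---",
        "crypto isakmp policy 10",
        " authentication pre-share",
        " encryption aes",
        " hash sha",
        " group 5",
        f"crypto isakmp key {psk} address {remote.wan_ip}",
        f"crypto ipsec transform-set {tset} esp-aes esp-sha-hmac",
        crypto_acl(acl, local.lan, remote.lan),
        f"crypto map {cmap} 10 ipsec-isakmp",
        f" match address {acl}",
        f" set peer {remote.wan_ip}",
        f" set transform-set {tset}",
        f"interface {local.wan_if}",
        f" crypto map {cmap}",
    ]
    return "\n".join(lines)


# Constructed sample sites; the key is a placeholder, not a real secret.
HQ = Site("HQ", "101.1.1.100", "s0/0", "192.168.101.0/24")
BRANCH = Site("Branch", "102.1.1.100", "s0/0", "192.168.102.0/24")
PSK_PLACEHOLDER = "REPLACE-WITH-SHARED-SECRET"


def both_sides() -> tuple:
    """Render HQ's and Branch's configurations from the same two Site records."""
    return render(HQ, BRANCH, PSK_PLACEHOLDER), render(BRANCH, HQ, PSK_PLACEHOLDER)


def acl_line(config: str) -> str:
    """Pick the access-list entry out of a rendered configuration."""
    return next(l for l in config.splitlines() if l.startswith("access-list"))


if __name__ == "__main__":
    hq_cfg, branch_cfg = both_sides()
    print(hq_cfg, branch_cfg, sep="\n\n")
    print("\nACLs mirror each other:", is_mirror(acl_line(hq_cfg), acl_line(branch_cfg)))
```

The wildcard mask is computed from the prefix length instead of typed by hand, and is_mirror is the check to run against the peer's access list before bringing the tunnel up: a non-mirrored ACL produces a proxy identity mismatch during Phase 2 rather than an obvious configuration error.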
Configuring Site-to-Site GRE over IPSec VPN on Cisco IOS
When building a site-to-site VPN that also needs to support routing protocols, using GRE over IPSec is a highly effective method. While IPSec provides the security and encryption, GRE (Generic Routing Encapsulation) enables the transport of routing protocol traffic (like OSPF or EIGRP), multicast, and even non-IP traffic across the tunnel.
Step 1: GRE Tunnel Configuration
Begin by creating the tunnel interface, assigning it an internal IP address, and configuring GRE as the tunnel mode:
interface tunnel 0
 ip address 192.168.1.1 255.255.255.240
 tunnel source 101.1.1.100
 tunnel destination 102.1.1.100
 tunnel mode gre ip
 no shutdown
This establishes a logical GRE tunnel over which your traffic will flow. The tunnel source and tunnel destination should match the physical interfaces or IPs reachable over the internet or internal WAN.
Next, configure routing to share routes across the tunnel. For example, using OSPF:
interface g2
 ip ospf 100 area 0
! the tunnel interface must also be in the OSPF process, or no adjacency forms across the tunnel
interface tunnel 0
 ip ospf 100 area 0
This allows the routers to exchange dynamic routing information through the GRE tunnel.
Step 2: ISAKMP Policy (IKE Phase 1)
Define the IKE Phase 1 parameters using ISAKMP. This sets up the secure channel for negotiation:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
Specify the shared key and peer IP address to complete Phase 1:
crypto isakmp key key address tunnel-dest-ip
Step 3: IPSec Transform Set (IKE Phase 2)
Now define how traffic will be encrypted in Phase 2. GRE traffic will be encapsulated by IPSec using this transform set:
crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac
 mode tunnel
Create a profile to bind the transform set:
crypto ipsec profile vpn-profile
 set transform-set vpn-set
Step 4: Apply IPSec Protection to the GRE Tunnel
With the GRE tunnel and IPSec configuration in place, apply the IPSec profile to the tunnel interface:
interface tunnel 0
 tunnel protection ipsec profile vpn-profile
This command binds the IPSec protection to the GRE tunnel, ensuring all GRE traffic is encrypted and secured across the public or internal network.
Configuring Site-to-Site VPN on Cisco IOS using a Self-Signed Certificate
When you want to secure your VPN connections without relying on a centralized Certificate Authority (CA), self-signed RSA keys offer a practical alternative.
Step 1: Set the Domain Name and Generate RSA Keys
On each router, begin by setting a unique domain name. This domain will be tied to the RSA key identity.
ip domain-name securitydemo.net
Next, generate the RSA key pair with a specified key size (e.g., 1024 bits):
crypto key generate rsa modulus 1024
You can verify the generated key using:
show crypto key mypubkey rsa
Copy the Key Data output; this is the public key you’ll need to import on the remote peer.
Step 2: Manually Exchange and Import Public Keys
On the remote router, you’ll paste the copied key using the following command structure:
crypto key pubkey-chain rsa
 addressed-key peer-router-ip
  key-string
   paste-key-data-here
   quit
Repeat this process in reverse: copy the public key from the second router and import it back on the first router using the same pubkey-chain command with the appropriate addressed IP.
Verify that both routers have successfully installed the other’s public key:
show crypto key pubkey-chain rsa
Step 3: Configure ISAKMP with RSA Signature Authentication
Now that both public keys are exchanged, configure the ISAKMP (IKE Phase 1) policy using rsa-sig for authentication:
crypto isakmp policy 1
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
This tells the router to use RSA signatures for peer authentication, rather than pre-shared keys.
Step 4: Define IPSec Parameters (IKE Phase 2)
Set up your transform set and security association lifetime for Phase 2 of the tunnel negotiation:
crypto ipsec transform-set tset esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 1800
Step 5: Specify “Interesting Traffic” and Build Crypto Map
Create an access list to define the traffic that should be encrypted across the VPN tunnel:
access-list 101 permit ip src-subnet src-wildcard dest-subnet dest-wildcard
Now link all components together in a crypto map:
crypto map cm-name 10 ipsec-isakmp
 set transform-set tset
 set peer peer-IP
 match address 101
Apply the crypto map to the outbound-facing interface:
interface g3
 crypto map cm-name
Configuring Site-to-Site VPN on Cisco IOS using an IOS CA Certificate
In environments where centralized certificate infrastructure like Microsoft PKI is unavailable, Cisco IOS routers can act as both a Certificate Authority (CA) and a VPN endpoint. This guide walks through configuring a site-to-site VPN using RSA signature authentication, with one router functioning as an IOS-based CA.
Step 1: Time Synchronization is Critical
Before configuring the router as a CA, ensure its clock is synchronized. You can either set the time manually or configure NTP. Inaccurate time settings can cause certificate enrollment or authentication to fail due to invalid or expired timestamps.
Step 2: Set Up the IOS CA
Configure a separate router as the Certificate Authority. Start by generating an RSA key:
crypto key generate rsa general-keys exportable label label-name modulus 1024
Export the key for backup purposes:
crypto key export rsa label-name pem url nvram: 3des passphrase
Enable the HTTP server, which is required for certificate enrollment:
ip http server
Then configure the CA server:
crypto pki server name
 database level minimum
 database url nvram:
 issuer-name cn=name
 grant auto
 no shutdown
Verify the CA is running with:
show crypto pki server
Step 3: Enroll the First Router with the IOS CA
On the first router (VPN endpoint), begin the certificate enrollment process:
crypto pki trustpoint IOS-CA
 enrollment url http://101.1.1.1
Then authenticate and enroll with the CA:
crypto pki authenticate IOS-CA
! "yes" answers the prompt to accept the CA certificate
yes
crypto pki enroll IOS-CA
After enrollment, verify that the certificate is successfully installed:
show crypto pki certificates
Step 4: Configure the VPN Using RSA Signatures
Now that the certificate is in place, you can configure the ISAKMP policy to use RSA-based authentication:
crypto isakmp policy 1
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
Set up the IPSec transform set for Phase 2 negotiation:
crypto ipsec transform-set tset esp-aes esp-sha-hmac
 mode tunnel
Create an IPSec profile to bind the transform set:
crypto ipsec profile pname
 set transform-set tset
Finally, apply the profile to the tunnel interface:
interface tunnel0
 tunnel protection ipsec profile pname
Configuring Site-to-Site SVTI Tunnel on Cisco IOS Using a Wildcard Key
When configuring site-to-site VPN tunnels using Static Virtual Tunnel Interfaces (SVTI), a wildcard pre-shared key can simplify deployments in dynamic environments, particularly when the peer IP address isn’t fixed or known in advance. However, while convenient, wildcard keys should be used with caution due to security implications.
Step 1: Configure the ISAKMP (IKE Phase 1) Policy
The first step is to define the ISAKMP policy that dictates how peers establish the initial secure channel (Phase 1 of the VPN negotiation):
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
This sets the authentication method to pre-shared key, and defines AES for encryption, SHA for hashing, and Diffie-Hellman group 5 for key exchange.
Step 2: Set Up a Wildcard Pre-Shared Key
Using a wildcard key allows any IP address to initiate a VPN connection as long as it presents the correct key. This is done with:
crypto isakmp key key address 0.0.0.0 0.0.0.0
Note: While this simplifies the configuration, it compromises security by allowing unsolicited connection attempts from any IP address. In production, it’s better to restrict the peer IP where possible.
Step 3: Configure the IPSec Transform Set (IKE Phase 2)
Next, configure how the data will be encrypted and authenticated after the tunnel is established:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
 exit
Then, bind the transform set to an IPSec profile:
crypto ipsec profile profile-name
 set transform-set tset-name
 exit
The IPSec profile will be attached to the virtual tunnel interface, linking the encryption policy directly to it.
Step 4: Create the Tunnel Interface
Now define the virtual tunnel interface. This interface operates like a standard interface and integrates with routing protocols, enabling secure dynamic routing over the tunnel.
interface tunnel0
 ip address x.x.x.x subnet-mask
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profile-name
Here, tunnel mode ipsec ipv4 ensures the tunnel uses SVTI rather than GRE. The tunnel protection command applies the IPSec profile, linking the encryption policy to this logical interface.
Configuring Site-to-Site VPN on Cisco IOS Using Aggressive Mode
While Main Mode is the standard for IKE Phase 1 negotiations in most VPN setups, Aggressive Mode offers a faster, three-message exchange that is particularly useful for remote endpoints with dynamic IP addresses or where quicker negotiation is prioritized over identity concealment. It trades off some security and identity protection for speed and flexibility.
Step 1: Configure the ISAKMP Policy
Begin by setting up IKE Phase 1 with encryption, hashing, and group parameters. This phase establishes the secure channel used to negotiate IPSec SAs (Security Associations):
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
Then, configure the shared key and aggressive mode-specific commands:
crypto isakmp key key address x.x.x.x
! the aggressive-mode settings are configured per peer under crypto isakmp peer
crypto isakmp peer address x.x.x.x
 set aggressive-mode password password
 set aggressive-mode client-endpoint ipv4-address x.x.x.x
- set aggressive-mode password is used for identity authentication in aggressive mode.
- set aggressive-mode client-endpoint defines the IP address expected from the remote peer.
Step 2: Define IPSec Transform Set (Phase 2)
Next, configure the IPSec transform set that defines how traffic is protected after the tunnel is up:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
Optionally, define the lifetime for the security association:
crypto ipsec security-association lifetime seconds 1800
Step 3: Define Interesting Traffic with ACL
You must define which traffic should be encrypted via the VPN tunnel using an access control list (ACL):
access-list 101 permit ip source-subnet wildcard-mask destination-subnet wildcard-mask
This tells the router what traffic is considered “interesting” and should be protected by IPSec.
Step 4: Build and Apply the Crypto Map
Now tie it all together with a crypto map, which binds the peer, transform set, and ACL:
crypto map vpn-map 10 ipsec-isakmp
 set transform-set tset-name
 set peer x.x.x.x
 match address 101
Be sure to apply this crypto map to the outbound-facing interface to activate the tunnel.
Configuring Site-to-Site VPN with Overlapping Subnets on Cisco IOS Using Static NAT (Method 1)
In some VPN deployments, both networks may use identical internal IP ranges, commonly referred to as overlapping subnets. This presents a major challenge because IPSec VPNs don’t natively support duplicate addressing on both sides. One reliable workaround is to use Static NAT translation to “mask” one side’s subnet with a non-overlapping one for VPN routing purposes.
Step 1: Configure NAT on Each Router
Start by identifying and translating the overlapping subnet using a static NAT rule. For example, if both sites use 192.168.101.0/24, you can map one side to a unique translation like 192.168.20.0/24.
interface g2
 ip nat inside
interface g3
 ip nat outside
exit
ip nat inside source static network 192.168.101.0 192.168.20.0 /24
This tells the router to translate all traffic from the internal subnet 192.168.101.0/24 to appear as 192.168.20.0/24 when sent over the VPN.
Step 2: Configure the ISAKMP Policy (IKE Phase 1)
Set up the IKE Phase 1 policy to define how peers initiate secure communications:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
Then specify the shared key and peer IP:
crypto isakmp key key address x.x.x.x
Step 3: Define the IPSec Transform Set (IKE Phase 2)
Create the transform set that defines how traffic will be encrypted and hashed:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
You can also define the security association lifetime:
crypto ipsec security-association lifetime seconds 1800
Step 4: Configure the ACL for Interesting Traffic
Now, define which traffic should be encrypted. The access list must reflect the translated subnets, not the original overlapping ones:
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
Make sure this ACL matches traffic after NAT translation on both ends of the tunnel.
Step 5: Build and Apply the Crypto Map
Create and bind the IPSec configuration using a crypto map:
crypto map vpn-map 10 ipsec-isakmp
 set transform-set tset-name
 set peer x.x.x.x
 match address 101
Finally, apply the crypto map to the outbound interface:
interface g3
 crypto map vpn-map
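To see why the access list in Step 4 must name the translated subnets, here is an added Python model, not code from the original page, of what a static network NAT entry does to an address and of how IOS matches a flow against a wildcard-mask access list. Both sites use 192.168.101.0/24; site A is masked as 192.168.20.0/24 and site B as 192.168.30.0/24, as in the ACL above, and the host addresses in the trace are constructed samples.

```python
import ipaddress


def static_network_nat(addr: str, local_cidr: str, global_cidr: str) -> str:
    """Model of 'ip nat inside source static network LOCAL GLOBAL /len'.

    The translation is host-preserving: the host part of the address is carried
    unchanged into the global network (192.168.101.5 becomes 192.168.20.5).
    Addresses outside the local network pass through untranslated.
    """
    local = ipaddress.ip_network(local_cidr)
    glob = ipaddress.ip_network(global_cidr)
    if local.prefixlen != glob.prefixlen:
        raise ValueError("local and global networks must have the same prefix length")
    a = ipaddress.ip_address(addr)
    if a not in local:
        return str(a)
    host_part = int(a) - int(local.network_address)
    return str(glob.network_address + host_part)


def untranslate(addr: str, local_cidr: str, global_cidr: str) -> str:
    """Reverse direction: the same static entry maps GLOBAL back to LOCAL."""
    return static_network_nat(addr, global_cidr, local_cidr)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'do not care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def is_interesting(acl_line: str, src: str, dst: str) -> bool:
    """Evaluate one flow against a single 'access-list N permit ip ...' entry."""
    f = acl_line.split()
    if len(f) < 8 or f[0] != "access-list" or f[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported entry: {acl_line}")
    return wildcard_match(src, f[4], f[5]) and wildcard_match(dst, f[6], f[7])


# Both sites really use 192.168.101.0/24 (overlapping); constructed NAT mapping.
SITE_A_REAL, SITE_A_NAT = "192.168.101.0/24", "192.168.20.0/24"
SITE_B_REAL, SITE_B_NAT = "192.168.101.0/24", "192.168.30.0/24"
# The crypto ACLs reference only the NAT-mapped ranges (Step 4), mirrored per site.
ACL_SITE_A = "access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255"
ACL_SITE_B = "access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255"


def trace_a_to_b(src_host: str, dst_host: str) -> dict:
    """Follow one packet from a site-A host to a site-B host through both NATs.

    Hosts at site A address site-B systems by their masked 192.168.30.x names,
    never by the overlapping 192.168.101.x addresses.
    """
    # Site A router: inside source NAT runs before the crypto map is consulted.
    src_on_wire = static_network_nat(src_host, SITE_A_REAL, SITE_A_NAT)
    encrypted_by_a = is_interesting(ACL_SITE_A, src_on_wire, dst_host)
    # Site B router: checks the decrypted packet against its (mirrored) ACL,
    # then un-translates its own masked destination back to the real host.
    accepted_by_b = is_interesting(ACL_SITE_B, dst_host, src_on_wire)
    dst_delivered = untranslate(dst_host, SITE_B_REAL, SITE_B_NAT)
    return {
        "pre_nat_matches_acl": is_interesting(ACL_SITE_A, src_host, dst_host),
        "src_on_wire": src_on_wire,
        "encrypted_by_a": encrypted_by_a,
        "accepted_by_b": accepted_by_b,
        "dst_delivered": dst_delivered,
    }


if __name__ == "__main__":
    for key, value in trace_a_to_b("192.168.101.5", "192.168.30.7").items():
        print(f"{key:22} {value}")
```

The first entry of the trace is the point of Step 4: the untranslated flow (192.168.101.5 to 192.168.30.7) does not match the crypto ACL at all, so an access list written against the real subnets would silently send that traffic in the clear or drop it, while the post-NAT flow matches on both routers.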
Configuring Site-to-Site VPN with Overlapping Subnets on Cisco IOS Using Static NAT (Method 2)
In real-world deployments, particularly during mergers or shared infrastructures, it’s not uncommon for two networks to use the same IP address ranges. This creates a problem for site-to-site IPSec VPNs, which require unique source and destination subnets. Method 2 solves this by using dual NAT (inside and outside source static NAT) on just one router, allowing you to maintain address uniqueness over the tunnel, even when both local and remote subnets overlap.
Step 1: Configure Dual Static NAT on a Single Router
On one of the VPN endpoints, set up both inside and outside source static translations. This effectively “masks” the overlapping local and remote subnets with new, non-overlapping ranges used only for VPN communication.
interface g2
 ip nat inside
interface g3
 ip nat outside
exit
ip nat inside source static network 192.168.101.0 192.168.10.0 /24
ip nat outside source static network 192.168.101.0 192.168.20.0 /24
- The first command maps the local overlapping subnet (192.168.101.0/24) to 192.168.10.0/24 for outbound VPN traffic.
- The second command rewrites the inbound remote subnet (192.168.101.0/24) to 192.168.20.0/24.
This ensures both subnets appear unique during IPSec negotiation and routing.
Step 2: Define the ISAKMP (IKE Phase 1) Policy
Set up the Phase 1 policy with secure negotiation settings:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
crypto isakmp key key address x.x.x.x
This configures pre-shared key authentication and AES/SHA for secure exchange.
Step 3: Configure IPSec (IKE Phase 2)
Now create the transform set and specify how traffic should be encrypted:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 1800
Step 4: Define Interesting Traffic Using ACL
The access list must reflect the translated subnets (not the original ones) on both ends:
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
This tells the router to encrypt traffic between the NAT-mapped subnets.
Step 5: Create and Apply the Crypto Map
Build the crypto map that binds everything together:
crypto map vpn-map 10 ipsec-isakmp
 set transform-set tset-name
 set peer x.x.x.x
 match address 101
Apply it to the outside interface:
interface g3
 crypto map vpn-map
Configuring Site-to-Site VPN on Cisco IOS Using ISAKMP Profiles and Key Rings
In larger or more dynamic VPN environments, using crypto key rings and ISAKMP profiles provides a more flexible and scalable alternative to traditional per-peer configurations. This approach allows for more granular control over authentication and peer matching, especially when supporting multiple VPN peers or dynamic IP scenarios.
Step 1: Define the ISAKMP (IKE Phase 1) Policy
The ISAKMP policy defines how Phase 1 negotiations are handled, including authentication, encryption, and hashing:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
This configures pre-shared key authentication with AES encryption and SHA hashing, using Diffie-Hellman group 5.
Step 2: Configure the IPSec Transform Set and SA Lifetime
The transform set defines how traffic will be encrypted once the VPN tunnel is established (Phase 2):
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 1800
Step 3: Create the Crypto Key Ring
A key ring allows you to associate a specific pre-shared key with a remote peer IP address:
crypto keyring vpn-ring
 pre-shared-key address x.x.x.x key key
You can add multiple entries to this key ring for different peers.
Step 4: Configure the ISAKMP Profile
The ISAKMP profile uses the key ring to authenticate the remote peer based on identity (IP address in this case):
! the pre-shared key itself lives in the keyring entry, not in the profile
crypto isakmp profile vpn-profile
 match identity address x.x.x.x
 keyring vpn-ring
This allows for policy-based identity matching and dynamic peer resolution.
Step 5: Define the IPSec Profile
Now tie the transform set and ISAKMP profile together in an IPSec profile:
crypto ipsec profile ipsec-vpn-profile
 set transform-set tset-name
 set isakmp-profile vpn-profile
This profile will later be applied to the tunnel interface.
Step 6: Create and Secure the Tunnel Interface
Now configure the tunnel interface itself. This logical interface routes encrypted traffic between the two VPN sites:
interface tunnel0
 ip address x.x.x.x subnet-mask
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpn-profile
The tunnel protection command binds the IPSec profile to the tunnel interface, activating the security configuration.
Configuring Site-to-Site VPN on Cisco IOS Using Key Ring and Self-Signed RSA Keys
In secure VPN deployments, using RSA signatures for peer authentication offers better identity assurance than pre-shared keys. When a Certificate Authority (CA) is unavailable, you can still use self-signed RSA keys and manually exchange public keys between routers using crypto keyrings. Here’s how to build a site-to-site IPSec VPN using this method.
Step 1: Generate Self-Signed RSA Keys
Begin by setting a domain name and generating RSA keys on both routers:
ip domain-name securitydemo.net
crypto key generate rsa modulus 1024
Repeat this process on the second router. Each device now has a self-signed key pair.
Step 2: Export and Exchange Public Keys
On the first router, export the public key:
show crypto key mypubkey rsa
Copy the key output.
On the second router, create a keyring and paste in the first router’s key:
crypto keyring keyring-name
 rsa-pubkey address peer-IP
  key-string
   paste-first-router-key
   quit
Verify with:
show crypto key pubkey-chain rsa
Repeat the same process in reverse:
- On the second router, run show crypto key mypubkey rsa
- On the first router, configure:
crypto keyring keyring-name
 rsa-pubkey address peer-IP
  key-string
   paste-second-router-key
   quit
Confirm both routers now trust each other’s public RSA keys.
Step 3: Configure the ISAKMP Policy
Now configure the ISAKMP Phase 1 policy on both routers:
crypto isakmp policy 1
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
This specifies the use of RSA signature authentication with strong crypto parameters.
Step 4: Create the IPSec Transform Set
Next, define the IPSec Phase 2 encryption policy:
crypto ipsec transform-set tset esp-aes esp-sha-hmac
 mode tunnel
Step 5: Build ISAKMP and IPSec Profiles
Create the ISAKMP profile, matching the remote peer by identity:
crypto isakmp profile vpn-profile
 match identity address peer-IP
 keyring keyring-name
Then configure the IPSec profile and link it to the transform set and ISAKMP profile:
crypto ipsec profile ipsec-profile
 set transform-set tset
 set isakmp-profile vpn-profile
Step 6: Configure the Tunnel Interface
Finally, configure the tunnel interface and apply IPSec protection:
interface tunnel0
 ip address local-IP mask
 tunnel source local-interface-or-IP
 tunnel destination remote-IP
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile
Configuring Site-to-Site VPN on Cisco IOS Using Hostname Authentication
When configuring IPSec VPNs in dynamic or scalable environments, hostname-based authentication can provide a flexible and secure alternative to IP-based peer matching. This approach is especially useful when peers have dynamic IPs or when managing multiple peers with different keys.
Step 1: Configure ISAKMP (IKE Phase 1) Policy
Start by defining the Phase 1 negotiation parameters:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
This configures secure Phase 1 settings using AES encryption and SHA hashing with Diffie-Hellman Group 5.
Step 2: Define the IPSec Transform Set and SA Lifetime
Set up Phase 2 encryption and define the tunnel mode:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 1800
Step 3: Create an Access List for Interesting Traffic
Define which traffic should be encrypted using the translated IP subnets:
access-list 101 permit ip after-translation-src-subnet mask after-translation-dest-subnet mask
This ensures only specified traffic is protected by the VPN tunnel.
Step 4: Build the Crypto Map
Tie together the transform set, peer, and ACL into a crypto map:
crypto map vpn-map 10 ipsec-isakmp
 set transform-set tset-name
 set peer x.x.x.x
 match address 101
Apply it to the interface:
interface g3
 crypto map vpn-map
Step 5: Set Hostname-Based Authentication
To use hostname-based matching instead of IP, configure the domain name first:
ip domain-name yourdomain.com
Then set the local router’s identity method:
crypto isakmp identity hostname
Step 6: Create a Keyring with Hostname Matching
Define the keyring and associate pre-shared keys with remote hostnames:
! with hostname identity, the keyring entries are matched on the peer's hostname rather than its address
crypto keyring my-keyring
 pre-shared-key hostname hostname1 key key
 pre-shared-key hostname hostname2 key key
Step 7: Configure the ISAKMP Profile
Bind the hostname identity and keyring within an ISAKMP profile:
crypto isakmp profile vpn-profile
 match identity host hostname1
 match identity host hostname2
 keyring my-keyring
This allows the router to accept connections from multiple named peers, authenticated via the specified keyring.
Then associate this profile with the crypto map:
crypto map vpn-map isakmp-profile vpn-profile
Configuring Site-to-Site VPN on Cisco IOS Using IPv6 and Preshared Keys
As networks increasingly adopt IPv6, secure communication between remote sites via IPSec becomes just as important as it has been with IPv4.
Step 1: Configure ISAKMP (IKEv1) Policy for IPv6
Begin by defining the ISAKMP Phase 1 policy, which establishes the secure tunnel for negotiating IPSec parameters:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
This policy configures AES encryption, SHA hashing, Diffie-Hellman group 5, and a pre-shared key as the authentication method.
Step 2: Define the Pre-Shared Key for the IPv6 Peer
Set the PSK for your IPv6 peer using the following command:
crypto isakmp key key address ipv6 peer-ipv6-address
This allows the router to identify and authenticate the remote peer via its IPv6 address.
Step 3: Configure the IPSec Transform Set and Profile
Next, define the IPSec transform set, which determines the encryption and hashing algorithms used during Phase 2:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
Bind the transform set to an IPSec profile:
crypto ipsec profile ipsec-profile
 set transform-set tset-name
 exit
Step 4: Set Up the Tunnel Interface for IPv6
Now configure a tunnel interface that will carry the IPSec-encrypted traffic over IPv6:
interface tunnel0
 ipv6 address local-tunnel-ipv6-address/prefix-length
 tunnel source local-ipv6-address
 tunnel destination remote-ipv6-address
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile ipsec-profile
The key command here is tunnel mode ipsec ipv6, which enables the use of IPSec directly over IPv6 without requiring GRE encapsulation.
Configuring Site-to-Site VPN on Cisco IOS Using IPv6 and IOS CA Certificates
As organizations transition to IPv6, securing site-to-site communication with certificate-based authentication offers a scalable and secure alternative to pre-shared keys.
Step 1: Prepare the CA (Certificate Authority)
On the router you’ll use as the IOS CA, first ensure the system clock is set correctly. Certificate timestamps must be valid or enrollment will fail.
clock set HH:MM:SS MONTH DAY YEAR
Alternatively, configure NTP for automatic synchronization.
Step 2: Generate and Export RSA Keys on the CA
On the CA router, generate exportable RSA keys:
crypto key generate rsa general-keys exportable label ios-ca modulus 1024
Export the keys if you plan to back them up:
crypto key export rsa ios-ca pem url nvram: 3des password
Then enable HTTP services required for certificate enrollment:
ip http server
Step 3: Configure the IOS CA Server
Set up the CA functionality on the same router:
crypto pki server IOS-CA
 database level minimum
 database url nvram:
 issuer-name cn=IOS-CA
 grant auto
 no shutdown
Verify the server is running:
show crypto pki server
Step 4: Enroll the Remote VPN Router with the CA
On the first router (the VPN participant), define a trustpoint and begin enrollment:
crypto pki trustpoint IOS-CA
! an IPv6 literal in a URL must be enclosed in square brackets
 enrollment url http://[101:1:1::1]
Authenticate and enroll:
crypto pki authenticate IOS-CA
! "yes" answers the prompt to accept the CA certificate
yes
crypto pki enroll IOS-CA
After enrollment, confirm certificate installation:
show crypto pki certificates
Step 5: Configure the VPN with Certificate Authentication
Now use the enrolled certificate for IKE Phase 1 using RSA signature authentication:
crypto isakmp policy 1
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
Define the transform set for IPSec Phase 2:
crypto ipsec transform-set tset esp-aes esp-sha-hmac
 mode tunnel
Create the IPSec profile and bind the transform set:
crypto ipsec profile profile-name
 set transform-set tset
Step 6: Secure the Tunnel Interface
Apply the IPSec profile to the tunnel interface:
interface tunnel0
 tunnel protection ipsec profile profile-name
If you are using IPv6, make sure the tunnel is properly configured with tunnel mode ipsec ipv6 and the appropriate ipv6 address, tunnel source, and tunnel destination.
Configuring Site-to-Site Stateless Failover VPN on Cisco IOS Using IPSec PSK and HSRP
In environments where high availability is critical, combining HSRP with stateless IPsec VPN failover ensures secure and uninterrupted connectivity between sites. This configuration example uses HSRP for gateway redundancy on the local site and IPsec VPN with pre-shared keys to establish secure tunnels with automatic failover to a backup router. Here’s how you can set it up.
1. HSRP Configuration (Local Site – R1 & R2)
We start by setting up Hot Standby Router Protocol (HSRP) on R1 and R2 to provide gateway redundancy. The shared virtual IP address 192.168.101.1 will float between R1 and R2 depending on which is active.
On R1:
interface g2
 standby 1 ip 192.168.101.1
 standby 1 priority 101
 standby 1 preempt
 standby 1 track g3
R1 is set as the primary active router due to its higher priority and tracking of interface g3 to influence failover.
On R2:
interface g2
 standby 1 ip 192.168.101.1
 standby 1 preempt
R2 serves as the standby and will take over if R1 fails.
2. ISAKMP and IPsec Configuration (R1 & R2)
Both R1 and R2 will be configured with the same ISAKMP and IPsec policies to establish a tunnel with R3.
ISAKMP Policy:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
Pre-shared Key:
crypto isakmp key cisco123 address 103.1.1.100
Transform Set and ACL:
crypto ipsec transform-set tset esp-aes esp-sha-hmac
 mode tunnel
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
Crypto Map:
crypto map cmap 10 ipsec-isakmp
 set transform-set tset
 set peer 103.1.1.100
 match address 101
interface g3
 crypto map cmap
3. ISAKMP and IPsec Configuration (Remote Site – R3)
Router R3 is configured with both R1 and R2 as IPsec peers for the same crypto map entry. Which one is in use is decided by IKE: Dead Peer Detection notices when the current peer stops answering, and the crypto map then falls over to the next configured peer.
ISAKMP Policy:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
Pre-shared Keys for Both Peers:
crypto isakmp key cisco123 address 101.1.1.100
crypto isakmp key cisco123 address 102.1.1.100
Enable Dead Peer Detection (DPD):
crypto isakmp keepalive 10 10
The first value is the keepalive interval in seconds and the second the retry interval once a reply is missed. DPD is on-demand by default (probes are sent only when the router has traffic to send and nothing has come back from the peer); append periodic to the command if you want the peer probed continuously regardless of traffic.
Transform Set and ACL:
crypto ipsec transform-set tset esp-aes esp-sha-hmac
 mode tunnel

access-list 101 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255
Crypto Map with Dual Peers:
crypto map cmap 10 ipsec-isakmp
 set transform-set tset
 set peer 101.1.1.100 default
 set peer 102.1.1.100
 match address 101

interface g2
 crypto map cmap
In this setup, R3 tries the default peer (101.1.1.100, i.e., R1) first. When DPD declares R1 dead, R3 tears down the SAs and negotiates new ones with R2 (102.1.1.100); because 101.1.1.100 is marked as the default peer, R3 tries it first again at the next SA negotiation once it is reachable. No SA state is shared between R1 and R2, so the tunnel is re-established rather than carried over, and sessions in flight see a gap of roughly the DPD detection time plus the time to renegotiate Phase 1 and Phase 2. That is what makes this failover stateless.
Configuring Site-to-Site over VPN through an ASA Firewall on Cisco IOS
When deploying a site-to-site VPN across firewalls, it’s essential to ensure the necessary protocols and ports are allowed through the firewall in both directions.
1. Configure the Firewall Rules
Before any IPsec negotiation can occur, you must explicitly allow the necessary VPN-related traffic through the firewall. This involves permitting both IKE and ESP protocols:
access-list out permit udp host x.x.x.x host x.x.x.x eq 500
access-list out permit esp host x.x.x.x host x.x.x.x
access-group out in interface outside
- UDP 500: Required for ISAKMP/IKE Phase 1 negotiation
- ESP (IP protocol 50): Required for IPsec Phase 2 data transfer
- UDP 4500: Also required if either peer sits behind NAT, because NAT-T moves both IKE and the encapsulated ESP onto that port
- The access-group binds the ACL inbound on the external interface; traffic from the higher-security inside interface towards the peer is permitted by default
Replace x.x.x.x with the IP addresses of your VPN peers. Keep the rules host-to-host: permitting UDP 500 or ESP from any source exposes the IKE daemon on your router to the whole Internet.
2. Configure ISAKMP Policy on Both Routers
Once the firewall allows the necessary traffic, move on to configuring the ISAKMP policy on both routers to define how they negotiate the tunnel:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
This policy sets the authentication to pre-shared key, uses AES (128-bit unless a key size is given) for encryption, SHA-1 for integrity, and Diffie-Hellman group 5. The IKE SA lifetime is set to 30 minutes (1800 seconds).
3. Set the Pre-Shared Key
Each router must know the key to authenticate with the peer:
crypto isakmp key key address x.x.x.x
Replace key with your shared secret and x.x.x.x with the peer router’s public IP.
4. Define the Transform Set
The transform set defines how traffic will be encrypted and authenticated during Phase 2:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
esp-aes (AES-128-CBC by default) encrypts each packet and esp-sha-hmac (HMAC-SHA-1) authenticates it; tunnel mode wraps the whole original IP packet in a new outer header, which is what a site-to-site VPN needs.
5. Set Security Association Lifetime
This optional command sets the lifetime for the IPsec SA, aligning with ISAKMP:
crypto ipsec security-association lifetime seconds 1800
6. Create a Traffic Selector with ACL
Specify the interesting traffic using an extended access list:
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
This ACL tells the router which traffic should be protected by the VPN tunnel – in this case, traffic from subnet 192.168.101.0/24 to 192.168.102.0/24.
7. Apply the Crypto Map
Tie all your configurations together in a crypto map:
crypto map name num ipsec-isakmp
 set transform-set tset-name
 set peer x.x.x.x
 match address 101
Make sure to replace name and num with a name and sequence number, and use the same ACL from above.
Finally, apply the crypto map to the outgoing interface (the one facing the peer):
interface g3
 crypto map name
Configuring Site-to-Site over VPN with NAT-T (NAT Traversal) on Cisco IOS
In real-world deployments, VPN tunnels often need to traverse devices performing NAT (Network Address Translation), such as firewalls. In these scenarios, NAT Traversal (NAT-T) is essential for establishing a successful IPsec tunnel.
Network Topology Overview
- R1 (Left Site): Internal IP 192.168.101.1, Public IP 101.1.1.100
- R2 (Right Site): Internal IP 192.168.102.1, Public IP 102.1.1.100
- ASA (Firewall/NAT Device): Outside IP 102.1.1.1, NATs R1 to 102.1.1.111
1. Configure ASA for NAT (Static NAT for VPN Peer)
To allow proper NAT-T operation, configure a static NAT mapping between R1’s real IP and its public-facing identity:
object network r1
 host 101.1.1.100
object network pub-ip
 host 102.1.1.111
 exit
nat (inside,outside) source static r1 pub-ip
This command binds R1’s real address to the NAT’d public IP 102.1.1.111.
2. Allow VPN Traffic on the ASA
Create an ACL on the ASA to permit VPN-related protocols (ISAKMP, NAT-T, ESP):
access-list out permit icmp host 102.1.1.100 host 101.1.1.100
access-list out permit udp host x.x.x.x host x.x.x.x eq 500
access-list out permit udp host x.x.x.x host x.x.x.x eq 4500
access-group out in interface outside
- UDP 500 → ISAKMP/IKEv1 (the first Phase 1 messages, before NAT is detected)
- UDP 4500 → NAT-T: once both peers detect the NAT, IKE and the ESP data itself move to this port, which is why no separate esp rule is needed here
Replace x.x.x.x with the appropriate public IPs. On ASA 8.3 and later the ACL refers to the real (untranslated) address of R1, 101.1.1.100, not the mapped 102.1.1.111, as the icmp line already shows.
3. Configure IPsec VPN on R1
On R1, which sits behind the NAT device, configure ISAKMP and IPsec settings as follows. NAT-T is enabled on IOS by default, so nothing extra is needed for R1 to detect the NAT and switch to UDP 4500. State the cipher explicitly: a policy without an encryption line falls back to the platform default, which is DES on older IOS releases.
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit

crypto isakmp key key address 102.1.1.100

crypto ipsec transform-set tset esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec security-association lifetime seconds 1800

access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255

crypto map cmap-name 10 ipsec-isakmp
 set transform-set tset
 set peer 102.1.1.100
 match address 101

interface g3
 crypto map cmap-name
This configuration defines the VPN parameters and attaches the crypto map to the outbound interface.
4. Configure IPsec VPN on R2 (the remote peer)
On the other end (R2), configure the same settings, but use R1's NAT'd address (102.1.1.111) both as the crypto map peer and in the pre-shared key statement, since that is the source address R2 sees on IKE packets from R1:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit

crypto isakmp key key address 102.1.1.111

crypto ipsec transform-set tset esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec security-association lifetime seconds 1800

access-list 101 permit ip 192.168.102.0 0.0.0.255 192.168.101.0 0.0.0.255

crypto map cmap-name 10 ipsec-isakmp
 set transform-set tset
 set peer 102.1.1.111
 match address 101

interface g3
 crypto map cmap-name
Once the tunnel is up, show crypto ipsec sa on either router should list the peer with port 4500 rather than 500; if it still shows 500, the NAT was not detected and ESP is being sent natively, which the ASA configuration above will drop.
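How the two routers actually notice the ASA's NAT is worth seeing in code. During Phase 1 each side sends NAT-D payloads: hashes over the IKE SPIs (cookies in IKEv1) plus the IP address and port it believes it is using. The receiver recomputes the hashes from the outer header it really saw; a mismatch means a NAT rewrote that address, and both sides move to UDP 4500. The script below is an added example written for this page, not Cisco code. It uses the RFC 7296 section 2.23 layout (SHA-1 over SPIi | SPIr | IP | Port); IKEv1's RFC 3947 uses the same layout over the ISAKMP cookies with the negotiated hash. The SPI values and the message object are assumptions, and the topology is the one from this section.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass

# Constructed topology from this section: R1 sits behind the ASA, which
# translates 101.1.1.100 -> 102.1.1.111; R2 is reachable at 102.1.1.100.
R1_REAL = "101.1.1.100"
R1_NATTED = "102.1.1.111"
R2_PUBLIC = "102.1.1.100"
IKE_PORT = 500

# Assumed SPI/cookie values; any 8-byte values work for the demonstration.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """RFC 7296 section 2.23: SHA-1(SPIi | SPIr | IP | Port)."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


@dataclass
class IkeMessage:
    """Outer header as the receiver sees it, plus the NAT-D payloads inside."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nat_d_source: bytes  # NAT_DETECTION_SOURCE_IP computed by the sender
    nat_d_dest: bytes    # NAT_DETECTION_DESTINATION_IP computed by the sender


def build_message(sender_ip: str, peer_ip: str, spi_i: bytes, spi_r: bytes) -> IkeMessage:
    """The sender hashes the addresses it believes are on the packet."""
    return IkeMessage(
        src_ip=sender_ip, src_port=IKE_PORT, dst_ip=peer_ip, dst_port=IKE_PORT,
        nat_d_source=nat_detection_hash(spi_i, spi_r, sender_ip, IKE_PORT),
        nat_d_dest=nat_detection_hash(spi_i, spi_r, peer_ip, IKE_PORT),
    )


def apply_nat(msg: IkeMessage, real_ip: str, mapped_ip: str) -> IkeMessage:
    """Static NAT rewrites only the outer header; the hashes travel unchanged."""
    if msg.src_ip != real_ip:
        return msg
    return IkeMessage(mapped_ip, msg.src_port, msg.dst_ip, msg.dst_port,
                      msg.nat_d_source, msg.nat_d_dest)


def detect_nat(msg: IkeMessage, spi_i: bytes, spi_r: bytes) -> dict:
    """The receiver recomputes both hashes from the header it actually received."""
    expect_src = nat_detection_hash(spi_i, spi_r, msg.src_ip, msg.src_port)
    expect_dst = nat_detection_hash(spi_i, spi_r, msg.dst_ip, msg.dst_port)
    peer_behind_nat = msg.nat_d_source != expect_src  # sender's address was rewritten
    we_are_behind_nat = msg.nat_d_dest != expect_dst  # our own address was rewritten
    return {
        "peer_behind_nat": peer_behind_nat,
        "we_are_behind_nat": we_are_behind_nat,
        # Either condition moves IKE and ESP-in-UDP (RFC 3948) to port 4500.
        "use_udp_4500": peer_behind_nat or we_are_behind_nat,
    }


def run_scenario() -> dict:
    """R1 (behind the ASA) -> R2: R2 must conclude that R1 is behind a NAT."""
    on_wire = apply_nat(build_message(R1_REAL, R2_PUBLIC, SPI_I, SPI_R), R1_REAL, R1_NATTED)
    return detect_nat(on_wire, SPI_I, SPI_R)


def run_no_nat_scenario() -> dict:
    """Same exchange if the ASA did not translate: both hashes verify, stay on 500."""
    return detect_nat(build_message(R1_REAL, R2_PUBLIC, SPI_I, SPI_R), SPI_I, SPI_R)


if __name__ == "__main__":
    print("R1 behind ASA NAT:", run_scenario())
    print("no NAT in path:   ", run_no_nat_scenario())
```

The asymmetry in the result is the useful part: R2 learns that its peer is behind a NAT while its own address is intact, so it is R2 that must accept IKE from a source it cannot predict on UDP 4500, and the ASA rule for that port is the one that matters. Because the hashes are bound to the SPIs, an on-path device cannot replay a NAT-D payload from another session to force or suppress the switch to 4500.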
Configuring Site-to-Site over VPN between an ASA and IOS Router Using IKEv1 with Pre-Shared Key
When connecting a Cisco ASA firewall to a Cisco IOS router over a site-to-site VPN, it’s crucial to configure both ends with consistent IKEv1 Phase 1 and IPsec Phase 2 parameters.
ASA Configuration: IKEv1 Policy and VPN Setup
Start by defining your IKEv1 policy on the ASA:
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
Next, define the tunnel group and the corresponding pre-shared key:
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key key
 exit
Replace x.x.x.x with the peer router’s public IP address and key with your actual shared secret.
Then, define the transform set and IPsec SA lifetime:
crypto ipsec ikev1 transform-set tset-name esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 1800
Create an ACL that defines “interesting traffic” for the VPN tunnel:
access-list 101 permit ip src-subnet mask dest-subnet mask
Now apply all components into a crypto map:
crypto map name num set ikev1 transform-set tset-name
crypto map name num set peer x.x.x.x
crypto map name num match address 101
crypto map name interface outside
crypto ikev1 enable outside
This configuration enables IKEv1 on the ASA’s outside interface and prepares it to form a tunnel with the remote router.
Router Configuration (Cisco IOS Side)
The router configuration mirrors the ASA setup and begins with an ISAKMP policy:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
 exit
Define the same pre-shared key:
crypto isakmp key key address x.x.x.x
Set the transform set and mode for IPsec:
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
Set the security association lifetime:
crypto ipsec security-association lifetime seconds 1800
Define your interesting traffic using an access list:
access-list 101 permit ip src-subnet mask dest-subnet mask
Now create and bind the crypto map:
crypto map name num ipsec-isakmp
 set transform-set tset-name
 set peer x.x.x.x
 match address 101
 exit

interface g3
 crypto map name
Make sure the peer addresses and keys match exactly on both ends, and that at least one Phase 1 policy and one transform set are identical on both sides; the ASA and the router each walk their policy lists in priority order and the first common set wins. An encryption, hash, or DH group mismatch is the most common reason a tunnel never leaves Phase 1.
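Checking that agreement by eye is error-prone once a device carries several policies. The following script is an added example written for this page (not Cisco tooling): it parses the crypto isakmp policy / crypto ikev1 policy blocks and transform sets out of both configurations, reports which Phase 1 policy pair and which transform set the peers can agree on, flags parameters left to platform defaults, and grades algorithms using the avoid/legacy tiers from Cisco's Next Generation Encryption guidance. The sample configurations are constructed from this section with assumed values for the placeholders, plus a deliberately incomplete second IOS policy.

```python
import re
from dataclasses import dataclass, field

# Constructed sample configs for the two peers in this section; placeholders
# (key, x.x.x.x, tset-name) carry assumed values and a weaker, incomplete
# second IOS policy is added to show how the checker reports it.
ASA_CONFIG = """
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
crypto ipsec ikev1 transform-set ASA-TSET esp-aes esp-sha-hmac
"""

IOS_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 1800
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 group 2
crypto ipsec transform-set tset-name esp-aes esp-sha-hmac
 mode tunnel
"""

POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")
TSET_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
REQUIRED = ("authentication", "encryption", "hash", "group")
# Tiers follow Cisco's Next Generation Encryption guidance.
AVOID = {"des", "md5", "group1", "group2"}
LEGACY = {"3des", "sha", "sha1", "group5"}


@dataclass
class Phase1Policy:
    number: int
    params: dict = field(default_factory=dict)


def parse(config: str):
    """Return (Phase 1 policies, {transform-set name: frozenset of transforms})."""
    policies, tsets, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := POLICY_RE.match(line):
            current = Phase1Policy(int(m.group(1)))
            policies.append(current)
        elif m := TSET_RE.match(line):
            current = None
            tsets[m.group(1)] = frozenset(m.group(2).split())
        elif raw.startswith(" ") and current is not None:
            key, _, value = line.partition(" ")
            current.params[key] = value.strip()
        else:
            current = None  # any other top-level command ends the policy block
    return policies, tsets


def phase1_key(p: Phase1Policy) -> tuple:
    """Values both peers must agree on; lifetime may differ (the lower wins)."""
    return tuple(p.params.get(k) for k in REQUIRED)


def normalize(value: str) -> str:
    """'5' -> 'group5', 'esp-sha-hmac' -> 'sha', 'esp-3des' -> '3des'."""
    if value.isdigit():
        return f"group{value}"
    return value.removeprefix("esp-").removesuffix("-hmac")


def weak_algorithms(values) -> list:
    """Flag AVOID/LEGACY algorithms among the given parameter values."""
    flagged = []
    for v in values:
        if v is None:
            continue
        n = normalize(v)
        if n in AVOID:
            flagged.append(f"{n}: avoid")
        elif n in LEGACY:
            flagged.append(f"{n}: legacy")
    return flagged


def check(asa_config: str, ios_config: str) -> dict:
    """Report the Phase 1 pair and Phase 2 transform set the peers can agree on,
    parameters left to platform defaults, and weak algorithm choices."""
    asa_pol, asa_ts = parse(asa_config)
    ios_pol, ios_ts = parse(ios_config)
    report = {"phase1_match": None, "phase2_match": None, "missing": [], "warnings": []}
    for p in asa_pol + ios_pol:
        for k in REQUIRED:
            if k not in p.params:
                report["missing"].append(
                    f"policy {p.number}: '{k}' not set, platform default will be used")
    # The responder walks its policies in priority order and takes the first
    # one that matches any policy the initiator proposed.
    for a in sorted(asa_pol, key=lambda p: p.number):
        match = next((i for i in sorted(ios_pol, key=lambda p: p.number)
                      if phase1_key(i) == phase1_key(a)), None)
        if match:
            report["phase1_match"] = (a.number, match.number)
            report["warnings"] += weak_algorithms(phase1_key(a))
            break
    common = set(asa_ts.values()) & set(ios_ts.values())
    if common:
        chosen = min(common, key=sorted)
        report["phase2_match"] = sorted(chosen)
        report["warnings"] += weak_algorithms(sorted(chosen))
    return report


if __name__ == "__main__":
    print(check(ASA_CONFIG, IOS_CONFIG))
    print(check(ASA_CONFIG, IOS_CONFIG.replace("group 5", "group 14", 1)))
```

Run against the sample, the report pairs ASA policy 1 with IOS policy 1, notes that IOS policy 2 never states a hash, and marks SHA-1 and DH group 5 as legacy choices. Changing the router's DH group to 14 without touching the ASA leaves phase1_match empty, which is exactly the silent failure the section warns about.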
Configuring Site-to-Site over VPN between an ASA and IOS Router Using IKEv2 with Pre-Shared Key
Establishing a secure IPsec tunnel between a Cisco ASA and an IOS router using IKEv2 with pre-shared keys (PSK) is a common scenario for site-to-site VPN deployments. Unlike IKEv1, IKEv2 provides improved resiliency, fewer message exchanges, and built-in NAT traversal.
ASA Configuration for IKEv2 and IPsec
Begin by configuring the IKEv2 policy on the ASA:
crypto ikev2 policy 1
 encryption aes aes-192 aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 1800
 exit
This policy offers all three AES key sizes, SHA-1 for integrity, and Diffie-Hellman group 5. The PRF is stated explicitly so that it visibly matches the router, which derives its PRF from the integrity algorithm unless told otherwise.
Next, define the tunnel group for the remote peer and associate the pre-shared key:
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev2 local-authentication pre-shared-key key
 ikev2 remote-authentication pre-shared-key key
 exit
Replace x.x.x.x with the peer router’s public IP and key with your actual PSK.
Now configure the IPsec proposal to define how traffic will be encrypted and authenticated:
crypto ipsec ikev2 ipsec-proposal pname
 protocol esp encryption aes
 protocol esp integrity sha-1
 exit

crypto ipsec security-association lifetime seconds 1800
Then specify interesting traffic via an access list:
access-list 101 permit ip src-subnet mask dest-subnet mask
Apply the configuration into a crypto map:
crypto map name num set ikev2 ipsec-proposal pname
crypto map name num set peer x.x.x.x
crypto map name num match address 101
crypto map name interface outside
crypto ikev2 enable outside
This binds the policy and transforms to the outside interface and enables IKEv2 negotiation.
Router Configuration for IKEv2 Site-to-Site Tunnel
On the IOS router, begin with the IKEv2 proposal, which lists the ciphers, integrity algorithms, and DH groups the router will offer (at least one combination must also appear in the ASA policy above):
crypto ikev2 proposal prop-name
 encryption aes-cbc-128 aes-cbc-192 aes-cbc-256
 integrity sha1
 group 5
 exit
Attach the proposal to an IKEv2 policy; without a match statement the policy applies to all peers:
crypto ikev2 policy 1
 proposal prop-name
 exit
Now configure the IKEv2 keyring, which stores peer-specific keys:
crypto ikev2 keyring keyring-name
 peer peer-name
  address x.x.x.x
  pre-shared-key key
  exit
 exit
Next, bind the keyring to an IKEv2 profile. The profile is what the crypto map will reference, and the keyring name here must be the one defined above:
crypto ikev2 profile profile-name
 match identity remote address x.x.x.x 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local keyring-name
 exit
Set the IPsec transform set:
crypto ipsec transform-set tset esp-aes esp-sha-hmac
 mode tunnel
Define the SA lifetime and interesting traffic ACL:
crypto ipsec security-association lifetime seconds 1800

access-list 101 permit ip src-subnet mask dest-subnet mask
Now assemble and apply the crypto map. The ipsec-isakmp keyword is still used for an IKEv2 crypto map; the set ikev2-profile line is what makes the router negotiate with IKEv2 instead of ISAKMP:
crypto map name num ipsec-isakmp
 set transform-set tset
 set peer x.x.x.x
 match address 101
 set ikev2-profile profile-name
 exit

interface g3
 crypto map name
Ensure that the crypto map is applied to the correct outbound interface, and the router will now establish IKEv2 VPN tunnels based on the configured parameters.
Configuring VPN between an ASA and IOS Router Using IKEv1 with Certificates and Dynamic IP Support
When working with dynamic IP addressing or environments where you want to avoid using static pre-shared keys, certificate-based IKEv1 VPNs are a secure and scalable alternative.
Step 1: ASA Trustpoint and CA Enrollment
Begin on the ASA by configuring a trustpoint for certificate enrollment:
domain-name cisco.com

crypto ca trustpoint IOS-CA
 enrollment url http://10.1.101.1
 fqdn asa1.cisco.com
 subject-name CN=asa1.cisco.com
Certificate validity checks depend on the clock, so configure authenticated NTP against the same source the CA uses before enrolling:
ntp authenticate
ntp authentication-key 1 md5 Cisco_NTP
ntp trusted-key 1
ntp server 10.1.101.1 key 1
Then authenticate the CA (this downloads and trusts the CA certificate; verify its fingerprint out of band before accepting it) and enroll:
crypto ca authenticate IOS-CA
crypto ca enroll IOS-CA
Step 2: ASA IKEv1 Crypto Policies
Configure IKEv1 with RSA signature authentication. 3DES, DES, MD5 and DH group 2 are kept here only because the lab routers below use them; in production use AES, SHA-2 and DH group 14 or higher:
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2

crypto ikev1 policy 20
 authentication rsa-sig
 encryption des
 hash sha
 group 2
Step 3: ASA Tunnel Groups for Dynamic Peers
Define one tunnel group per spoke. peer-id-validate nocheck skips comparing the peer's IKE identity against its certificate, which is needed when the spoke's address is not known in advance; the spoke is still authenticated by its certificate from IOS-CA, and the certificate map in Step 6 decides which tunnel group it lands in:
tunnel-group US_VPN type ipsec-l2l
tunnel-group US_VPN ipsec-attributes
 peer-id-validate nocheck
 ikev1 trust-point IOS-CA

tunnel-group CA_VPN type ipsec-l2l
tunnel-group CA_VPN ipsec-attributes
 peer-id-validate nocheck
 ikev1 trust-point IOS-CA
Step 4: Define Transform Sets & ACLs
Create transform sets for different peers:
crypto ipsec ikev1 transform-set tset_us esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set tset_ca esp-des esp-sha-hmac
Define interesting traffic:
access-list acl_us permit ip 1.1.1.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list acl_ca permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0
Step 5: Configure Dynamic Crypto Maps
crypto dynamic-map US_VPN 10 match address acl_us
crypto dynamic-map US_VPN 10 set ikev1 transform-set tset_us
crypto dynamic-map US_VPN 10 set pfs group2

crypto dynamic-map CA_VPN 20 match address acl_ca
crypto dynamic-map CA_VPN 20 set ikev1 transform-set tset_ca
crypto dynamic-map CA_VPN 20 set pfs group2
Apply to static crypto map and bind to interface:
crypto map CMAP 10 ipsec-isakmp dynamic US_VPN
crypto map CMAP 20 ipsec-isakmp dynamic CA_VPN
crypto map CMAP interface outside
Step 6: Tunnel Group Mapping and Certificate Matching
Configure certificate maps and tunnel-group mapping rules. Each map entry matches on the country attribute of the peer certificate's subject, so a router enrolled with C=US can only ever land in US_VPN and reach the acl_us networks, whatever address it connects from:
tunnel-group-map enable rules

crypto ca certificate map CERT_MAP 10
 subject-name attr c eq US

crypto ca certificate map CERT_MAP 20
 subject-name attr c eq CA

tunnel-group-map CERT_MAP 10 US_VPN
tunnel-group-map CERT_MAP 20 CA_VPN
Router 1 (US) Configuration
Certificate and Trustpoint Setup (a 1024-bit RSA modulus is used in this lab; use 2048 bits or more in production):
ip domain-name cisco.com
crypto key generate rsa modulus 1024

crypto pki trustpoint IOS-CA
 subject-name CN=R5,C=US
 fqdn R5.cisco.com
 enrollment url http://10.1.101.1

ntp authenticate
ntp authentication-key 1 md5 Cisco_NTP
ntp trusted-key 1
ntp server 10.1.101.1 key 1

crypto pki authenticate IOS-CA
crypto pki enroll IOS-CA
Crypto Policy:
crypto isakmp policy 10
 encryption 3des
 authentication rsa-sig
 hash md5
 group 2

crypto ipsec transform-set tset esp-3des esp-md5-hmac

access-list 100 permit ip 5.5.5.0 0.0.0.255 1.1.1.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.10
 set transform-set tset
 set pfs group2
 match address 100

interface g1
 crypto map CMAP
Router 2 (CA) Configuration
Certificate and Trustpoint Setup:
ip domain-name cisco.com
crypto key generate rsa modulus 1024

crypto pki trustpoint IOS-CA
 subject-name CN=R4,C=CA
 fqdn R4.cisco.com
 enrollment url http://10.1.101.1

ntp authenticate
ntp authentication-key 1 md5 Cisco_NTP
ntp trusted-key 1
ntp server 10.1.101.1 key 1

crypto pki authenticate IOS-CA
crypto pki enroll IOS-CA
Crypto Policy (note that IOS access lists take wildcard masks such as 0.0.0.255, not the subnet masks the ASA uses; a subnet mask typed here matches the wrong hosts and the peers' proxy identities will not agree):
crypto isakmp policy 10
 encryption des
 hash sha
 authentication rsa-sig
 group 2

crypto ipsec transform-set tset esp-des esp-sha-hmac

access-list 100 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255

crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.10
 set transform-set tset
 set pfs group2
 match address 100

interface g1
 crypto map CMAP
This setup demonstrates a full site-to-site IKEv1 VPN using certificate-based authentication and dynamic crypto maps to support spokes whose IP addresses change. Because the hub trusts the CA rather than individual addresses or keys, adding a spoke means issuing it a certificate with the right subject attributes, and revoking that certificate (with revocation checking enabled on the hub) removes its access without touching the hub configuration.
Configuring VPN on an ASA and IOS Routers Using IKEv1 and Hairpinning Traffic
When connecting multiple spokes through a central ASA firewall using IKEv1 VPNs and pre-shared keys, hairpinning becomes essential. Hairpinning (also known as “U-turn traffic”) allows traffic from one VPN tunnel to route to another VPN tunnel through the same ASA interface.
ASA Configuration (Hub Device)
Enable IKEv1 and Define Policies – Start by enabling IKEv1 on the ASA’s outside interface and creating two policy profiles:
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2

crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash sha
 group 2
Define Transform Sets for Different Spokes
crypto ipsec ikev1 transform-set tset_us esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set tset_ca esp-des esp-sha-hmac
Define Tunnel Groups with Pre-shared Keys
tunnel-group 10.1.105.5 type ipsec-l2l
tunnel-group 10.1.105.5 ipsec-attributes
 ikev1 pre-shared-key R5-ASA

tunnel-group 10.1.104.4 type ipsec-l2l
tunnel-group 10.1.104.4 ipsec-attributes
 ikev1 pre-shared-key R4-ASA
Configure Access Lists. Each spoke's ACL must cover the hub network and the other spoke's network, because the spoke-to-spoke traffic also enters and leaves through this ASA:
access-list R5 permit ip 1.1.1.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list R5 permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0

access-list R4 permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0
access-list R4 permit ip 5.5.5.0 255.255.255.0 4.4.4.0 255.255.255.0
Apply Crypto Maps – Each peer has a separate entry under the same crypto map:
crypto map CMAP 10 match address R5
crypto map CMAP 10 set peer 10.1.105.5
crypto map CMAP 10 set ikev1 transform-set tset_us

crypto map CMAP 20 match address R4
crypto map CMAP 20 set peer 10.1.104.4
crypto map CMAP 20 set ikev1 transform-set tset_ca

crypto map CMAP interface outside
Enable Hairpinning. By default the ASA refuses to send a packet back out the interface it arrived on; this command allows decrypted traffic from one spoke to be re-encrypted towards the other spoke on the same outside interface:
same-security-traffic permit intra-interface
If the ASA performs NAT for these subnets, also add an identity (NAT-exempt) rule for 5.5.5.0/24 and 4.4.4.0/24 in both directions; otherwise the spoke-to-spoke traffic is translated before it is compared against the crypto ACLs and never matches them.
Spoke 1 Router Configuration (Connected to ASA as Peer)
ISAKMP and Transform Configuration:
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key R5-ASA address 192.168.1.10

crypto ipsec transform-set tset esp-3des esp-md5-hmac
Define Interesting Traffic:
access-list 100 permit ip 5.5.5.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 100 permit ip 5.5.5.0 0.0.0.255 4.4.4.0 0.0.0.255
Bind Crypto Map:
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.10
 set transform-set tset
 match address 100

interface g1
 crypto map CMAP
Spoke 2 Router Configuration
ISAKMP Policy and Key (DES and SHA are the IOS defaults; they are written out here so the policy visibly matches ASA policy 20):
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2

crypto isakmp key R4-ASA address 192.168.1.10
Define Transform Set and ACL:
crypto ipsec transform-set tset esp-des esp-sha-hmac

access-list 100 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 100 permit ip 4.4.4.0 0.0.0.255 5.5.5.0 0.0.0.255
Bind to Crypto Map and Interface:
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.1.10
 match address 100
 set transform-set tset

interface g1
 crypto map CMAP
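Two things go wrong with crypto ACLs on pages like this one and the certificate example before it: the hub ACL and a spoke ACL stop being exact mirrors of each other once a second spoke is added, and a subnet mask (255.255.255.0) gets typed on IOS where a wildcard (0.0.0.255) belongs. The script below is an added example written for this page, not Cisco tooling. It parses ASA-style (mask) and IOS-style (wildcard) ACL lines into networks, rejects a wildcard that is not a contiguous run of bits (which is what a subnet mask looks like when read as a wildcard), and checks that each spoke ACL is the mirror image of the hub ACL for that spoke. The inputs are the hub and spoke ACLs from this section, plus one constructed broken spoke ACL; the function names are assumptions.

```python
import ipaddress
import re

# Constructed inputs: the hub ASA ACLs and the Spoke 1 IOS ACL from this section.
ASA_HUB_ACLS = """
access-list R5 permit ip 1.1.1.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list R5 permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list R4 permit ip 1.1.1.0 255.255.255.0 4.4.4.0 255.255.255.0
access-list R4 permit ip 5.5.5.0 255.255.255.0 4.4.4.0 255.255.255.0
"""
SPOKE_R5_ACL = """
access-list 100 permit ip 5.5.5.0 0.0.0.255 1.1.1.0 0.0.0.255
access-list 100 permit ip 5.5.5.0 0.0.0.255 4.4.4.0 0.0.0.255
"""
# Constructed broken spoke ACL: a subnet mask typed where IOS expects a wildcard.
SPOKE_R4_ACL_BROKEN = """
access-list 100 permit ip 4.4.4.0 255.255.255.0 1.1.1.0 255.255.255.0
"""

ACE_RE = re.compile(
    r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")


def to_network(addr: str, mask: str, wildcard: bool) -> ipaddress.IPv4Network:
    """Address + subnet mask (ASA) or address + wildcard (IOS) -> network.
    Raises ValueError when the mask bits are not contiguous."""
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:
        m ^= 0xFFFFFFFF  # wildcard -> subnet mask
    host_bits = (~m) & 0xFFFFFFFF
    # A valid subnet mask is ones followed by zeros, so its complement must be
    # of the form 2^n - 1.
    if host_bits & (host_bits + 1):
        kind = "wildcard" if wildcard else "mask"
        raise ValueError(f"{mask} is not a contiguous {kind} (wildcard/mask confusion?)")
    prefix = 32 - host_bits.bit_length()
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_acl(text: str, wildcard: bool) -> dict:
    """{acl name: set of (src_net, dst_net)}; lines that are not 'permit ip' ACEs are skipped."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        pair = (to_network(src, smask, wildcard), to_network(dst, dmask, wildcard))
        acls.setdefault(name, set()).add(pair)
    return acls


def mirror_of(pairs: set) -> set:
    return {(dst, src) for src, dst in pairs}


def check_peer_acls(hub_acl: set, spoke_acl: set) -> dict:
    """Each side's selectors must be the exact mirror of the other's; IKEv1
    quick mode otherwise fails with a proxy identity mismatch."""
    expected = mirror_of(hub_acl)
    fmt = lambda pair: f"{pair[0]} -> {pair[1]}"
    return {
        "ok": expected == spoke_acl,
        "missing_on_spoke": sorted(fmt(p) for p in expected - spoke_acl),
        "extra_on_spoke": sorted(fmt(p) for p in spoke_acl - expected),
    }


def audit() -> dict:
    """Check Spoke 1 against the hub and show the broken Spoke 2 ACL being rejected."""
    hub = parse_acl(ASA_HUB_ACLS, wildcard=False)
    r5 = parse_acl(SPOKE_R5_ACL, wildcard=True)["100"]
    result = {"R5": check_peer_acls(hub["R5"], r5)}
    try:
        parse_acl(SPOKE_R4_ACL_BROKEN, wildcard=True)
        result["R4"] = "parsed"
    except ValueError as err:
        result["R4"] = f"rejected: {err}"
    return result


if __name__ == "__main__":
    for peer, outcome in audit().items():
        print(peer, outcome)
```

Python's ipaddress module accepts "4.4.4.0/255.255.255.0" and silently treats the mask as a netmask, so the wildcard-to-mask conversion has to be done by hand to catch the confusion; that is the reason for the explicit contiguity test. Feeding a spoke ACL that drops one line reports it under missing_on_spoke, which is the line the spoke would have to add before the hub's second ACE could ever bring up an SA.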
Configuring GRE over IPSec on IOS Routers
Using GRE over IPsec combines the flexibility of GRE tunneling (which supports multicast, dynamic routing, and non-IP traffic) with the security of IPsec encryption.
Router 1 Configuration
1. Configure the GRE Tunnel Interface
interface tunnel0
 tunnel source g1
 tunnel destination 10.1.105.5
 ip address 192.168.34.4 255.255.255.0
This establishes a GRE tunnel using Router 1’s physical interface and sets the tunnel’s IP.
2. Configure IKE Phase 1 (ISAKMP). DES and DH group 1 are lab settings that current IOS releases reject or warn about; use AES and group 14 or higher in production:
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1

crypto isakmp key cisco123 address 10.1.105.5
3. Define Phase 2 IPsec Transform Set
crypto ipsec transform-set tset esp-des esp-sha-hmac
4. Create Access List to Match GRE Traffic
access-list 100 permit gre host 10.1.104.4 host 10.1.105.5
Only the GRE packets between the two tunnel endpoints are marked as interesting. Everything routed into tunnel0, including the EIGRP multicast, is already inside GRE by the time it reaches the crypto map, so a single host-to-host GRE entry protects all of it.
5. Configure and Apply the Crypto Map
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.105.5
 match address 100
 set transform-set tset

interface g1
 crypto map CMAP
The crypto map binds IPsec to the outside interface.
6. Configure Routing with EIGRP
router eigrp 100
 no auto-summary
 network 4.4.4.0 0.0.0.255
 network 192.168.34.0 0.0.0.255
EIGRP is used to dynamically advertise internal networks over the GRE tunnel.
Router 2 Configuration
1. Configure the GRE Tunnel Interface
interface tunnel0
 tunnel source g1
 tunnel destination 10.1.104.4
 ip address 192.168.34.5 255.255.255.0
2. Configure IKE Phase 1 (ISAKMP)
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1

crypto isakmp key cisco123 address 10.1.104.4
3. Define IPsec Transform Set and ACL
crypto ipsec transform-set tset esp-des esp-sha-hmac

access-list 100 permit gre host 10.1.105.5 host 10.1.104.4
4. Configure the Crypto Map
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.104.4
 match address 100
 set transform-set tset

interface g1
 crypto map CMAP
5. Configure Routing with EIGRP
router eigrp 100
 no auto-summary
 network 5.5.5.0 0.0.0.255
 network 192.168.34.0 0.0.0.255
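One consequence of stacking GRE inside ESP that the configuration above does not show is the per-packet overhead: a full-size 1500-byte packet from the LAN no longer fits the WAN link once the GRE delivery header and the ESP header, IV, padding, trailer and ICV are added, so it is fragmented or dropped. The calculator below is an added example written for this page, not Cisco code; it works from the RFC 4303 ESP layout for CBC ciphers with HMAC authentication and a GRE header without key or sequence options, and derives the largest inner packet that still fits a given link MTU, which is the value to put in ip mtu on the tunnel interface. The function names and the 40-byte IPv4+TCP assumption behind the MSS figure are assumptions.

```python
# Header sizes in bytes. These are protocol constants (RFC 791, RFC 2784, RFC 4303),
# not values taken from the page.
IPV4_HEADER = 20
GRE_HEADER = 4            # no key / sequence / checksum options, as configured above
ESP_SPI_SEQ = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2           # pad length (1) + next header (1)
CIPHERS = {               # CBC block size, which is also the IV length
    "esp-des": 8, "esp-3des": 8,
    "esp-aes": 16, "esp-aes-192": 16, "esp-aes-256": 16,
}
ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16}


def esp_tunnel_size(inner_len: int, cipher: str, auth: str) -> int:
    """Bytes on the wire for one packet of inner_len bytes protected by ESP in
    tunnel mode with a CBC cipher and an HMAC integrity algorithm."""
    block = CIPHERS[cipher]
    # Payload + trailer must be a multiple of the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return (IPV4_HEADER + ESP_SPI_SEQ + block      # outer IP, SPI/seq, IV
            + inner_len + pad + ESP_TRAILER + ICV[auth])


def gre_over_ipsec_size(ip_packet_len: int, cipher: str, auth: str) -> int:
    """GRE adds a delivery IP header plus the GRE header; ESP then protects that."""
    return esp_tunnel_size(ip_packet_len + IPV4_HEADER + GRE_HEADER, cipher, auth)


def max_inner_mtu(cipher: str, auth: str, link_mtu: int = 1500) -> int:
    """Largest inner IP packet that still fits link_mtu without fragmentation."""
    size = link_mtu
    while gre_over_ipsec_size(size, cipher, auth) > link_mtu:
        size -= 1
    return size


def tunnel_settings(cipher: str, auth: str, link_mtu: int = 1500) -> dict:
    """Values for 'ip mtu' and 'ip tcp adjust-mss' on the tunnel interface.
    MSS = MTU minus a 20-byte IPv4 header and a 20-byte TCP header (assumed, no options)."""
    mtu = max_inner_mtu(cipher, auth, link_mtu)
    return {
        "ip_mtu": mtu,
        "tcp_mss": mtu - 40,
        "overhead_at_mtu": gre_over_ipsec_size(mtu, cipher, auth) - mtu,
    }


if __name__ == "__main__":
    for cipher, auth in (("esp-des", "esp-sha-hmac"), ("esp-aes", "esp-sha-hmac")):
        print(cipher, auth, tunnel_settings(cipher, auth))
```

For the esp-des/esp-sha-hmac transform set used in this section the answer is an inner MTU of 1422 bytes; with esp-aes/esp-sha-hmac it drops to 1414 because of the 16-byte IV and block padding. Both are above the 1400 that Cisco documentation commonly recommends for GRE over IPsec, which leaves headroom for a GRE key or sequence number and for the odd-sized packets where padding is largest; the point of running the numbers is to see why a plain 1500-byte tunnel MTU cannot work.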
