Site to Site VPN
(2013 March 08)
Example VPN Configuration (Cisco ASA, IKEv1 with a pre-shared key)
! Enable ISAKMP (IKEv1) on the outside interface
crypto isakmp enable outside
!
! Object definitions
object network net-local
subnet 192.168.101.0 255.255.255.0
!
object network net-remote
subnet 192.168.102.0 255.255.255.0
!
! This access list permits the traffic to flow through the tunnel
access-list outside_1_cryptomap permit ip object net-local object net-remote
!
! The tunnel-group name must be the IP of the remote gateway
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
pre-shared-key MySharedSecret
! Optional dead-peer-detection keepalives: probe after 10 s idle, retry every 2 s
isakmp keepalive threshold 10 retry 2
!
! This is our policy for phase 1.
! Policy number just groups isakmp options, can be any number
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
!
! Transform set for phase 2: ESP with 3DES encryption and SHA-1 HMAC integrity
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Join the map to the ACL
crypto map outside_map 1 match address outside_1_cryptomap
! Perfect Forward Secrecy: fresh DH exchange (group 1) on each phase-2 rekey
crypto map outside_map 1 set pfs group1
! The IP address of the remote gateway
crypto map outside_map 1 set peer 192.168.0.12
! The phase-2 transform set
crypto map outside_map 1 set transform-set ESP-3DES-SHA
! Apply to the outside interface as the outgoing-interface
crypto map outside_map interface outside
!
! NAT -- identity (no-NAT) rule so traffic between the two networks is not translated before entering the tunnel
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
!
! Routing -- the ASA needs a route toward the remote peer; here a default route (without it the tunnel won't come up)
route outside 0 0 192.168.0.1
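As an added example (not part of the original page), the following Python script audits an ASA configuration of the shape shown above for weak phase-1 and phase-2 crypto choices: DES/3DES, MD5, and DH groups 1/2/5 are reported as weak, SHA-1 HMAC is reported as legacy, and a bare `set pfs` is treated as group2, which is the ASA default when no group is named. The sample configuration embedded in the script is constructed from the one above, not taken from a live device.

```python
"""Audit a Cisco ASA IKEv1 site-to-site VPN config for weak crypto settings.

Added example, not the page's own code. Assumptions: input is ASA
running-config text like the page's example; ESP SHA-1 HMAC is reported as
"legacy" rather than "weak"; an unqualified `set pfs` is treated as group2.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the page's configuration (no real device).
SAMPLE_CONFIG = """\
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

# (option, value) -> (severity, reason). DES/3DES have 64-bit blocks (Sweet32),
# MD5 is broken, DH groups 1/2/5 are 768/1024/1536-bit MODP and below current
# minimums; SHA-1 HMAC is still accepted for IPsec integrity but is legacy.
IKE_RULES = {
    ("encrypt", "des"): ("weak", "single DES"),
    ("encrypt", "3des"): ("weak", "3DES (64-bit block, Sweet32)"),
    ("hash", "md5"): ("weak", "MD5"),
    ("hash", "sha"): ("legacy", "SHA-1"),
    ("group", "1"): ("weak", "DH group 1 (768-bit)"),
    ("group", "2"): ("weak", "DH group 2 (1024-bit)"),
    ("group", "5"): ("weak", "DH group 5 (1536-bit)"),
}
ESP_RULES = {
    "esp-null": ("weak", "no encryption"),
    "esp-des": ("weak", "single DES"),
    "esp-3des": ("weak", "3DES (64-bit block, Sweet32)"),
    "esp-md5-hmac": ("weak", "MD5 HMAC"),
    "esp-sha-hmac": ("legacy", "SHA-1 HMAC"),
}
PFS_RULES = {g: IKE_RULES[("group", g)] for g in ("1", "2", "5")}


@dataclass(frozen=True)
class Finding:
    severity: str  # "weak" or "legacy"
    line: str      # the offending config line
    reason: str


def audit_asa_vpn(config: str) -> list[Finding]:
    """Return one Finding per weak/legacy algorithm choice in the config."""
    findings: list[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and ASA comments
        # Phase 1 (ISAKMP) policy: crypto isakmp policy <n> <option> <value>
        m = re.fullmatch(r"crypto isakmp policy \d+ (\S+) (\S+)", line)
        if m:
            rule = IKE_RULES.get((m.group(1), m.group(2)))
            if rule:
                findings.append(Finding(rule[0], line, f"phase 1 uses {rule[1]}"))
            continue
        # Phase 2 transform set: crypto ipsec transform-set <name> <alg> [<alg>]
        m = re.fullmatch(r"crypto ipsec transform-set \S+ (.+)", line)
        if m:
            for alg in m.group(1).split():
                rule = ESP_RULES.get(alg)
                if rule:
                    findings.append(Finding(rule[0], line, f"phase 2 uses {rule[1]}"))
            continue
        # PFS: crypto map <map> <seq> set pfs [groupN]; assumed default is group2
        m = re.fullmatch(r"crypto map \S+ \d+ set pfs(?: group(\d+))?", line)
        if m:
            rule = PFS_RULES.get(m.group(1) or "2")
            if rule:
                findings.append(Finding(rule[0], line, f"PFS uses {rule[1]}"))
    return findings


def summarize(config: str) -> dict[str, int]:
    """Count findings by severity so a config can be gated in CI."""
    counts = {"weak": 0, "legacy": 0}
    for f in audit_asa_vpn(config):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in audit_asa_vpn(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.reason}: {f.line}")
    print(summarize(SAMPLE_CONFIG))
```

Run against the sample, the script reports four weak choices (3DES in both phases, DH group 2, PFS group 1) and two legacy ones (SHA-1). A configuration with `encrypt aes-256`, `group 14` or higher, `esp-aes-256` and `set pfs group14` clears the weak findings; moving to IKEv2 additionally allows SHA-2 integrity, which clears the legacy ones too.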