! Enable ISAKMP
crypto isakmp enable outside
!
! Object definitions
object network net-local
 subnet 192.168.101.0 255.255.255.0
!
object network net-remote
 subnet 192.168.102.0 255.255.255.0
!
! This access list permits the traffic to flow through the tunnel
access-list outside_1_cryptomap permit ip object net-local object net-remote
!
! The tunnel-group name must be the IP of the remote gateway
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
 pre-shared-key MySharedSecret
 ! Optional keep-alives
 isakmp keepalive threshold 10 retry 2
!
! This is our policy for phase 1.
! The policy number just groups ISAKMP options; it can be any number.
! 3DES and DH group 2 are legacy algorithms; the remote peer must be
! configured with the same phase 1 values.
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
!
! Transform set for phase 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Join the map to the ACL
crypto map outside_map 1 match address outside_1_cryptomap
! Perfect Forward Secrecy (group1 is the weakest DH group)
crypto map outside_map 1 set pfs group1
! The IP address of the remote gateway
crypto map outside_map 1 set peer 192.168.0.12
! The phase 2 transform set
crypto map outside_map 1 set transform-set ESP-3DES-SHA
! Apply to the outside interface as the outgoing interface
crypto map outside_map interface outside
!
! NAT -- no-NAT (identity NAT) for tunnel traffic in this example
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
!
! Routing -- if you don't have a default route it won't work
route outside 0 0 192.168.0.1
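
The configuration above only brings the tunnel up if its names line up: the crypto map's peer needs a matching tunnel-group with a key, and the ACL, transform set and interface it references must exist. The following is an added example, not part of the original configuration, that checks those cross-references offline; `check_l2l` and `PAGE_CONFIG` are hypothetical names, and it assumes pre-shared-key authentication as used on this page.

```python
import re

# Trimmed copy of the page's configuration (comment, PFS, NAT and route lines left out).
PAGE_CONFIG = """\
crypto isakmp enable outside
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
 pre-shared-key MySharedSecret
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""

def check_l2l(config):
    """Return broken cross-references in an ASA site-to-site config (hypothetical helper)."""
    lines = [s.strip() for s in config.splitlines() if s.strip() and not s.strip().startswith("!")]

    def names(pattern):
        return {m.group(1) for s in lines if (m := re.match(pattern, s))}
    acls = names(r"access-list (\S+) ")
    groups = names(r"tunnel-group (\S+) type ipsec-l2l$")
    tsets = names(r"crypto ipsec transform-set (\S+) ")
    ike_ifs = names(r"crypto isakmp enable (\S+)$")
    # A pre-shared-key line belongs to the most recent ipsec-attributes block.
    keyed, current = set(), None
    for s in lines:
        if m := re.match(r"tunnel-group (\S+) ipsec-attributes$", s):
            current = m.group(1)
        elif s.startswith("pre-shared-key ") and current:
            keyed.add(current)

    problems = []
    for s in lines:
        m = re.match(r"crypto map \S+ (?:\d+ )?(match address|set peer|set transform-set|interface) (.+)$", s)
        if not m:
            continue
        kind, args = m.group(1), m.group(2).split()
        if kind == "match address" and args[0] not in acls:
            problems.append(f"crypto ACL {args[0]} is not defined")
        elif kind == "set peer":
            problems += [f"peer {p} has no ipsec-l2l tunnel-group with a pre-shared-key" for p in args if p not in (groups & keyed)]
        elif kind == "set transform-set":
            problems += [f"transform-set {t} is not defined" for t in args if t not in tsets]
        elif kind == "interface" and args[0] not in ike_ifs:
            problems.append(f"ISAKMP is not enabled on {args[0]}")
    return problems
```

An empty list means every reference resolves; each string in a non-empty list names one reference that would keep the tunnel from establishing.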