For When You Can't Have The Real Thing

Site to Site VPN (Cisco ASA 8.3)

Created by dave.
(2013 March 08)

Example VPN Configuration

! Enable ISAKMP (IKEv1) on the outside interface
crypto isakmp enable outside
! Network objects for the local and remote subnets (each needs a subnet statement)
object network net-local
object network net-remote
! This access list selects the traffic that goes through the tunnel. It must be
! the mirror image of the peer's ACL, otherwise the phase-2 proxy IDs won't match.
access-list outside_1_cryptomap permit ip object net-local object net-remote
! The tunnel-group name must be the IP address of the remote gateway
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
  ! The PSK is the only thing authenticating the peer: use a long random string, not a word
  pre-shared-key MySharedSecret
  ! optional dead-peer-detection keepalives (idle seconds before probing, retry interval)
  isakmp keepalive threshold 10 retry 2
! Phase 1 (ISAKMP) policy. The number is a priority that groups the options and can
! be any value; lower numbers are offered first. 3DES, SHA-1 and DH group 2 are what
! an older peer accepts; prefer aes-256 and group 5 when both ends support them.
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
! Phase 2 (IPsec) transform set
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Join the crypto map entry to the ACL
crypto map outside_map 1 match address outside_1_cryptomap
! Perfect Forward Secrecy for phase 2. group1 is 768-bit DH and weaker than the
! phase-1 group above; use at least group2, preferably group5.
crypto map outside_map 1 set pfs group1
! The IP address of the remote gateway (the same address as the tunnel-group name)
crypto map outside_map 1 set peer
! The phase-2 transform set
crypto map outside_map 1 set transform-set ESP-3DES-SHA
! Apply the crypto map to the outside interface
crypto map outside_map interface outside
! NAT exemption (8.3 twice NAT): identity-translate local<->remote so tunnel traffic is not NATed
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
! Routing: the ASA needs a route towards the peer and the remote subnet via outside;
! a default route does it. Without one the tunnel won't come up.
route outside 0 0
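The script below is an added example and not code from the original page. It parses the crypto lines of the configuration above (embedded as a constructed sample, next to a constructed hardened variant) and reports the settings a reviewer would flag: DES/3DES, MD5, DH groups of 1024 bits or less, PFS weaker than the phase-1 group, and a short or word-like pre-shared key. The thresholds, the DH_RANK ordering and the message wording are this example's own choices; whether aes-256 and group 5 are usable depends on the peer and the ASA release.

```python
"""Lint the IKEv1/IPsec settings of an ASA site-to-site configuration.

Added example, not code from the original page. Thresholds and wording are
this example's own choices, not Cisco's.
"""
import re

# Constructed sample: the crypto-relevant lines of the configuration above.
SAMPLE_CONFIG = """\
tunnel-group ipsec-attributes
  pre-shared-key MySharedSecret
  isakmp keepalive threshold 10 retry 2
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

# Constructed sample: the same tunnel with the settings a reviewer would ask for.
HARDENED_CONFIG = """\
tunnel-group ipsec-attributes
  pre-shared-key x7Qe3!mT9rLp2vBn5sKw8zD
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set transform-set ESP-AES256-SHA
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}   # ASA IKEv1 offers only md5 and sha (SHA-1); sha is the better of the two
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}
DH_RANK = {"1": 1, "2": 2, "5": 3, "14": 4}   # relative strength; 1 and 2 are 768/1024-bit MODP
MIN_DH_RANK = DH_RANK["5"]
MIN_PSK_LEN = 20

_POLICY = re.compile(r"^crypto isakmp policy (\d+) (\S+) (\S+)$")
_TRANSFORM = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
_PFS = re.compile(r"^crypto map (\S+) (\d+) set pfs group(\d+)$")
_PSK = re.compile(r"^\s*pre-shared-key (\S+)$")


def _canon(keyword):
    """ASA accepts abbreviated keywords, so 'encrypt' or 'encr' mean 'encryption'."""
    return "encryption" if "encryption".startswith(keyword) else keyword


def parse_config(text):
    """Collect ISAKMP policies, transform sets, PFS groups and pre-shared keys."""
    cfg = {"policies": {}, "transform_sets": {}, "pfs": {}, "psks": []}
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := _POLICY.match(line):
            pid, key, val = m.groups()
            cfg["policies"].setdefault(pid, {})[_canon(key)] = val
        elif m := _TRANSFORM.match(line):
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := _PFS.match(line):
            cfg["pfs"][(m.group(1), m.group(2))] = m.group(3)
        elif m := _PSK.match(line):
            cfg["psks"].append(m.group(1))
    return cfg


def lint(cfg):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    phase1_ranks = []
    for pid, pol in sorted(cfg["policies"].items(), key=lambda kv: int(kv[0])):
        enc, grp = pol.get("encryption"), pol.get("group")
        if enc in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {pid}: weak encryption {enc}; use aes-256")
        if pol.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {pid}: weak hash {pol['hash']}; use sha")
        if grp in DH_RANK:
            phase1_ranks.append(DH_RANK[grp])
            if DH_RANK[grp] < MIN_DH_RANK:
                findings.append(f"isakmp policy {pid}: DH group {grp} is 1024-bit or less; use group 5 or higher")
    for name, algs in sorted(cfg["transform_sets"].items()):
        if weak := [a for a in algs if a in WEAK_ESP]:
            findings.append(f"transform-set {name}: weak {' '.join(weak)}; use esp-aes-256 esp-sha-hmac")
    for (cmap, seq), grp in sorted(cfg["pfs"].items()):
        rank = DH_RANK.get(grp)
        if rank is not None and phase1_ranks and rank < min(phase1_ranks):
            findings.append(f"crypto map {cmap} {seq}: PFS group{grp} is weaker than the phase-1 DH group")
        elif rank is not None and rank < MIN_DH_RANK:
            findings.append(f"crypto map {cmap} {seq}: PFS group{grp} is 1024-bit or less; use group5 or higher")
    for psk in cfg["psks"]:
        if len(psk) < MIN_PSK_LEN or psk.isalpha():
            why = "letters only" if psk.isalpha() else "too short"
            findings.append(f"pre-shared-key: {len(psk)} characters, {why}; use {MIN_PSK_LEN}+ random characters")
    return findings


if __name__ == "__main__":
    for label, text in (("page config", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint(parse_config(text)) or ["no findings"]:
            print(" ", finding)
```

Run it against a `show running-config | include crypto|pre-shared-key` dump to get the same report for a live box; the PSK check only sees keys that are still in clear text, so it is most useful on the config before it is committed.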
This is a collection of technical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.
