Configuring site-to-site VPNs
1. Set up the ISAKMP policy (for IKE phase 1)
2. Set up the IPsec transform set (for IKE phase 2)
3. Define the interesting traffic (ip access-list)
4. Set up the crypto map (peer, transform set, interesting-traffic ACL)
5. Assign the crypto map to the interface facing the peer
Troubleshoot:
sh crypto isakmp sa   (phase 1 SAs)
sh crypto ipsec sa    (phase 2 SAs and packet counters)
======= R1 =======
crypto isakmp policy 50
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.100.34.4 no-xauth
!
!
crypto ipsec transform-set DEMO ah-md5-hmac esp-aes esp-sha-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 10.100.34.4
 set transform-set DEMO
 match address INT_TRAFFIC
!
interface FastEthernet0/0
 ip address 10.100.12.1 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN_MAP
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 passive-interface default
 network 0.0.0.0 255.255.255.255 area 0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
ip access-list extended INT_TRAFFIC
 permit ip 1.0.0.0 0.255.255.255 1.0.0.0 0.255.255.255
======= R4 =======
!
crypto isakmp policy 50
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.100.12.1 no-xauth
!
!
crypto ipsec transform-set DEMO ah-md5-hmac esp-aes esp-sha-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 10.100.12.1
 set transform-set DEMO
 match address INT_TRAFFIC
!
interface FastEthernet0/0
 ip address 10.100.34.4 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN_MAP
!
interface FastEthernet0/1
 ip address 1.1.4.4 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 passive-interface default
 network 0.0.0.0 255.255.255.255 area 0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip access-list extended INT_TRAFFIC
 permit ip 1.0.0.0 0.255.255.255 1.0.0.0 0.255.255.255
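Added example, not part of the original notes: a Python cross-check of the R1 and R4 configs above that walks the five steps from the other direction. It parses the crypto-relevant lines of both routers (embedded as a constructed template in which each side is the mirror image of the other) and reports the mismatches that "sh crypto isakmp sa" and "sh crypto ipsec sa" would otherwise only reveal after the tunnel fails to come up: the crypto map peer must be the other router's crypto-map interface, the pre-shared keys must agree in both directions, at least one ISAKMP policy must match once IOS defaults (hash sha, group 1, rsa-sig, des) are filled in for anything left unset, the transform sets must be identical, and the interesting-traffic ACLs must be mirror images. The hygiene() warnings it raises against this lab config (DH group 2, ah-md5-hmac) are my own additions based on Cisco's next-generation-encryption guidance, not anything the notes state; the parser handles only the commands used here and is not a general IOS config parser.

```python
from types import SimpleNamespace

# Constructed input: the crypto-relevant lines of R1 and R4 from the notes, as one template
# because each side is the mirror image of the other ('me' and 'peer' swapped).
PEER_TEMPLATE = """\
crypto isakmp policy 50
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address {peer} no-xauth
crypto ipsec transform-set DEMO ah-md5-hmac esp-aes esp-sha-hmac
crypto map VPN_MAP 10 ipsec-isakmp
 set peer {peer}
 set transform-set DEMO
 match address INT_TRAFFIC
interface FastEthernet0/0
 ip address {me} 255.255.255.0
 crypto map VPN_MAP
ip access-list extended INT_TRAFFIC
 permit ip 1.0.0.0 0.255.255.255 1.0.0.0 0.255.255.255
"""
R1_CONFIG = PEER_TEMPLATE.format(me="10.100.12.1", peer="10.100.34.4")
R4_CONFIG = PEER_TEMPLATE.format(me="10.100.34.4", peer="10.100.12.1")

# IOS fills in these defaults for any ISAKMP policy parameter that is not set explicitly.
IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}


def parse_ios(text):
    """Keyword-driven parser for just the commands the five-step procedure uses."""
    cfg, section = SimpleNamespace(policies={}, psk={}, transform_sets={}, crypto_maps={}, interfaces={}, acls={}), None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["crypto", "isakmp", "policy"]:
            section, cfg.policies[t[3]] = ("policy", t[3]), dict(IOS_POLICY_DEFAULTS)
        elif t[:3] == ["crypto", "isakmp", "key"]:            # crypto isakmp key KEY address ADDR
            section, cfg.psk[t[5]] = None, t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            section, cfg.transform_sets[t[3]] = None, frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:      # crypto map NAME SEQ ipsec-isakmp
            section, cfg.crypto_maps[(t[2], t[3])] = ("map", (t[2], t[3])), {}
        elif t[0] == "interface":
            section, cfg.interfaces[t[1]] = ("intf", t[1]), {}
        elif t[:3] == ["ip", "access-list", "extended"]:
            section, cfg.acls[t[3]] = ("acl", t[3]), []
        elif section is None or t[0] == "router" or t[:2] == ["ip", "route"]:
            section = None                                     # unrelated global command
        elif section[0] == "policy" and t[0] in ("encr", "encryption", "hash", "authentication", "group"):
            cfg.policies[section[1]]["encr" if t[0] == "encryption" else t[0]] = t[1]
        elif section[0] == "map" and t[0] in ("set", "match"):  # set peer / set transform-set / match address
            cfg.crypto_maps[section[1]]["acl" if t[0] == "match" else t[1]] = t[2]
        elif section[0] == "intf" and t[:2] in (["ip", "address"], ["crypto", "map"]):
            cfg.interfaces[section[1]]["ip" if t[0] == "ip" else "map"] = t[2]
        elif section[0] == "acl" and t[:2] == ["permit", "ip"]:
            cfg.acls[section[1]].append(tuple(t[2:6]))
    return cfg


def tunnel_endpoints(cfg):
    # Addresses of interfaces carrying a crypto map (step 5): the router's IKE endpoints.
    return {i["ip"] for i in cfg.interfaces.values() if "map" in i and "ip" in i}


def check_direction(ln, local, rn, remote):
    """LOCAL's view of REMOTE: peer address, pre-shared key, transform set and mirrored ACL."""
    f, local_ips, remote_ips = [], tunnel_endpoints(local), tunnel_endpoints(remote)
    remote_entries = [r for r in remote.crypto_maps.values() if r.get("peer") in local_ips]
    for (mname, seq), e in local.crypto_maps.items():
        tag, peer = f"{ln} crypto map {mname} {seq}", e.get("peer")
        if peer not in remote_ips:
            f.append(f"{tag}: peer {peer} is not a crypto-map interface on {rn}")
        if peer not in local.psk or any(local.psk[peer] != remote.psk.get(ip) for ip in local_ips):
            f.append(f"{tag}: pre-shared key for {peer} is missing or differs from what {rn} holds for {ln}")
        ts = local.transform_sets.get(e.get("transform-set"))
        if ts is None or not any(remote.transform_sets.get(r.get("transform-set")) == ts for r in remote_entries):
            f.append(f"{tag}: transform set is undefined or does not match any entry on {rn}")
        for s, sw, d, dw in local.acls.get(e.get("acl"), []):  # interesting traffic must mirror
            if not any((d, dw, s, sw) in remote.acls.get(r.get("acl"), []) for r in remote_entries):
                f.append(f"{tag}: 'permit ip {s} {sw} {d} {dw}' has no mirror image on {rn}")
    return f


def check_pair(an, a, bn, b):
    """Every mismatch between two peers; an empty list means both IKE phases should negotiate."""
    f = check_direction(an, a, bn, b) + check_direction(bn, b, an, a)
    if not any(pa == pb for pa in a.policies.values() for pb in b.policies.values()):
        f.append(f"no ISAKMP policy on {an} matches any policy on {bn} (encr/hash/authentication/group)")
    return f


def hygiene(name, cfg):
    """Warnings that do not stop the tunnel from coming up but leave it on dated crypto."""
    w = []
    for prio, p in cfg.policies.items():
        if p["group"] in ("1", "2", "5"):  # 768/1024/1536-bit MODP; Cisco NGE guidance: group 14 or higher
            w.append(f"{name} policy {prio}: DH group {p['group']} is too small")
    for ts_name, ts in cfg.transform_sets.items():
        if any("md5" in x or "des" in x for x in ts):
            w.append(f"{name} transform-set {ts_name}: uses MD5 or (3)DES")
    return w


if __name__ == "__main__":
    r1, r4 = parse_ios(R1_CONFIG), parse_ios(R4_CONFIG)
    print("\n".join(check_pair("R1", r1, "R4", r4) + hygiene("R1", r1) + hygiene("R4", r4) or ["all clear"]))
```

With the configs as written above, check_pair() returns no findings and hygiene() reports the DH group and the MD5 transform on each router. Changing "group 2" to "group 14" on R4 alone yields the single "no ISAKMP policy ... matches" finding, which is what a stuck phase 1 in "sh crypto isakmp sa" usually comes down to; changing the key on one side yields a pre-shared-key finding from each direction.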