IPSec Site-to-Site VPN in 10 seconds

This is a very basic configuration example for a site-to-site IPSec VPN on Cisco IOS. Make sure you understand what each parameter means before you use it in production.

access-list 150 permit ip [localnet] [remotenet]
!
! Phase 1 (ISAKMP): 3DES, MD5 and DH group 2 are legacy choices kept here for
! interoperability; use stronger algorithms where both ends support them.
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key [psk] address [peer]
crypto isakmp keepalive 10
crypto isakmp nat keepalive 3600
!
! Phase 2 (IPsec): transform set, crypto map and the ACL that selects VPN traffic
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set SET_1 esp-3des esp-md5-hmac
crypto map VPN 150 ipsec-isakmp
 set peer [peer]
 set transform-set SET_1
 set pfs group2
 match address 150
!
interface [outgoing-interface]
 crypto map VPN

Replace the strings in brackets:

[localnet]: your local subnet (e.g.
[remotenet]: the remote subnet (e.g.
[peer]: the remote VPN peer (the public address)
[psk]: the pre-shared key
[outgoing-interface]: the outgoing interface (usually the one the default route points out of)


  • make sure the Phase 1 and Phase 2 parameters match the configuration on the remote peer
  • use ‘show crypto isakmp sa’ and ‘debug crypto isakmp’ for Phase 1 debugging
  • use ‘show crypto ipsec sa’ and ‘debug crypto ipsec’ for Phase 2 debugging
  • PFS has shown flaky behavior in the real world with third-party peers; if in doubt, disable it on both boxes
  • make sure you exclude the remote net from any NAT configuration (translated packets no longer match the crypto ACL and are sent outside the tunnel)
  • obvious, but crucially important: when you ping the remote net from the router itself, specify a source interface inside the local net, or the packets leave with the outgoing interface's address and never match the crypto ACL
  • if possible (as a general rule), use one of the decent IOS trains like 12.4(15)T
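As an added example (not part of the original post), here is a small Python pre-flight checker for the two bullets on matching Phase 1/Phase 2 parameters and on excluding the remote net from NAT. It parses only the IOS commands the template uses, from two constructed snippets with RFC 5737 documentation addresses and assumed names (SET_1, TS, NAT_ACL, FastEthernet0/0); the constructed remote side deliberately disagrees on the Phase 1 hash and omits PFS, while its different Phase 1 lifetime is not reported because IKE settles on the shorter value. The NAT check is a textual comparison of the src/dst pair against the NAT source list, not a wildcard-mask evaluation.

```python
# Added example (not from the post): pre-flight checker for the template above.
import re

# Constructed local config: the template with RFC 5737 documentation addresses,
# plus the NAT exemption the post asks for (deny the VPN flow before the permit).
LOCAL_CFG = """
access-list 150 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
ip access-list extended NAT_ACL
 deny ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
 permit ip 192.0.2.0 0.0.0.255 any
ip nat inside source list NAT_ACL interface FastEthernet0/0 overload
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto ipsec transform-set SET_1 esp-3des esp-md5-hmac
crypto map VPN 150 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set SET_1
 set pfs group2
 match address 150
"""
# Constructed remote config with two deliberate mismatches: hash sha instead
# of md5 in Phase 1, and no PFS in Phase 2.
REMOTE_CFG = """
access-list 150 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 150
"""

def parse(cfg):
    """One pass over an IOS snippet; sub-mode lines may be indented or flat, as in the post."""
    c = {"policies": {}, "maps": {}, "acls": {}, "nat_acl": None}
    tsets, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines() if l.strip() and l.lstrip()[0] != "!"):
        w = line.split()
        if m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
            cur = c["policies"][int(m[1])] = {}
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            cur = c["maps"][(m[1], int(m[2]))] = {"pfs": None}
        elif m := re.fullmatch(r"ip access-list extended (\S+)", line):
            cur = c["acls"][m[1]] = []
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m[1]], cur = frozenset(m[2].split()), None
        elif m := re.fullmatch(r"access-list (\S+) (permit|deny) ip (.+)", line):
            c["acls"].setdefault(m[1], []).append((m[2], m[3])); cur = None
        elif m := re.fullmatch(r"ip nat inside source list (\S+) .*", line):
            c["nat_acl"], cur = m[1], None
        elif line.startswith(("crypto ", "ip ", "interface ")):
            cur = None                                  # unrelated top-level command
        elif isinstance(cur, list):                     # ACE inside a named ACL
            cur.append((w[0], " ".join(w[2:])))
        elif isinstance(cur, dict) and "pfs" in cur:    # crypto map sub-mode
            cur[w[1] if w[0] == "set" else "acl"] = w[2]
        elif isinstance(cur, dict):                     # ISAKMP policy sub-mode
            cur["encr" if w[0] == "encryption" else w[0]] = w[1]
    for e in c["maps"].values():                        # resolve transform-set names
        e["transforms"] = tsets.get(e.get("transform-set"), frozenset())
    return c

def compare_peers(local_cfg, remote_cfg):
    """Findings from checking both sides against each other; [] means they agree."""
    a, b, out = parse(local_cfg), parse(remote_cfg), []
    keys = ("encr", "hash", "authentication", "group")   # lifetime is negotiated, not compared
    if not any(all(p.get(k) == q.get(k) for k in keys)
               for p in a["policies"].values() for q in b["policies"].values()):
        out.append("Phase 1: no ISAKMP policy pair agrees on encr/hash/authentication/group")
    for (name, seq), e in a["maps"].items():
        peers = [r for r in b["maps"].values() if r["transforms"] == e["transforms"]]
        if not peers:
            out.append(f"Phase 2: {name} {seq}: peer offers no transform-set {sorted(e['transforms'])}")
        elif all(r["pfs"] != e["pfs"] for r in peers):
            out.append(f"Phase 2: {name} {seq}: PFS is {e['pfs']} here, {[r['pfs'] for r in peers]} on the peer")
    return out

def nat_exemption_findings(cfg):
    """Every flow the crypto ACL permits must hit a deny in the NAT source list (textual match)."""
    c, out = parse(cfg), []
    nat = c["acls"].get(c["nat_acl"], [])
    for (name, seq), e in c["maps"].items():
        for action, flow in c["acls"].get(e.get("acl"), []):
            first = next((act for act, f in nat if f == flow), None)
            if action == "permit" and c["nat_acl"] and first != "deny":
                out.append(f"NAT: {name} {seq} flow '{flow}' is not exempted in {c['nat_acl']}")
    return out

if __name__ == "__main__":
    print(*compare_peers(LOCAL_CFG, REMOTE_CFG) + nat_exemption_findings(LOCAL_CFG), sep="\n")
```

Run it against copies of both routers' `show running-config` output before the first ISAKMP debug session; an empty result from both functions means the two sides at least agree on paper, which is what the first bullet asks you to verify.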
