IPSec Site-to-Site VPN in 10 seconds

This is a very basic configuration example for a site-to-site IPSec VPN. You should understand what the parameters mean, before you set it up for production.

access-list 150 permit ip [localnet] [remotenet]
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key [psk] address [peer]
!
crypto isakmp keepalive 10
crypto isakmp nat keepalive 3600
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set SET_1 esp-3des esp-md5-hmac
!
crypto map VPN 150 ipsec-isakmp
set peer [peer]
set transform-set SET_1
set pfs group2
match address 150
!
!
interface [outgoing-interface]
crypto map VPN

Replace the strings in brackets:

[localnet]: your local subnet (e.g. 192.168.0.0 0.0.0.255)
[remotenet]: the remote subnet (e.g. 192.168.1.0 0.0.0.255)
[peer]: the remote VPN peer (the public address)
[psk]: the pre shared key
[outgoing-interface]: the outgoing interface (where usually the default route points to)

Troubleshooting:

  • make sure Phase 1 and Phase 2 parameters matches the configuration on the remote peer
  • use ‘show crypto isakmp sa’ and ‘debug crypto isakmp’ for Phase 1 debugging
  • use ‘show crypto ipsec sa’ and ‘debug crypto ipsec’ for Phase 2 debugging
  • PFS has shown bitchy behavior in real world with third party peers; if in doubt, disable it on both boxes
  • make sure you exclude the remote net from any NAT configuration
  • obvious, but crucially important: if you ping the remote net from the router, you need to specify the correct source interface
  • If possible (as a general rule), use one of the decent trains like 12.4(15)T

Leave a Reply