VPN

I always forget to put one line in, so I try to break it down into six steps.

1. Configure the ISAKMP policy (IKE phase 1: authentication method, cipher, hash, Diffie-Hellman group and lifetime).
2. Configure the IPsec transform set (IKE phase 2 proposal: the ESP cipher and integrity algorithm).
3. Configure the crypto ACL (defines the interesting traffic that gets encrypted).
4. Configure the crypto map (IKE phase 2: ties the crypto ACL, peer, transform set and SA lifetime together; the SA lifetime is what governs rekeying and tunnel termination).
5. Apply the crypto map to the interface, and make sure ISAKMP is enabled on that interface.
6. Configure the interface ACL. On the ASA this only matters for the decrypted traffic if sysopt connection permit-vpn has been turned off; IKE and ESP destined to the box itself are not filtered by the interface ACL.

The template also needs a NAT exemption for the crypto ACL and a tunnel-group for the peer that holds the pre-shared key; the six steps above do not cover those.

My basic template is below.

Assume the local subnet is 192.168.20.0/24, the remote subnet is 192.168.21.0/24, and the remote peer's public IP is 22.22.22.22. The NAT line uses the pre-8.3 syntax.

! IKE phase 1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
!
! Crypto ACL: interesting traffic (reused below for the NAT exemption)
access-list REMOTE_SITE extended permit ip 192.168.20.0 255.255.255.0 192.168.21.0 255.255.255.0
!
! IKE phase 2 proposal
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
! Crypto map: ties the ACL, peer, transform set and SA lifetime together, then binds to the interface
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 22.22.22.22
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside
!
! NAT exemption so the VPN traffic is not translated (pre-8.3 syntax)
nat (inside) 0 access-list REMOTE_SITE
!
! Tunnel group for the peer, holding the pre-shared key
tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
 pre-shared-key ***

Two things to watch. Group 1 (768-bit MODP) for both the ISAKMP policy and PFS is weak; use the strongest Diffie-Hellman group both peers support (group 14 or higher where the software offers it). And the phase 1 policy, the transform set, the pre-shared key and the crypto ACL must match on the remote peer, with its crypto ACL mirrored (192.168.21.0/24 to 192.168.20.0/24), or the tunnel will not negotiate.
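To catch the forgotten line before pasting the template in, here is a small checker, added as an example here and not part of the original post. It parses an ASA running-config fragment, verifies that the six pieces are present and reference each other by name (crypto ACL, transform set, peer, tunnel-group, interface binding, ISAKMP enabled on that interface, NAT exemption) and flags weak Diffie-Hellman groups. The embedded configs are constructed: the post's template with a placeholder in place of the redacted pre-shared key, a copy with the interface binding left out, and a copy with group 14. The function names (parse_asa, check_config) and the finding codes are this example's own.

```python
import re

# Constructed sample: the post's template (pre-8.3 NAT syntax) with the
# redacted pre-shared key replaced by a placeholder.
TEMPLATE = """\
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
access-list REMOTE_SITE extended permit ip 192.168.20.0 255.255.255.0 192.168.21.0 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 22.22.22.22
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside
nat (inside) 0 access-list REMOTE_SITE
tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
 pre-shared-key PLACEHOLDER
"""
# Constructed variants: the interface binding left out (an easy line to forget),
# and the same template with DH group 14 for both phase 1 and PFS.
FORGOTTEN_BIND = TEMPLATE.replace("crypto map OUTSIDE_MAP interface outside\n", "")
HARDENED = TEMPLATE.replace(" group 1\n", " group 14\n").replace("set pfs group1", "set pfs group14")

ISAKMP_SUBCMDS = {"authentication", "encryption", "hash", "group", "lifetime"}
WEAK_DH = {"1", "2", "5"}  # 768/1024/1536-bit MODP groups

def parse_asa(config):
    """Pull out just the pieces the six-step checklist cross-references by name."""
    st = {"isakmp_ifaces": set(), "policies": 0, "isakmp_dh": set(), "acls": set(),
          "transform_sets": set(), "maps": {}, "map_ifaces": {}, "nat_exempt": set(),
          "l2l_peers": set()}
    in_policy = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if in_policy and line.split()[0] in ISAKMP_SUBCMDS:  # inside 'crypto isakmp policy N'
            if line.startswith("group "):
                st["isakmp_dh"].add(line.split()[1])
            continue
        in_policy = False
        if m := re.match(r"crypto isakmp enable (\S+)", line):
            st["isakmp_ifaces"].add(m[1])
        elif re.match(r"crypto isakmp policy \d+", line):
            st["policies"] += 1
            in_policy = True
        elif m := re.match(r"access-list (\S+) ", line):
            st["acls"].add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            st["transform_sets"].add(m[1])
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            st["map_ifaces"][m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set|set pfs)\s*(\S*)", line):
            st["maps"].setdefault((m[1], m[2]), {})[m[3]] = m[4]
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            st["nat_exempt"].add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            st["l2l_peers"].add(m[1])
    return st

def check_config(config):
    """Return (code, detail) findings; an empty list means every piece is present and wired up."""
    st = parse_asa(config)
    out = []
    if st["policies"] == 0:
        out.append(("NO_ISAKMP_POLICY", "no 'crypto isakmp policy' (IKE phase 1) defined"))
    if not st["maps"]:
        out.append(("NO_CRYPTO_MAP", "no crypto map entries defined"))
    for (name, seq), e in st["maps"].items():
        acl = e.get("match address")
        if not acl or acl not in st["acls"]:
            out.append(("BAD_CRYPTO_ACL", f"crypto map {name} {seq} has no defined 'match address' ACL"))
        elif acl not in st["nat_exempt"]:
            out.append(("NO_NAT_EXEMPT", f"ACL {acl} is not NAT-exempted (needed when inside hosts are NATed)"))
        ts = e.get("set transform-set")
        if not ts or ts not in st["transform_sets"]:
            out.append(("BAD_TRANSFORM_SET", f"crypto map {name} {seq} has no defined transform-set"))
        peer = e.get("set peer")
        if not peer:
            out.append(("NO_PEER", f"crypto map {name} {seq} has no 'set peer'"))
        elif peer not in st["l2l_peers"]:
            out.append(("NO_TUNNEL_GROUP", f"no 'tunnel-group {peer} type ipsec-l2l' for the peer"))
        pfs = e.get("set pfs")
        if pfs is not None and (pfs.replace("group", "") or "2") in WEAK_DH:  # bare 'set pfs' is group2
            out.append(("WEAK_DH", f"crypto map {name} {seq} uses PFS {pfs or 'group2 (default)'}"))
    for name in sorted({n for n, _ in st["maps"]}):
        iface = st["map_ifaces"].get(name)
        if iface is None:
            out.append(("MAP_NOT_APPLIED", f"crypto map {name} is not applied to any interface"))
        elif iface not in st["isakmp_ifaces"]:
            out.append(("ISAKMP_DISABLED", f"'crypto isakmp enable {iface}' is missing"))
    for g in sorted(st["isakmp_dh"] & WEAK_DH):
        out.append(("WEAK_DH", f"ISAKMP policy uses DH group {g}; use group 14 or higher"))
    return out

if __name__ == "__main__":
    for label, cfg in (("template", TEMPLATE), ("forgotten bind", FORGOTTEN_BIND), ("hardened", HARDENED)):
        print(f"== {label}")
        for code, detail in check_config(cfg) or [("OK", "all six pieces present and wired up")]:
            print(f"  {code}: {detail}")
```

Run against the post's template it reports only the two weak-DH findings (phase 1 group 1 and PFS group1); drop the crypto map interface line and it adds MAP_NOT_APPLIED; the group 14 variant comes back clean. The checker only understands the single-line crypto map syntax shown above, so a config that uses other forms will need the regexes extended.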


~ by bigevil on September 21, 2009.
