I always forget to put one line in. I try to break it down into six steps.

Configure the ISAKMP policy (IKE phase 1: how the two peers authenticate each other and protect the IKE SA)

Configure the IPsec transform set (IKE phase 2: the ESP cipher and integrity algorithm used for the IPsec SA that carries the data)

Configure the crypto ACL (defines the interesting traffic, i.e. which source/destination pairs must go through the tunnel)

Configure the crypto map (ties the peer address, the crypto ACL, the transform set, PFS and the SA lifetime together)

Apply the crypto map to the outside interface (the ASA only negotiates IKE on interfaces that have a crypto map bound)

Configure the interface ACL and NAT exemption. On the ASA, sysopt connection permit-vpn is on by default, so decrypted VPN traffic bypasses the outside interface ACL; if that has been turned off, the outside ACL must permit the remote subnet. The NAT exemption is needed either way so the tunnelled traffic is not translated before it is matched against the crypto ACL.
My basic template is below.

The template uses placeholders for the local subnet, the remote subnet and the remote public IP; substitute your own values.

crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800

access-list REMOTE_SITE extended permit ip <local subnet> <local mask> <remote subnet> <remote mask>

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer <remote public IP>
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside

nat (inside) 0 access-list REMOTE_SITE

tunnel-group <remote public IP> type ipsec-l2l
tunnel-group <remote public IP> ipsec-attributes
pre-shared-key ***

A few things to check before pasting this in. The weak point of the template is the Diffie-Hellman group: group 1 (768-bit MODP) in the ISAKMP policy and pfs group1 in the crypto map give far less than the 128 bits of security the AES key suggests. Use the strongest group both peers support; group 2 is the floor even on 2009-era code, and releases that offer group 14 (2048-bit) should use it in both places. The crypto ACL and the NAT exemption ACL are the same list on purpose, so keep them in sync if you add subnets. nat (inside) 0 access-list is the pre-8.3 NAT exemption; from ASA 8.3 onward it no longer exists and is replaced by an identity twice-NAT rule of the form nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE, with LOCAL and REMOTE defined as network objects. The pre-shared key is masked here; use a long random value, the same on both peers, and keep the tunnel-group name equal to the peer's public IP, since that is how an IKEv1 site-to-site peer is matched. Once interesting traffic has been sent, show crypto isakmp sa and show crypto ipsec sa confirm that phase 1 and phase 2 came up.
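As an added worked example (this is not code from the original post or a Cisco tool), the following Python renders the same six-step template for concrete, constructed addresses and then lints the phase 1 policy and the PFS setting for weak Diffie-Hellman groups, MD5 and DES/3DES, flagging the group 1 used above. It assumes the page's IKEv1 crypto isakmp commands and the pre-8.3 nat (inside) 0 exemption (ASA 8.4 and later rename the IKEv1 commands to crypto ikev1, which the linter also accepts); the dh_group parameter defaults to 14, which the release the post was written for may not offer, in which case pass the strongest group it does support. The function and variable names are this example's own.

```python
import ipaddress
import re

# Constructed sample values for this example: RFC 1918 site subnets and an
# RFC 5737 documentation address standing in for the remote public IP.
LOCAL_SUBNET = "10.1.1.0/24"
REMOTE_SUBNET = "10.2.2.0/24"
REMOTE_PEER = "203.0.113.10"

# IKE phase 1 / PFS settings a reviewer should reject on sight.
# Groups 1, 2 and 5 are below the 2048-bit floor (group 14) used today.
WEAK = {
    "group": {"1", "2", "5"},
    "hash": {"md5"},
    "encryption": {"des", "3des"},
}
POLICY_KEYWORDS = {"authentication", "encryption", "hash", "group", "lifetime"}


def _net_and_mask(cidr):
    """Turn 10.1.1.0/24 into the (network, netmask) pair ASA ACLs expect.
    strict=True rejects host bits in the prefix, e.g. 10.1.1.5/24."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.netmask)


def render_l2l_vpn(local_cidr, remote_cidr, peer_ip, psk, acl="REMOTE_SITE",
                   crypto_map="OUTSIDE_MAP", seq=20, dh_group=14):
    """Render the six-step site-to-site template for one remote peer.

    Hypothetical helper for this example: it emits the page's IKEv1
    'crypto isakmp' commands and the pre-8.3 'nat (inside) 0' exemption.
    """
    lnet, lmask = _net_and_mask(local_cidr)
    rnet, rmask = _net_and_mask(remote_cidr)
    ipaddress.ip_address(peer_ip)          # raises ValueError on a bad peer
    if len(psk) < 16:
        raise ValueError("pre-shared key too short; use a long random key")
    lines = [
        # 1. ISAKMP policy: IKE phase 1
        "crypto isakmp enable outside",
        "crypto isakmp policy 10",
        " authentication pre-share",
        " encryption aes",
        " hash sha",
        f" group {dh_group}",
        " lifetime 28800",
        # 2. transform set: ESP algorithms for the IPsec SA (phase 2)
        "crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac",
        # 3. crypto ACL: the interesting traffic
        f"access-list {acl} extended permit ip {lnet} {lmask} {rnet} {rmask}",
        # 4. crypto map: peer + ACL + transform set + PFS + lifetime
        f"crypto map {crypto_map} {seq} match address {acl}",
        f"crypto map {crypto_map} {seq} set pfs group{dh_group}",
        f"crypto map {crypto_map} {seq} set peer {peer_ip}",
        f"crypto map {crypto_map} {seq} set transform-set ESP-AES-128-SHA",
        f"crypto map {crypto_map} {seq} set security-association lifetime seconds 28800",
        # 5. bind the crypto map to the outside interface
        f"crypto map {crypto_map} interface outside",
        # 6. NAT exemption so tunnelled traffic is not translated
        f"nat (inside) 0 access-list {acl}",
        # the tunnel group keyed by the peer address carries the pre-shared key
        f"tunnel-group {peer_ip} type ipsec-l2l",
        f"tunnel-group {peer_ip} ipsec-attributes",
        f" pre-shared-key {psk}",
    ]
    return "\n".join(lines) + "\n"


def lint_vpn_config(config_text):
    """Return findings for weak phase 1 policy lines and weak PFS groups."""
    findings = []
    policy = None
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        line = " ".join(parts)
        m = re.match(r"crypto (?:isakmp|ikev1) policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        if policy is not None and parts[0] in POLICY_KEYWORDS:
            if len(parts) == 2 and parts[1] in WEAK.get(parts[0], ()):
                findings.append(f"policy {policy}: weak {parts[0]} {parts[1]}")
            continue
        policy = None                       # any other line ends the policy
        m = re.match(r"crypto map \S+ \d+ set pfs group(\d+)$", line)
        if m and m.group(1) in WEAK["group"]:
            findings.append(f"crypto map: weak PFS group {m.group(1)}")
    return findings


if __name__ == "__main__":
    cfg = render_l2l_vpn(LOCAL_SUBNET, REMOTE_SUBNET, REMOTE_PEER,
                         "replace-with-a-long-random-key")
    print(cfg)
    print(lint_vpn_config(cfg) or "no weak settings found")
```

Running the script prints the filled-in template and an empty findings list; rendering it with dh_group=1, or feeding the linter the policy block from the template above, reports the weak group in both the ISAKMP policy and the PFS setting, which is the first thing to change when reusing this template.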


~ by bigevil on September 21, 2009.
