General Notes


 

  1. An IPsec tunnel is initiated by interesting traffic. Traffic is considered interesting when it travels between the IPsec peers

  2. In IKE Phase 1, the IPsec peers negotiate the established IKE Security Association (SA) policy. Once the peers are authenticated, a secure tunnel is created using Internet Security Association and Key Management Protocol (ISAKMP).

  3. In IKE Phase 2, the IPsec peers use the authenticated and secure tunnel to negotiate IPsec SA transforms. The negotiation of the shared policy determines how the IPsec tunnel is established. The IPsec tunnel is created and data is transferred between the IPsec peers based on the IPsec
    parameters configured in the IPsec transform sets.

  4. The IPsec tunnel terminates when the IPsec SAs are deleted or when their lifetime expires.

 

Cisco site to site VPN Simple configuration example


 

The bellow section will guide you step by step trough configuring and administering a simple Cisco VPN IPSEC installation including common configurations like :

  1. This kind of tunnel is better configured using the CLI of the appliance
  2. Create the VPN tunnel with all the info needed bellow
  3. Make sure you have access to both devices in question
  4. If the two devices are dissmilar in manifacturer then you will need to understand the general principles for creating the site to site or lan to lan tunnel as the configuration will be different for each device type
  • peer ip address
  • pre shared key
  • encryption parameters and encrypt maps phase 1 and phase 2

Near End Configuration Example


 

crypto ipsec transform-set TESTAES esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 15360
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set peer 3.3.3.3
crypto map outside_map 1 set transform-set TESTAES
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key testkey

intresting traffic definition

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip host 1.1.1.1 2.2.2.2 255.255.255.255

 

Far end


 


everything must be mirrored on the opposite site except the peer ip address

 

Recommended Reading


 

  1. Cisco ACS Best Practices document
  2. Cisco ASA Best Practices and Security Hardening Document.
  3. Cisco-vpn-ipsec-configuration-examples
  4. Cisco-ids-ips-aip-idsm-configuration-examples
  5. Detailed Cisco ACS 5.2 installation and configuration example with print screens

Share The Link And Enjoy Thanks !

 

 

 

If you require assistance in configuring maintaining or migrating your current Cisco VPN IPSEC installation please contact us here