Cisco VPN – Commands (site-to-site)

I very rarely set up site-to-site VPNs and thought this could be some additional information to add to the blog, sitting outside the normal blog posts, so enjoy.

Some of you might find this information a little dated, but I am going to do this in reference to the commands I have used and the IOS version that is on the ASAs I work with. In the future I may update this page as the environment I work with changes.

The steps for configuring a site-to-site IPsec tunnel (l2l) are as follows:

1. enable ISAKMP
2. create an ISAKMP policy
3. set the tunnel type
4. create pre-shared keys
5. define the IPsec policy
6. specify interesting traffic
7. configure the crypto map
8. apply the crypto map to the interface
9. bypass NAT (optional)


ISAKMP has to be enabled on an interface; this is the first part of configuring IKE phase 1.

isakmp enable interface-name

For interface-name, outside is generally used.


The ISAKMP policy defines authentication, encryption, group, hash, and lifetime.

isakmp policy priority [authentication | encryption | group | hash | lifetime]

isakmp policy 10 authentication {des-sig | pre-share | rsa-sig}

I have generally used pre-share in all of the site-to-site VPN tunnels I have configured.

Encryption is next, with options for 3des, aes, aes-192, aes-256, and des.

isakmp policy 10 encryption aes-256

group {1 | 2 | 5 | 7}

isakmp policy 10 group 2

hash {md5 | sha}

isakmp policy 10 hash sha

lifetime {128-2147483647}

isakmp policy 10 lifetime 28800


configure tunnel

There are two tunnel types: remote access or site-to-site.

tunnel-group tunnel-group-name type tunnel_type

tunnel-group tunnel-group-name type ipsec-l2l

configure ISAKMP pre-shared keys

tunnel-group tunnel-group-name ipsec-attributes

tunnel-group tunnel-group-name ipsec-attributes

 pre-shared-key cisco2015


IPsec policy

The IPsec policy is defined by the transform set. The transform set is made up of two parts: encryption and hashing.

crypto ipsec transform-set transform-set-name {esp-3des | esp-aes | esp-aes-192 | esp-aes-256 | esp-des | esp-md5-hmac | esp-null | esp-sha-hmac}


crypto ipsec transform-set tunnel1 esp-aes-256 esp-sha-hmac


specify interesting traffic

An ACL is used to define interesting traffic. Generally this is done with just networks; however, I have recently defined it between two hosts.

access-list crypto_map_10 extended permit ip


configure crypto map

A crypto map must contain the transform set, the VPN peer, and the crypto ACL.

crypto map map-name seq-num set transform-set transform-set-name

crypto map map-name seq-num set peer {ip-address | hostname}

crypto map map-name seq-num match address acl-name

crypto map outside_map_2 10 set transform-set tunnel1

crypto map outside_map_2 10 set peer

crypto map outside_map_2 10 match address crypto_map_10


crypto map applied to an interface

crypto map map-name interface interface-name

crypto map outside_map_2 interface outside

Traffic filtering is done with an ACL configured on the outside interface.


Bypassing NAT

Generally an access-list named nonat is used; add the matching traffic to this access-list. The access-list is then applied via nat (inside) 0 access-list nonat.
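The steps above assembled into one complete ASA configuration, as an added example (not configuration from the post or from Cisco). It keeps the post's names (policy 10, transform set tunnel1, crypto map outside_map_2, crypto ACL crypto_map_10, nonat) and the post's flat isakmp and pre-8.3 nat 0 syntax. The peer address 203.0.113.2 (a documentation range, RFC 5737) and the LANs 10.1.1.0/24 (local) and 10.2.2.0/24 (remote) are constructed placeholders; the pre-shared key is the post's example value and would be replaced by a long random secret in practice.

```cisco
! --- IKE phase 1: enable ISAKMP on the outside interface and define policy 10
! (peer address, LAN ranges and tunnel-group name are constructed placeholders)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

! --- Tunnel group: for a site-to-site (l2l) tunnel the name is the peer's IP,
! and the pre-shared key lives under its ipsec-attributes
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key cisco2015

! --- IKE phase 2: transform set (ESP encryption + ESP integrity)
crypto ipsec transform-set tunnel1 esp-aes-256 esp-sha-hmac

! --- Interesting traffic: local LAN to remote LAN (the peer needs the mirror image)
access-list crypto_map_10 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! --- Crypto map entry 10 ties ACL, peer and transform set together,
! then the map is bound to the outside interface
crypto map outside_map_2 10 match address crypto_map_10
crypto map outside_map_2 10 set peer 203.0.113.2
crypto map outside_map_2 10 set transform-set tunnel1
crypto map outside_map_2 interface outside

! --- NAT exemption (pre-8.3 syntax): tunnel traffic must not be translated,
! so the nonat ACL mirrors the crypto ACL exactly
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
```

Once interesting traffic flows, show crypto isakmp sa should list the peer in an active state and show crypto ipsec sa should show encaps/decaps counters climbing for the 10.1.1.0/24 to 10.2.2.0/24 pair; a phase 1 SA with no phase 2 SA usually means the crypto ACLs on the two ends are not mirror images, and traffic leaving untranslated only works if the nonat ACL matches the crypto ACL. Note that the ASA enables sysopt connection permit-vpn by default, which exempts decrypted tunnel traffic from the outside interface ACL; if that ACL is meant to filter tunnel traffic as the post describes, it takes effect only after no sysopt connection permit-vpn. Group 2 and SHA-1 are kept here to match the post; on software that offers them, a larger DH group and SHA-2 are the stronger choices.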