Cisco VPN – Commands (site-to-site)

I very rarely set up site-to-site VPNs and was thinking that this could be some additional information to add to the blog, sitting outside the normal blog posts, so enjoy.

Some of you might find this information a little dated, but I am going to do this in reference to the commands I have used and the OS version that is on the ASAs I work with. In the future I may be updating this page as the environment I work with changes.

The steps for configuring a site-to-site IPsec tunnel (l2l) are as follows:

enable ISAKMP

create ISAKMP policy

set tunnel type

create preshared keys

define the IPSEC policy

specify interesting traffic

configure the crypto map

apply the crypto map to the interface

bypass nat (optional)

 

ISAKMP has to be enabled on an interface; this is the first part of configuring IKE phase 1.

isakmp enable interface-name

The interface name generally used is outside.

 

The ISAKMP policy defines authentication, encryption, group, hash, and lifetime.

 

isakmp policy priority [authentication | encryption | group | hash | lifetime]

isakmp policy 10 authentication {dsa-sig | pre-share | rsa-sig}

I have generally used pre-share in all of the site-to-site VPN tunnels I have configured.

Encryption is next, with options for des, 3des, aes, aes-192, and aes-256.

isakmp policy 10 encryption aes-256

group {1 | 2 | 5 | 7}

isakmp policy 10 group 2

hash {md5 | sha}

isakmp policy 10 hash sha

lifetime {120-2147483647} (seconds)

isakmp policy 10 lifetime 28800

 

configure the tunnel group

There are two tunnel types: remote access or site-to-site (ipsec-l2l). For a site-to-site tunnel the tunnel-group name is the peer's IP address.

tunnel-group tunnel-group-name type tunnel_type

tunnel-group 210.175.201.1 type ipsec-l2l

configure the ISAKMP pre-shared key

tunnel-group tunnel-group-name ipsec-attributes

tunnel-group 210.175.201.1 ipsec-attributes

 pre-shared-key cisco2015

 

IPsec policy

The IPsec policy is defined by the transform set. The transform set is made up of two parts: encryption and hashing (integrity). Both peers must agree on it.

crypto ipsec transform-set transform-set-name {esp-3des | esp-aes | esp-aes-192 | esp-aes-256 | esp-des | esp-md5-hmac | esp-null | esp-sha-hmac}

 

crypto ipsec transform-set tunnel1 esp-aes-256 esp-sha-hmac

 

specify interesting traffic

An ACL is used to define interesting traffic. Generally this is done with just networks; however, I have recently defined it between two hosts. The remote peer's crypto ACL must be the mirror image (source and destination swapped).

 

access-list crypto_map_10 extended permit ip 192.168.18.0 255.255.255.0 192.168.19.0 255.255.255.0

 

configure crypto map

A crypto map entry must contain the transform set, the VPN peer, and the crypto ACL.

crypto map map-name seq-num set transform-set transform-set-name

crypto map map-name seq-num set peer {ip-address | hostname}

crypto map map-name seq-num match address acl-name

 

crypto map outside_map_2 10 set transform-set tunnel1

crypto map outside_map_2 10 set peer 210.175.201.1

crypto map outside_map_2 10 match address crypto_map_10

 

crypto map applied to an interface

crypto map  map-name interface interface-name

crypto map outside_map_2 interface outside

 

Traffic filtering is done with the ACL configured on the outside interface. Note that the ASA's sysopt connection permit-vpn setting is on by default, which lets decrypted VPN traffic bypass the interface ACLs; turn it off if you want the outside ACL to filter tunnel traffic.

 

Bypassing NAT

Generally an access-list named nonat is created and the matching traffic (the same source/destination pairs as the crypto ACL) is added to it. This access-list is applied with nat (inside) 0 access-list nonat so the private addresses are not translated before the traffic is encrypted. This is the pre-8.3 NAT syntax; from 8.3 onwards NAT exemption is done with an identity twice-NAT rule instead.
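The steps above assembled into one complete configuration for one side of the tunnel, as an added example that is not from the original post. It reuses the values used throughout the post (peer 210.175.201.1, networks 192.168.18.0/24 and 192.168.19.0/24, crypto map outside_map_2, ACL crypto_map_10, transform set tunnel1) and keeps the pre-8.3 NAT exemption syntax the post uses. The local LAN being 192.168.18.0/24 behind the inside interface is an assumption, and the pre-shared key is a placeholder to replace.

```cisco
! Site A ASA (pre-8.3 syntax). Assumed: local LAN 192.168.18.0/24 on inside,
! remote LAN 192.168.19.0/24 behind peer 210.175.201.1. Added example, not from the post.

! 1. enable ISAKMP (IKEv1) on the outside interface
isakmp enable outside

! 2. IKE phase 1 policy: pre-shared key, AES-256, SHA, DH group 2, 8 hour lifetime
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

! 3. and 4. tunnel group named after the peer address, carrying the pre-shared key
tunnel-group 210.175.201.1 type ipsec-l2l
tunnel-group 210.175.201.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY

! 5. IPsec (phase 2) transform set: ESP with AES-256 and SHA-1 HMAC
crypto ipsec transform-set tunnel1 esp-aes-256 esp-sha-hmac

! 6. interesting traffic: local network to remote network
access-list crypto_map_10 extended permit ip 192.168.18.0 255.255.255.0 192.168.19.0 255.255.255.0

! 7. crypto map entry 10 ties the ACL, the peer and the transform set together
crypto map outside_map_2 10 match address crypto_map_10
crypto map outside_map_2 10 set peer 210.175.201.1
crypto map outside_map_2 10 set transform-set tunnel1

! 8. apply the crypto map to the outside interface
crypto map outside_map_2 interface outside

! 9. NAT exemption: same source/destination pair as the crypto ACL, so the
!    private addresses are left untranslated before encryption
access-list nonat extended permit ip 192.168.18.0 255.255.255.0 192.168.19.0 255.255.255.0
nat (inside) 0 access-list nonat
```

The peer ASA gets the same configuration with the networks swapped in both ACLs and set peer pointing at Site A's outside address; the IKE policy, transform set and pre-shared key must match exactly on both ends. After sending traffic that matches the crypto ACL, show crypto isakmp sa should show the phase 1 SA for 210.175.201.1 and show crypto ipsec sa should show the phase 2 SA with encaps/decaps counters increasing. On ASA 8.4 and later the same steps use the IKEv1-qualified forms (crypto ikev1 enable outside, crypto ikev1 policy, ikev1 pre-shared-key under the tunnel-group, crypto ipsec ikev1 transform-set and set ikev1 transform-set in the crypto map), and the nat 0 line is replaced by a twice-NAT identity rule. The settings shown mirror the post; for a new deployment treat DH group 2 (1024-bit) and md5 as dated and prefer a larger group and sha.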
