Date created: Tuesday, April 23, 2013 5:53:53 PM. Last modified: Tuesday, April 23, 2013 5:54:23 PM

Aggressive Mode IPSEC

Template for a LAN-to-LAN IPsec tunnel on Cisco IOS using IKEv1 aggressive mode, the mode a mobile IPsec client uses when connecting to a m0n0wall or similar firewall

! Create an ISAKMP (Phase 1) policy for the key exchange tunnel
! No "group" line is given, so the IOS default Diffie-Hellman group 1 (768-bit) applies
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 lifetime 28800
!
!
! Specify a pre-shared key (password) for the ISAKMP tunnel and set it to aggressive mode
! Also specify a username, which becomes the "Identifier" for pre-shared keys on m0n0wall
!
crypto isakmp peer address 5.5.5.5
 set aggressive-mode password AAAAAASADSADSADSADASSDSA
 set aggressive-mode client-endpoint user-fqdn USERNAME
!
!
! Create an ACL to match the traffic that should be sent over the IPsec tunnel
! Here, anything from the local net 10.0.58.0/24 to the remote net 5.5.5.0/24
! is passed over the tunnel
!
access-list 110 remark IPSEC TO LONDON
access-list 110 permit ip 10.0.58.0 0.0.0.255 5.5.5.0 0.0.0.255
access-list 110 permit icmp 10.0.58.0 0.0.0.255 5.5.5.0 0.0.0.255
!
!
! Create a transform set policy for the phase 2 tunnel
!
crypto ipsec transform-set IPSEC-LONDON-AES-SHA esp-aes esp-sha-hmac
!
!
! Now create an IPsec (Phase 2) policy for the data tunnel
! "set pfs group1" gives perfect forward secrecy with Diffie-Hellman group 1 (768-bit),
! the weakest group IOS offers; both ends must agree on the group
!
crypto map IPSEC-TO-LONDON 1 ipsec-isakmp
 description IPSEC TO LONDON
 set peer 5.5.5.5
 set security-association lifetime seconds 28800
 set transform-set IPSEC-LONDON-AES-SHA
 set pfs group1
 match address 110
!
!
! Enable the crypto map on the outgoing interface
!
interface Dialer1
 crypto map IPSEC-TO-LONDON
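The template above works, but several of its choices (aggressive mode with a pre-shared key, the implicit Diffie-Hellman group 1, SHA-1 HMACs, PFS group 1) are ones a reviewer would flag today. The script below is an added example, not part of the original page and not Cisco's or m0n0wall's tooling: it parses an IOS configuration into top-level commands and their sub-commands, runs a handful of checks over the ISAKMP policy, the ISAKMP peer, the transform set and the crypto map, and reports findings. The page's own template is embedded as the weak sample; the hardened variant beside it (main mode with "crypto isakmp key", "hash sha256", "group 14", "esp-sha256-hmac", "set pfs group14") is an assumption about what the IOS release and the far-end peer support, and its key is a placeholder. The severity ratings are this script's own reading of common hardening guidance.

```python
"""Static review of a Cisco IOS IKEv1/IPsec template for weak settings.
Added example for this page, not Cisco's or the page's own tooling; the
severity rules are this script's reading of common hardening guidance."""
from collections import namedtuple

Finding = namedtuple("Finding", "section severity message")
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768/1024/1536-bit MODP groups
WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
LEGACY_SHA1 = {"sha", "esp-sha-hmac"}  # HMAC-SHA-1: still works, but worth flagging

# The page's template as constructed sample input (5.5.5.5 and the password
# are the page's placeholders, not real values).
WEAK_CONFIG = """\
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 lifetime 28800
crypto isakmp peer address 5.5.5.5
 set aggressive-mode password AAAAAASADSADSADSADASSDSA
 set aggressive-mode client-endpoint user-fqdn USERNAME
crypto ipsec transform-set IPSEC-LONDON-AES-SHA esp-aes esp-sha-hmac
crypto map IPSEC-TO-LONDON 1 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set IPSEC-LONDON-AES-SHA
 set pfs group1
 match address 110
"""

# Same tunnel in main mode with stronger choices (assumed supported by both
# ends; the key is a placeholder).
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 5.5.5.5
crypto ipsec transform-set IPSEC-LONDON-AES-SHA esp-aes 256 esp-sha256-hmac
crypto map IPSEC-TO-LONDON 1 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set IPSEC-LONDON-AES-SHA
 set pfs group14
"""

def parse_sections(text):
    """Split IOS config into (top-level command, [indented sub-commands])."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank or '!' comment line
        if not line[0].isspace():
            sections.append((line.strip(), []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections

def check_algorithms(section, tokens):
    """Flag weak or legacy cipher/hash keywords among a list of tokens."""
    out = []
    for t in tokens:
        if t in WEAK_ALGS:
            out.append(Finding(section, "high", f"{t} is weak; replace it"))
        elif t in LEGACY_SHA1:
            out.append(Finding(section, "medium", f"{t} is HMAC-SHA-1; prefer sha256 or stronger"))
    return out

def audit_config(text):
    """Return the Findings for weak IKEv1/IPsec settings in an IOS config."""
    findings = []
    for section, subs in parse_sections(text):
        if section.startswith("crypto isakmp policy"):
            settings = {s.split()[0]: s.split()[1:] for s in subs}
            findings += check_algorithms(section, sum(settings.values(), []))
            group = settings.get("group", ["1"])[0]  # IOS default when omitted is group 1
            if group in WEAK_DH_GROUPS:
                how = "configured" if "group" in settings else "implicit IOS default"
                findings.append(Finding(section, "high",
                    f"Diffie-Hellman group {group} ({how}) is weak; use group 14 or higher"))
        elif section.startswith("crypto isakmp peer"):
            if any(s.startswith("set aggressive-mode password") for s in subs):
                findings.append(Finding(section, "high",
                    "aggressive mode with a pre-shared key sends the identity in the clear and "
                    "exposes the PSK hash to offline guessing; prefer main mode or IKEv2"))
        elif section.startswith("crypto ipsec transform-set"):
            findings += check_algorithms(section, section.split()[4:])
        elif section.startswith("crypto map") and "ipsec-isakmp" in section:
            pfs = [s.split()[2] for s in subs if s.startswith("set pfs")]
            if not pfs:
                findings.append(Finding(section, "medium", "no PFS: an IKE SA compromise exposes traffic keys"))
            elif pfs[0].replace("group", "") in WEAK_DH_GROUPS:
                findings.append(Finding(section, "high", f"PFS {pfs[0]} is a weak DH group; use group14 or higher"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("page template", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for f in audit_config(cfg) or [Finding(label, "info", "no findings")]:
            print(f"{label}: [{f.severity}] {f.section}: {f.message}")
```

Run as-is, the page template produces five findings (three high, two medium) and the hardened variant produces none. The parser only understands the two-level "command / indented sub-command" layout IOS uses, which is enough for crypto sections; a real deployment would also want the transform set and crypto map checked against what the m0n0wall side is configured to accept, since a stronger proposal the peer does not offer simply fails to negotiate.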
