Date created: Wednesday, October 31, 2012 12:06:27 PM. Last modified: Monday, July 29, 2013 3:47:00 PM

Basic IPSEC Tunnel

A basic IPsec site-to-site tunnel on Cisco IOS (IKEv1 with a pre-shared key). This is deliberately minimal and NOT the most secure configuration: 3DES, MD5 and Diffie-Hellman group 1 are all deprecated, so read the notes in the listing before reusing it.

! Create an ISAKMP (Phase 1 / IKEv1) policy, used to set up the key-exchange tunnel.
! The '30' is the policy's priority number (on IOS, lower numbers are evaluated first
! when several policies exist); it is not an identifier the peer sees.
!
! NOTE(review): 3DES and MD5 are both deprecated for new deployments. Prefer
! `encr aes 256` and `hash sha256` (or stronger) wherever the remote peer supports them.
! NOTE(review): no `group` line is present, so the Diffie-Hellman group falls back to
! the platform default (DH group 1 / 768-bit on IOS releases of this era - confirm with
! `show crypto isakmp policy`). Set it explicitly, e.g. `group 14`, and match it on the peer.
! `lifetime 3600` is the Phase 1 SA lifetime in seconds; it must be acceptable to the peer.
!
crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 lifetime 3600
!
!
! Specify the pre-shared key used to authenticate the ISAKMP tunnel with the peer
! at 123.123.123.123 (the identical key must be configured on that peer).
!
crypto isakmp key 0 5up3rs4f3k33y address 123.123.123.123
!
! '0' above means the key is being entered as a cleartext string, so '5up3rs4f3k33y'
! is the literal key. It is a placeholder: replace it with a long, random, per-peer
! secret before use, and distribute it out of band (never over the tunnel it protects).
! NOTE(review): entered this way the key is readable in `show running-config` and in
! every config backup. If the IOS release supports it, consider type-6 storage
! (`key config-key password-encryption` plus `password encryption aes`), and restrict
! who can read the running config in any case.
!
!
! Create an ACL that selects the traffic to be sent over the IPsec tunnel ("interesting
! traffic"). Here, anything from the local net 10.0.0.0/24 to the remote net
! 192.168.0.0/24 is passed over the tunnel. Note the 0.0.0.255 values are IOS
! wildcard masks, i.e. the inverse of a /24 subnet mask.
!
! 'permit' here means "encrypt", not "allow": this ACL is a crypto selector, not a
! packet filter, and it must be mirrored on the remote peer (192.168.0.0/24 ->
! 10.0.0.0/24) or Phase 2 negotiation will fail.
! NOTE(review): if NAT is applied on the same outside interface, this traffic will
! usually need to be exempted from translation so it still matches this ACL - confirm
! against the rest of the router config, which is not shown here.
!
access-list 130 remark BACKUP IPSEC TO LONDON
access-list 130 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
! Create a transform set (the cipher/integrity proposal) for the Phase 2 data tunnel:
! ESP with 3DES for confidentiality and HMAC-MD5 for integrity. The peer must offer a
! matching proposal.
! NOTE(review): both algorithms are deprecated; prefer `esp-aes 256 esp-sha256-hmac`
! (or stronger) where the peer supports it. No `mode` line is given, so the set uses the
! IOS default (tunnel mode on the releases this was written for - verify with
! `show crypto ipsec transform-set`).
!
crypto ipsec transform-set LONDON-3DES-MD5 esp-3des esp-md5-hmac 
!
!
! Now create the crypto map (Phase 2 policy) for the data tunnel. This ties together the
! peer, the transform set and the interesting-traffic ACL under sequence number 1.
!
! The `ipsec-isakmp` keyword tells the router to negotiate the SAs with IKE rather than
! using manually keyed SAs.
! NOTE(review): on IOS, `!` is only recognised as a comment at the start of a line, so
! comments are kept on their own lines here rather than after a command - a trailing
! `! ...` would be rejected as invalid input if this listing were pasted into the CLI.
! NOTE(review): `set pfs group1` requests Perfect Forward Secrecy but with 768-bit DH
! group 1, which is deprecated; use `set pfs group14` (or stronger) and match the peer.
!
crypto map IPSEC-BACKUP-TO-LONDON 1 ipsec-isakmp
 description Backup IPSEC tunnel to back-firewall.xyz.net
 ! The remote peer we are tunnelling with; must match the `crypto isakmp key ... address`.
 set peer 123.123.123.123
 set transform-set LONDON-3DES-MD5 
 set pfs group1
 ! Traffic matching ACL 130 is what gets encrypted to this peer.
 match address 130
!
!
! Apply the crypto map to the outside (peer-facing) interface. The map is evaluated for
! traffic leaving this interface and for IPsec traffic arriving on it; it does nothing
! until bound to an interface.
! NOTE(review): if an inbound ACL is applied to this interface (not shown here), it must
! permit IKE (UDP/500), NAT-T (UDP/4500, if NAT is in the path) and ESP (IP protocol 50)
! from 123.123.123.123, or the tunnel will never come up.
!
interface FastEthernet0/0
 crypto map IPSEC-BACKUP-TO-LONDON