
Cisco IOS IPSEC template
Reference Sheet Name: IPSEC configuration
Version: 1.0
Template dated October 25, 2006

Command (the indented text under each command is its purpose)

crypto isakmp policy 1
    Creates a new ISAKMP (IKE phase 1) policy. The number is the policy's priority: IOS
    evaluates policies in ascending order of this number and uses the first one both peers
    accept, so with a single policy the number does not matter.
 encr 3des
    Sets encryption to triple-DES.
 hash sha
    Sets the hash algorithm to SHA-1.
 authentication pre-share
    Sets the authentication type to a pre-shared key between the IPSEC peers.
 group 2
    Sets the policy to use Diffie-Hellman group 2 (the 1024-bit MODP group; group 1 is the
    768-bit one). 3DES, SHA-1 and group 2 were the usual choice when this sheet was written,
    but 3DES has a 64-bit block and 1024-bit Diffie-Hellman is no longer considered adequate;
    where the image supports it, prefer AES and a larger group (14 or higher) on both peers.

crypto isakmp key [Shared-key] address [Remote-External-IP]
    Sets the pre-shared key for one specific IPSEC peer. The key lives in the running
    configuration, so anyone who can read or back up the config has it.

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
    Defines a list of common algorithm presets (phase 2 transform sets). The preset name is
    the word right after "transform-set"; comp-lzs adds LZS payload compression. Most newer
    IOS software images support compression and AES encryption. Older ones only support 3DES,
    and some images only support DES, so define only the presets your image accepts.

ip access-list extended Crypto-list
 permit ip [Local-Int-NetID] [Local-Int-RMask] [Remote-Int-NetID] [Remote-Int-RMask]
    Creates the access list that defines what goes into the tunnel. You can add multiple
    entries of source, destination and service. The remote peer's crypto access list must be
    the mirror image of this one (source and destination swapped), or phase 2 negotiation fails.

crypto map VPN-Map-1 10 ipsec-isakmp
    Creates an IPSEC crypto map entry. You can have multiple tunnels per interface by adding
    further entries with the same name "VPN-Map-1" and a higher sequence number than "10".
 set peer [Remote-External-IP]
    Defines the IP address of the remote peer.
 set transform-set [Algorithm-preset]
    Selects one of the algorithm presets defined above; the name must match a defined
    transform-set exactly.
 set pfs group2
    Enables Perfect Forward Secrecy: a fresh Diffie-Hellman exchange for every phase 2 rekey,
    so a compromised phase 1 key does not expose the traffic keys.
 match address Crypto-list
    Binds the access list created earlier, i.e. what goes into the tunnel.

interface [External-Interface]
    Enters the external interface configuration.
 crypto map VPN-Map-1
    Attaches map "VPN-Map-1" to this interface. Only one crypto map per interface is allowed,
    which is why additional tunnels are added as further sequence numbers of the same map.

ip access-list extended [Firewall-policy-name]
    Enters the external firewall policy that controls inbound traffic.
 permit udp host [Remote-External-IP] any eq isakmp
    Permits IKE setup (UDP port 500) from the peer.
 permit esp host [Remote-External-IP] any
    Permits the IPSEC payload (ESP, IP protocol 50) from the peer. If either peer sits behind
    NAT, IKE moves to UDP port 4500 and ESP is carried inside UDP (NAT traversal), so also add
    "permit udp host [Remote-External-IP] any eq non500-isakmp".

Copyright ©2006 CNET Networks, Inc. All rights reserved.

To see more downloads and get your free TechRepublic membership, please visit http://downloads.techrepublic.com.

Variable name, user-defined default, and description

[Shared-key]  Fe45tsdHk348dgK89eAa
    The pre-shared secret used to authenticate the IPSEC peers; both ends must be configured
    with the same value. Replace the sample value with your own long random key.
[Remote-External-IP]  216.36.81.74
    The external IP address of the peer router.
[Local-Int-NetID]  192.168.20.0
    The internal network ID of the local network.
[Local-Int-RMask]  0.0.0.255
    The reverse (wildcard) mask of the local network.
[Remote-Int-NetID]  192.168.22.0
    The internal network ID of the remote network.
[Remote-Int-RMask]  0.0.0.255
    The reverse (wildcard) mask of the remote network.
[Algorithm-preset]  3DES-SHA-compression
    Configures the tunnel for one of the algorithm presets. The value must be exactly one of
    the transform-set names defined in the template (3DES-SHA, AES-SHA, 3DES-SHA-compression
    or AES-SHA-compression); a name that does not match a defined transform-set leaves the
    crypto map without a usable phase 2 proposal.
[External-Interface]  Serial0/0/0
    The external interface of the local VPN router.
[Firewall-policy-name]  IPSEC-Carson
    In order for the IPSEC VPN to work, we must open up some ports for the tunnel to come
    through the firewall. Note that this default value matches the policy in our Cisco 851W
    template. Change it to whatever you are using for your inbound firewall ACL, or stay with
    the default if you are using our previous Cisco 851W template.
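As an added check for this sheet (example code written for this edit, not part of the TechRepublic template or of any Cisco tool), the Python script below parses the commands the template uses and flags the mistakes that most often keep the tunnel down, such as a crypto map that names a transform-set which was never defined, a map never applied to an interface, or a firewall policy that does not admit IKE and ESP from the peer, and it also warns about the legacy algorithms the template defaults to. The function and constant names (parse_ios_ipsec, lint_ios_ipsec, legacy, LEGACY, MAP_ATTRS, TEMPLATE, REPORT) are mine; the embedded sample configuration is the sheet's own default values, and the parser understands only the IOS subset shown on this sheet.

```python
"""Linter for a Cisco IOS crypto-map IPsec configuration; an added example, not part of the
TechRepublic sheet. It parses the IOS subset the sheet uses and reports what keeps the tunnel
down (undefined transform-set, crypto ACL or peer key; a map never applied to an interface; a
firewall ACL that does not admit IKE and ESP from the peer) as well as legacy algorithms."""
import re

LEGACY = {  # reasons describe the algorithms themselves, not any particular IOS image
    "des": "single DES (56-bit key)",
    "3des": "3DES (64-bit block; Sweet32 on long-lived SAs)",
    "md5": "MD5",
    "sha": "SHA-1 (prefer sha256 where the image supports it)",
    "group 1": "DH group 1 (768-bit MODP)",
    "group 2": "DH group 2 (1024-bit MODP; use group 14 or higher)",
}
MAP_ATTRS = {"set peer": "peer", "set transform-set": "ts", "match address": "acl"}

def parse_ios_ipsec(text):
    """Line-oriented parse; the last top-level command seen owns the sub-commands after it."""
    cfg, ctx = {"policies": {}, "keys": {}, "ts": {}, "acls": {}, "maps": [], "ifmaps": {}}, None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("policy", cfg["policies"].setdefault(int(w[3]), {}))
        elif w[:3] == ["crypto", "isakmp", "key"]:          # crypto isakmp key <key> address <peer>
            cfg["keys"][w[5]] = w[3]; ctx = None
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][w[3]] = w[4:]; ctx = None
        elif w[:2] == ["crypto", "map"] and len(w) >= 5:     # crypto map <name> <seq> ipsec-isakmp
            cfg["maps"].append({"name": w[2], "seq": int(w[3])}); ctx = ("map", cfg["maps"][-1])
        elif w[:2] == ["crypto", "map"] and ctx and ctx[0] == "interface":
            cfg["ifmaps"][ctx[1]] = w[2]                     # 'crypto map <name>' under an interface
        elif w[:2] == ["ip", "access-list"]:
            ctx = ("acl", cfg["acls"].setdefault(w[3], []))
        elif w[0] == "interface":
            ctx = ("interface", w[1])
        elif ctx and ctx[0] == "policy":
            ctx[1][w[0]] = " ".join(w[1:])
        elif ctx and ctx[0] == "map" and len(w) >= 3 and f"{w[0]} {w[1]}" in MAP_ATTRS:
            ctx[1][MAP_ATTRS[f"{w[0]} {w[1]}"]] = w[2]
        elif ctx and ctx[0] == "acl" and w[0] in ("permit", "deny"):
            ctx[1].append(" ".join(w))
    return cfg

def legacy(token):
    """esp-3des -> 3des, esp-sha-hmac -> sha, group2 -> 'group 2'; None unless the algorithm is legacy."""
    core = re.sub(r"^group(\d)", r"group \1", token.removeprefix("esp-").removesuffix("-hmac"))
    return LEGACY.get(core)

def lint_ios_ipsec(cfg):
    """(severity, message) pairs: 'error' keeps the tunnel from coming up, 'warning' weakens it."""
    out = []
    for prio, p in cfg["policies"].items():
        toks = [p.get("encr", ""), p.get("hash", ""), "group " + p.get("group", "")]
        out += [("warning", f"isakmp policy {prio}: {t} is {legacy(t)}") for t in toks if legacy(t)]
    for name, toks in cfg["ts"].items():
        out += [("warning", f"transform-set {name}: {t} is {legacy(t)}") for t in toks if legacy(t)]
    for m in cfg["maps"]:
        where, peer = f"crypto map {m['name']} {m['seq']}", m.get("peer", "<missing>")
        if m.get("ts") not in cfg["ts"]:
            out.append(("error", f"{where}: transform-set '{m.get('ts')}' is not defined"))
        if m.get("acl") not in cfg["acls"]:
            out.append(("error", f"{where}: crypto ACL '{m.get('acl')}' is not defined"))
        if m["name"] not in cfg["ifmaps"].values():
            out.append(("error", f"{where}: map '{m['name']}' is not applied to any interface"))
        if peer not in cfg["keys"]:
            out.append(("error", f"{where}: no pre-shared key configured for peer {peer}"))
        # Every ACL other than the crypto ACL is treated as the inbound firewall policy.
        fw = [l for n, ls in cfg["acls"].items() if n != m.get("acl") for l in ls]
        for pat, what in ((rf"permit udp host {re.escape(peer)} \S+ eq isakmp\b", "IKE (UDP 500)"),
                          (rf"permit esp host {re.escape(peer)} \S+", "ESP")):
            if not any(re.match(pat, l) for l in fw):
                out.append(("error", f"{where}: no firewall ACL entry permitting {what} from {peer}"))
    return out

# The sheet's own example values (3DES-SHA-compression preset, peer 216.36.81.74).
TEMPLATE = """\
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key Fe45tsdHk348dgK89eAa address 216.36.81.74
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
ip access-list extended Crypto-list
 permit ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 216.36.81.74
 set transform-set 3DES-SHA-compression
 set pfs group2
 match address Crypto-list
interface Serial0/0/0
 crypto map VPN-Map-1
ip access-list extended IPSEC-Carson
 permit udp host 216.36.81.74 any eq isakmp
 permit esp host 216.36.81.74 any
"""
REPORT = lint_ios_ipsec(parse_ios_ipsec(TEMPLATE))  # five warnings, no errors, for the defaults
```

Run it against the output of show running-config (pasted into TEMPLATE or read from a file) before pushing a change: the sheet's defaults produce only algorithm warnings, whereas a crypto map that points at a preset name that was never defined, a map left off the external interface, or a firewall policy missing the ESP entry each come back as an error with the crypto map entry it belongs to.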

Example: the template with the default values from the variable table filled in
([Algorithm-preset] = 3DES-SHA-compression)

crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key Fe45tsdHk348dgK89eAa address 216.36.81.74
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
ip access-list extended Crypto-list
 permit ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 216.36.81.74
 set transform-set 3DES-SHA-compression
 set pfs group2
 match address Crypto-list
interface Serial0/0/0
 crypto map VPN-Map-1
ip access-list extended IPSEC-Carson
 permit udp host 216.36.81.74 any eq isakmp
 permit esp host 216.36.81.74 any