RouterGeek » How to Configure Site-to-Site VPN in Cisco Routers

RouterGeek » How to Configure Site-to-Site VPN in Cisco Routers:
How to Configure Site-to-Site VPN in Cisco Routers

When would you need this: When you want to create a secure tunnel to transfer data between two sites without the use of VPN concentrator or other security devices.
Special Requirements: The routers used must support IPSec. Most of Cisco routers do. Another need is that both sides use a static public IP address to connect to the Internet.

We will go through the steps to be done on one side and the same steps must be repeated on the other side too. The encryption of data will depend on a shared-key. This way, we will not need specialized CAs or RSA methodologies. If you have a hub-and-spoke topology, refer to the note in the bottom.
1. Create Internet Key Exchange (IKE) key policy. The policy used for our case is policy number 9, because this policy requires a pre-shared key.
Router(config)#crypto isakmp policy 9
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share
2. Setup the shared key that would be used in the VPN,
Router(config)#crypto isakmp key VPNKEY address XXX.XXX.XXX.XXX
VPNKEY is the shared key that you will use for the VPN, and remember to set the same key on the other end.
XXX.XXX.XXX.XXX the static public IP address of the other end.
3. Now we set lifetime for the IPSec security associations,
Router(config)#crypto ipsec security-association lifetime seconds YYYYY
where YYYYY is the associations lifetime in seconds. It is usually used as 86400, which is one day.
4. Configure an extended access-list to define the traffic that is allowed to be directed through the VPN link,
Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
AAA is the access-list number
SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK is the source of the data allowed to use the VPN link.
DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK is the destination of the data that need to pass though the VPN link.
5. Define the transformations set that will be used for this VPN connection,
Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC
SETNAME is the name of the transformations set. You can choose any name you like.
BBBB and CCCCC is the transformation set. I recommend the use of “esp-3des esp-md5-hmac”. You can also use “esp-3des esp-sha-hmac”. Any one of these two will do the job.


Packet Life

Packet Life: Community Lab

This is a great site.  Including this link to a lab with modern equipment available for training purposes.