Cisco Router: Setup Site-to-Site VPN

First, make sure your router supports the crypto commands and has the HSECK9 license, which is required for higher VPN throughput. Use the following command to check the licenses installed on your Cisco router.

show license

To create a site-to-site VPN, you will need the crypto (ISAKMP) policy, the pre-shared crypto key, a transform set, a crypto ACL and a crypto map shown below. The addresses used in the example are:

192.168.1.1 is the outside IP address of router A

Router A’s internal network is 203.255.2.0/24

Router B’s internal network is 199.255.128.0/24

172.16.100.249 is the outside IP address of router B

your_preshared_key_goes_here is the pre-shared key; it must be identical on both routers.

Below is router A’s crypto configuration.

! Phase 1 (ISAKMP/IKEv1) policy: AES-256, SHA-256, DH group 14, 8-hour lifetime
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Identify this router to the peer by its IP address rather than its hostname
crypto isakmp identity address
!
! Pre-shared key bound to router B's outside address; no-xauth because this is
! a site-to-site tunnel, not a remote-access client
crypto isakmp key your_preshared_key_goes_here address 172.16.100.249 no-xauth
!
! Phase 2 (IPsec) transform set: ESP with AES-256 and SHA-1 HMAC, tunnel mode
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL: the "interesting" traffic, router A's LAN to router B's LAN
ip access-list extended ROUTERB-ACL-MAP
 permit ip 203.255.2.0 0.0.0.255 199.255.128.0 0.0.0.255
!
! Crypto map ties the peer, the ACL and the transform set together, with PFS
crypto map MPLS_MAP 10 ipsec-isakmp
 match address ROUTERB-ACL-MAP
 set peer 172.16.100.249
 set transform-set ESP-AES-SHA
 set pfs group14
!
! Apply the crypto map to the outside (peer-facing) interface
interface GigabitEthernet0/0/0
 crypto map MPLS_MAP

Below is router B’s crypto configuration. It mirrors router A’s: the peer and key address point at router A, and the crypto ACL is reversed.

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
crypto isakmp identity address
!
crypto isakmp key your_preshared_key_goes_here address 192.168.1.1 no-xauth
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
ip access-list extended ROUTERA-ACL-MAP
 permit ip 199.255.128.0 0.0.0.255 203.255.2.0 0.0.0.255
!
crypto map MPLS_MAP 10 ipsec-isakmp
 match address ROUTERA-ACL-MAP
 set peer 192.168.1.1
 set transform-set ESP-AES-SHA
 set pfs group14
!
interface GigabitEthernet0/0/0
 crypto map MPLS_MAP
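Most site-to-site tunnels that fail to come up do so because the two sides do not agree: the key is bound to an address other than the peer, a phase 1 or phase 2 attribute differs, or the crypto ACLs are not exact mirror images. The following Python script is an added example (not part of the original post) that parses excerpts of the two configurations above and reports those mismatches before the config is pushed; the function names `parse` and `check_mirror` are this example's own.

```python
import re

# Constructed excerpts of the two configurations shown above (sample input for
# this example, not output taken from a live device).
ROUTER_A = """
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key your_preshared_key_goes_here address 172.16.100.249 no-xauth
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
 permit ip 203.255.2.0 0.0.0.255 199.255.128.0 0.0.0.255
 set peer 172.16.100.249
 set pfs group14
"""
# Router B is the mirror image: its peer is router A and the ACL is reversed.
ROUTER_B = ROUTER_A.replace("172.16.100.249", "192.168.1.1").replace(
    "203.255.2.0 0.0.0.255 199.255.128.0", "199.255.128.0 0.0.0.255 203.255.2.0")

def parse(cfg):
    """Extract the values that must agree between the two IKE/IPsec peers."""
    grab = lambda pat: re.search(pat, cfg).group(1)
    return {
        "key_peer": grab(r"crypto isakmp key \S+ address (\S+)"),
        "map_peer": grab(r"set peer (\S+)"),
        "transform": grab(r"crypto ipsec transform-set \S+ (.+)"),
        "pfs": grab(r"set pfs (\S+)"),
        # ISAKMP policy attributes, sorted so line order does not matter
        "policy": tuple(sorted(re.findall(
            r"^ (encryption|hash|authentication|group|lifetime) (.+)$", cfg, re.M))),
        "acl": re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups(),
    }

def check_mirror(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for side, p in (("A", a), ("B", b)):
        if p["key_peer"] != p["map_peer"]:  # PSK bound to an address that is not the peer
            problems.append(f"router {side}: key address {p['key_peer']} != peer {p['map_peer']}")
    for field in ("policy", "transform", "pfs"):
        if a[field] != b[field]:  # phase 1 and phase 2 proposals must match exactly
            problems.append(f"{field} differs between routers")
    src, src_wc, dst, dst_wc = a["acl"]
    if b["acl"] != (dst, dst_wc, src, src_wc):  # B's crypto ACL must be A's reversed
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Run `check_mirror(ROUTER_A, ROUTER_B)` on the real running configs (for example the output of `show running-config`) and an empty list means the two sides agree on peer, key address, proposals and interesting traffic.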
