Chapter 7 Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation

Configuration Example

 tunnel source fastethernet 0
 tunnel destination 192.168.101.1
!
ip route 20.20.20.0 255.255.255.0 tunnel 1
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group rtr-remote
 key secret-password
 dns 10.50.10.1 10.60.10.1
 domain company.com
 pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
! Defines the key association and authentication for the IPsec tunnel.
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
! Defines the encryption and transform set for the IPsec tunnel.
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
! Associates all crypto values and the peering address for the IPsec tunnel.
crypto map to_corporate 1 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set set1
 match address 105
!
! VLAN 1 is the internal interface.
interface vlan 1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip inspect firewall in  ! Inspection examines outbound traffic.
 crypto map static-map
 no cdp enable
!
! FE4 is the outside (Internet-exposed) interface.
interface fastethernet 4
 ip address 210.110.101.21 255.255.255.0
 ! ACL 103 permits IPsec traffic from the corporate router and
 ! denies Internet-initiated traffic inbound.
 ip access-group 103 in
 ip nat outside
 no cdp enable
 crypto map to_corporate  ! Applies the IPsec tunnel to the outside interface.


Cisco Secure Router 520 Series Software Configuration Guide (OL-14210-01), page 7-10
