I have worked in the I.T. world for a while now, and to this day I see so many issues when people are trying to set up a site-to-site VPN. Of course there are many routers that can do this, but because I think Cisco is the gold standard in networking, I would like to share a simple site-to-site setup I use with you.

This article assumes you have the Cisco routers on both ends set up and you are ready to get the tunnel up. Here is the simple list of steps to get this thing going. And remember, this is a basic configuration; you may need some more specific access lists to accomplish your goal.

!!Let's set up a site-to-site, shall we!!
!!Apply the crypto map to the outside interface

interface GigabitEthernet0/1
crypto map tunnel-map

!!Now let's set up our policies

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2

!!We need a pre-shared key, don't we (x.x.x.x is the remote WAN IP)

crypto isakmp key !yourkey! address x.x.x.x

!!Now for the transform set

crypto ipsec transform-set Here-to-There esp-3des esp-md5-hmac

!!And now it's time for the tunnel map (x.x.x.x is the remote WAN IP)

crypto map tunnel-map 10 ipsec-isakmp
set peer x.x.x.x
set transform-set Here-to-There
match address VPN

!!And of course the access list (here x.x.x.x is the remote LAN network, not the remote WAN IP)

ip access-list extended VPN
permit ip 10.0.0.0 0.0.0.255 x.x.x.x 0.0.0.255 log

!!Don't forget to deny it in the NAT list, and remember that the deny statement must come before you permit the rest of the traffic.

ip access-list extended NAT
deny ip 10.0.0.0 0.0.0.255 x.x.x.x 0.0.0.255
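Here is the whole thing put together for both routers, as an added example that is not part of the original post. It assumes Site A has LAN 10.0.0.0/24 and WAN 203.0.113.1, Site B has LAN 10.0.1.0/24 (the remote network that shows up in the show crypto session output later in the post) and WAN 198.51.100.1, and that GigabitEthernet0/0 is the inside interface; those addresses, the default-gateway addresses and the pre-shared key placeholder are all made up. It keeps the names used above (tunnel-map, Here-to-There, VPN, NAT) but swaps the 3DES / MD5 / group 2 settings for AES-256 / SHA-256 / DH group 14, because Cisco now flags the older ones as deprecated, and it adds the permit line and the ip nat statement that the NAT access list needs in order to actually do anything.

```cisco
! ===== Site A (constructed example: LAN 10.0.0.0/24, WAN 203.0.113.1) =====
!
! Phase 1 (IKEv1) policy. AES-256 / SHA-256 / DH group 14 are used instead
! of the 3DES / MD5 / group 2 values above, which Cisco now flags as deprecated.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key, bound to the remote peer's WAN address only.
! Replace the placeholder with a long random string; it must match on both ends.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 198.51.100.1
!
! Phase 2 transform set. Tunnel mode is the default for site-to-site.
crypto ipsec transform-set Here-to-There esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: the "interesting" traffic that must be encrypted.
! The far side must carry the exact mirror image (source and destination swapped).
ip access-list extended VPN
 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
!
! NAT ACL: the deny for the VPN traffic MUST come before the permit for everything
! else, otherwise LAN-to-LAN packets get translated and never match the crypto ACL.
ip access-list extended NAT
 deny   ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
! Without this line the NAT ACL is never consulted at all.
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
crypto map tunnel-map 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set Here-to-There
 set pfs group14
 match address VPN
!
interface GigabitEthernet0/0
 description Inside LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! The crypto map goes on the outside interface, applied last so it already exists.
interface GigabitEthernet0/1
 description Outside WAN
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map tunnel-map
!
! Traffic for the remote LAN has to leave through the outside interface (here via
! the default route) or it never reaches the crypto map.
ip route 0.0.0.0 0.0.0.0 203.0.113.254

! ===== Site B (constructed example: LAN 10.0.1.0/24, WAN 198.51.100.1) =====
! Identical policy and transform set; only the lines below differ.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 203.0.113.1
!
ip access-list extended VPN
 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
ip access-list extended NAT
 deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 any
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
crypto map tunnel-map 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set Here-to-There
 set pfs group14
 match address VPN
!
interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
 crypto map tunnel-map
!
ip route 0.0.0.0 0.0.0.0 198.51.100.254
```

Once both sides are in, send some traffic across (a ping from a host on one LAN to a host on the other is enough to bring the tunnel up) and then check show crypto session and show crypto ipsec sa. In the second one the #pkts encaps and #pkts decaps counters should both climb; if only encaps moves, your packets are going out but nothing is coming back, which almost always means the far side's crypto ACL is not an exact mirror of yours or its NAT exemption is missing.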

To test these settings, use the show crypto session command; you should get something like this.

RouterA# sh crypto session

Crypto session current status

Interface: GigabitEthernet0/1
Session status: UP-ACTIVE
Peer: x.x.x.x port 500
  IKE SA: local x.x.x.x/500 remote x.x.x.x/500 Active
  IKE SA: local x.x.x.x/500 remote x.x.x.x/500 Active
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 10.0.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 10.0.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

That's it, pretty simple stuff, huh? You just have to change the IPs to match your needs and put this in on both sides, and it should work fine for you. If you have any problems, post a comment and I will try to help.