IPSEC SITE TO SITE BETWEEN ROUTERS

Configuration Steps:

Step 1: Configure ISAKMP Policy

//An ISAKMP Policy defines the combination of parameters used for ISAKMP (Phase-1) tunnel negotiation//

           Router(config)#crypto isakmp policy <priority>

//We assign a unique priority number (1 through 10,000, with 1 being the highest priority) to each policy. Any parameter we do not specify in the policy takes its default value//

           Router(config-policy)#encryption <encryption algorithm>

//Specify the encryption algorithm (Default is des)//

           Router(config-policy)#hash <hash algorithm>

//Specify the hash algorithm (Default is sha)//

           Router(config-policy)#group <Diffie-Hellman group>

//Specify the Diffie-Hellman group (Default is DH group 1), which decides the length of the shared secret key generated by the DH exchange//

           Router(config-policy)#authentication <authentication method>

//Specify the authentication method (Default is rsa-sig)//

           Router(config-policy)#lifetime <time in seconds>

//Specify the security association's lifetime in seconds (Default is 86400 seconds)//


Step 2: Configure ISAKMP Key

           Router(config)#crypto isakmp key <#> <pre-shared-key> address <peer address>

//<#> denotes how the key that follows is entered: 0 (unencrypted) or 6 (encrypted)//

Step 3: Configure Mirrored ACL/Crypto ACL for interesting traffic

             Router(config)#access-list <#> permit <protocol> <source address> <destination address>

//Specify the interesting traffic (network or hosts to be protected)//


Step 4: Configure Transform set

             Router(config)#crypto ipsec transform-set <name> <encapsulation-encryption> <encapsulation-hash>

//Define a transform set and specify the protocols to be used for the phase-2 tunnel//

             Router(cfg-crypto-trans)#mode <transport or tunnel>

//Change the mode (transport or tunnel) associated with the transform set. Transport mode is only applicable when the endpoints of our interesting traffic (proxy IDs) and the IPsec peers are the same//


Step 5: Configure Crypto Map

             Router(config)#crypto map <name> <#> ipsec-isakmp

//Create the crypto map, specify a sequence number for this entry, and use the ipsec-isakmp keyword so that ISAKMP negotiates the IPsec SAs//

           Router(config-crypto-map)#set peer <peer address>

//Specify the remote IPsec peer (we can use either a host name or an IP address)//

           Router(config-crypto-map)#match address <Mirror ACL #>

//This access list determines which traffic is protected by IPsec//

           Router(config-crypto-map)#set transform-set <name>

//Specify which transform sets are allowed for this crypto map entry. We can list multiple transform sets (highest priority first)//

Step 6: Apply Crypto Map to an Interface

             Router(config)#interface <interface number>

//Go to the interface on which we want to apply the crypto map//

             Router(config-if)#crypto map <crypto map name>

//Call the corresponding crypto map using its name//

Note: We can call only one crypto map under one interface.
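The six steps carried through on both routers, as an added example that is not part of the original page. The addresses (RFC 5737 documentation ranges), interface name, policy and map names, and the pre-shared-key placeholder are constructed; choosing AES-256, SHA-256 and DH group 14 over the defaults is an assumption of this example, not something the page prescribes.

```cisco
! R1: outside 203.0.113.1/24, LAN 192.168.1.0/24; peer R2: outside 198.51.100.1, LAN 192.168.2.0/24
! Step 1: ISAKMP (Phase-1) policy; both peers must offer matching parameters
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 14
 authentication pre-share
 lifetime 28800
! Step 2: pre-shared key for this peer (0 = key entered in cleartext; placeholder value)
crypto isakmp key 0 REPLACE-WITH-STRONG-PSK address 198.51.100.1
! Step 3: crypto ACL, the interesting traffic from the R1 LAN to the R2 LAN
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! Step 4: transform set (Phase-2); tunnel mode because the LANs, not the peers themselves, are protected
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
! Step 5: crypto map entry tying peer, crypto ACL and transform set together
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 match address 101
 set transform-set TS-AES256-SHA256
! Step 6: apply the single crypto map to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP
!
! R2: identical policy and transform set; key address, crypto ACL and peer are mirrored
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 14
 authentication pre-share
 lifetime 28800
crypto isakmp key 0 REPLACE-WITH-STRONG-PSK address 203.0.113.1
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 match address 101
 set transform-set TS-AES256-SHA256
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CMAP
```

The ACL on R2 is the exact mirror of the one on R1; a mismatch there, or differing policy or transform-set parameters, is the usual reason negotiation fails.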

VERIFICATION COMMANDS:

Router#show crypto isakmp policy

Router#show access-lists <#>

Router#show crypto ipsec transform-set

Router#show crypto map

Router#show crypto map interface <interface number>

IPSec Tunnel Formation Debug Commands