2. A static IP address on the EXTERNAL interface of your router
Needs to be in the 192.168.203.X range for this class (all examples will use this IP range)
Cisco 2911
Access to the router in privileged EXEC mode (enable), so that you can enter configuration mode
Patience
Remember to check your work before you commit the changes
Remember write memory (copy running-config startup-config)
A backup of your router configuration before doing this
Just in case bad things happen to good people
3. http://www.routergeek.net/general/how-to-configure-site-to-site-vpn-in-cisco-routers/ provides a good step by step in case you need it
http://samcaldwell.net/index.php/technical-articles/3-how-to-articles/83-cisco-vpn-part-i provides good background for setting up a site to site VPN in a Cisco router
http://www.fredshack.com/docs/vpnios.html is somewhat convoluted but workable; use it as a backup resource in case something goes wrong
4. Create an IKE (Internet Key Exchange) policy for your router. This is the phase 1 (ISAKMP) policy; one policy serves every peer, but the peer must have a policy with identical settings or phase 1 will not complete
Router(config)#crypto isakmp policy 9
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share
Anything you leave out of the policy takes the IOS default, which is 56-bit DES encryption and Diffie-Hellman group 1, so set encryption and group explicitly as well (for example encryption 3des and group 2, to go with the transform set recommended in step 8). md5, DES/3DES and groups 1 and 2 are acceptable for this classroom lab but are deprecated for production use; there you would use aes 256, hash sha256 and group 14 or higher, provided your IOS image supports them
5. Router(config)#crypto isakmp key VPNKEY address 192.168.203.25
Where VPNKEY is the pre-shared key that you will use for this VPN; the same key must be configured on the other end, with your own external address after "address"
VPNKEY = keyR7ToR5 to help with the naming convention
192.168.203.25 is the static public IP address of the other end
6. Router(config)#crypto ipsec security-association lifetime seconds YYYYY
where YYYYY is the IPsec security association lifetime in seconds; 86400 (one day) is the usual choice. This is a global setting that applies to every VPN on the router, so it is entered once. The SA is renegotiated when the lifetime expires
7. Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
Router(config)#access-list AAA permit ip 192.168.203.25 0.0.0.255 192.168.203.26 0.0.0.255
This is the crypto ACL: it defines the "interesting" traffic that will be sent through the VPN, with the source side being addresses on your network and the destination side the addresses behind the peer. AAA must be an extended access-list number (100-199 or 2000-2699) because the permit ip source destination form is extended ACL syntax
Where 203.26 is the Active Directory server or other computer on the network that will pass data back and forth between racks in the VPN
Where WIL.DCA.RDM.ASK is the wildcard mask of the network, the inverse of the subnet mask: 0.0.0.255 for a flat "C" (/24) network
Note that a wildcard of 0.0.0.255 matches the whole 192.168.203.0/24 network, not just the host .25 or .26; to match a single machine use a wildcard of 0.0.0.0 (or the host keyword). The other end needs the mirror image of this entry, with source and destination swapped, or the two sides will not agree on what to protect
8. Define the transform set that will be used for the VPN connection (the phase 2 / IPsec proposal)
Router(config)#crypto ipsec transform-set SETNAME AAAA BBBB
Where SETNAME is the name of the transform set. You can choose any name you like. Naming is important to keep track of the transforms
AAAA BBBB are the transforms, the encryption and the integrity algorithm; both ends must use the same ones. For this lab use "esp-3des esp-md5-hmac". 3DES and MD5 are deprecated outside the lab; on a production device use "esp-aes 256 esp-sha256-hmac" (or at least esp-sha-hmac) where the image supports it
9. Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
Router(config-crypto-map)#set peer 192.168.203.25
Router(config-crypto-map)#set transform-set SETNAME
Router(config-crypto-map)#match address AAA
Where MAPNAME is a name of your choice for the crypto map
PRIORITY is the sequence number of this entry within the map; lower numbers are evaluated first. Each peer gets its own entry in the same map with a different sequence number. If this is your only entry give it any number, for example 10
192.168.203.25 is the static public IP address of the other end
SETNAME is the name of the transform set that we configured in step 8
AAA is the number of the access-list that we created to define the traffic in step 7
10. Router(config-if)#crypto map MAPNAME
This is entered in interface configuration mode for your EXTERNAL interface (the one with the 192.168.203.X address), so go there first with Router(config)#interface followed by your interface name, for example GigabitEthernet0/0 on a 2911
where MAPNAME is the name of the crypto map that we defined in step 9. Only one crypto map can be applied to an interface, so this command is entered once; additional peers are added as extra sequence numbers in the same map, not as extra maps
Now, repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set, and a crypto ACL that is the mirror image of yours
11. Repeat steps 5, 7 and 9 for each VPN you want to set up, one per connection point: a key, a crypto ACL and a new sequence number in the same crypto map for each peer (the transform set from step 8 can be reused, and step 10 is done once per interface)
R3, R4, R5, R6, R7: in all you will have 5 VPN connections in your router configuration
Remember to skip step 6
Step 6 is a global configuration that will work for all VPNs connected to the router:
Router(config)#crypto ipsec security-association lifetime seconds YYYYY
12. Verify with
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active
and show crypto map
show crypto map shows what you entered straight away. The other three only show something once a tunnel is up, and a tunnel is only negotiated when traffic matching the crypto ACL is sent, so first ping a host on the far side from a host behind your router (or use an extended ping sourced from your inside interface). A working phase 1 shows the state QM_IDLE in show crypto isakmp sa, and the #pkts encaps / #pkts decaps counters in show crypto ipsec sa should increase with each ping
Then write memory (copy running-config startup-config)
Then show running-config to check that everything took, and show startup-config to confirm that the save actually happened
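The whole procedure above as one complete configuration for a router with two peers, so that the single-map / one-sequence-number-per-peer layout is visible. This is an added worked example and not part of the handout: the handout gives only the peer address 192.168.203.25 and the key keyR7ToR5. The router's own external address 192.168.203.27, the second peer R3 at 192.168.203.23 with key keyR7ToR3, the LANs 10.7.0.0/24, 10.5.0.0/24 and 10.3.0.0/24, the interface GigabitEthernet0/0 and the names TS-LAB and VPNMAP are all assumptions made for the example. It uses the handout's 3DES/MD5 algorithms so that it interoperates with other routers built from the handout; the comments give the production-grade alternatives.

```cisco
! ===== R7 (this router) =====
! Assumed: external interface GigabitEthernet0/0 = 192.168.203.27, LAN 10.7.0.0/24
! Peers: R5 = 192.168.203.25 (LAN 10.5.0.0/24), R3 = 192.168.203.23 (LAN 10.3.0.0/24)
!
! Step 4: one IKE phase 1 policy, shared by every peer (must match on the far end)
crypto isakmp policy 9
 encryption 3des
 hash md5
 authentication pre-share
 group 2
! production: encryption aes 256 / hash sha256 / group 14 (if the image supports them)
!
! Step 5: one pre-shared key per peer; the far end configures the same key
! against 192.168.203.27
crypto isakmp key keyR7ToR5 address 192.168.203.25
crypto isakmp key keyR7ToR3 address 192.168.203.23
!
! Step 6: global IPsec SA lifetime, entered once for the whole router
crypto ipsec security-association lifetime seconds 86400
!
! Step 7: one extended crypto ACL per peer, LAN to LAN, mirrored on the far end
access-list 105 permit ip 10.7.0.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 103 permit ip 10.7.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
! Step 8: one transform set (phase 2 proposal), reused by every map entry
crypto ipsec transform-set TS-LAB esp-3des esp-md5-hmac
! production: esp-aes 256 esp-sha256-hmac
!
! Step 9: ONE crypto map, one sequence number per peer
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.168.203.25
 set transform-set TS-LAB
 match address 105
crypto map VPNMAP 20 ipsec-isakmp
 set peer 192.168.203.23
 set transform-set TS-LAB
 match address 103
!
! Step 10: the single map is applied to the external interface exactly once
interface GigabitEthernet0/0
 ip address 192.168.203.27 255.255.255.0
 crypto map VPNMAP
!
! ===== R5 (far end of the R7-R5 tunnel, mirror image) =====
! Same policy 9, same lifetime and same transform set TS-LAB as above, plus:
crypto isakmp key keyR7ToR5 address 192.168.203.27
access-list 107 permit ip 10.5.0.0 0.0.0.255 10.7.0.0 0.0.0.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.168.203.27
 set transform-set TS-LAB
 match address 107
interface GigabitEthernet0/0
 ip address 192.168.203.25 255.255.255.0
 crypto map VPNMAP
```

After entering this on both routers, send a ping from a host in 10.7.0.0/24 to a host in 10.5.0.0/24 (or an extended ping from R7 sourced from its inside interface); only then will show crypto isakmp sa list 192.168.203.25 in state QM_IDLE and show crypto ipsec sa show non-zero encaps/decaps counters.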