IOS IPSec Site-to-Site with VTI
Written by Alexei Spirin   
Monday, 20 December 2010 20:55

Thank God Cisco invented Virtual Tunnel Interfaces (VTIs), so we don't need crypto maps anymore. The key point is that the encryption decision is based on a routing decision: if the router decides to route some traffic through the tunnel interface, that traffic gets encrypted. And we all know how to handle routing. Right? I consider this config the quickest and easiest way to set up a site-to-site IPsec VPN.


IOS IPsec: Peer A
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key PleaseChangeMe! address 192.168.2.13
crypto ipsec transform-set ts1 esp-aes esp-sha-hmac
crypto ipsec profile crP1
 set transform-set ts1
!
interface Tunnel13
 description VPN to Peer B
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.168.1.13
 tunnel destination 192.168.2.13
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile crP1
!
interface GigabitEthernet0/0
 description WAN Cloud
 ip address 192.168.1.13 255.255.255.0
!
router ospf 13
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel13
!
ip route 192.168.2.13 255.255.255.255 GigabitEthernet0/0 192.168.1.1 permanent


IOS IPsec: Peer B
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key PleaseChangeMe! address 192.168.1.13
crypto ipsec transform-set ts1 esp-aes esp-sha-hmac
crypto ipsec profile crP1
 set transform-set ts1
!
interface Tunnel13
 description VPN to Peer A
 ip address 10.0.0.2 255.255.255.252
 tunnel source 192.168.2.13
 tunnel destination 192.168.1.13
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile crP1
!
interface GigabitEthernet0/0
 description WAN Cloud
 ip address 192.168.2.13 255.255.255.0
!
router ospf 13
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel13
!
ip route 192.168.1.13 255.255.255.255 GigabitEthernet0/0 192.168.2.1 permanent
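The two snippets above have to mirror each other exactly: each side's tunnel destination must be the other side's tunnel source, the pre-shared key must be bound to that same peer address, both profiles must resolve to the same transform-set, and each side needs the /32 static route for its peer out the physical interface. As an added example (not code from the post), here is a small Python check that parses both peer snippets and reports any mismatch. The config strings are the post's own snippets trimmed to the lines the check reads; Peer, parse_config() and check_peers() are names chosen for this example.

```python
"""Consistency check for a pair of IOS VTI peer configurations.

Added example, not from the original post. PEER_A and PEER_B are the post's
snippets reduced to the commands this check reads; the class and function
names are this example's own.
"""
import re
from dataclasses import dataclass, field

PEER_A = """\
crypto isakmp key PleaseChangeMe! address 192.168.2.13
crypto ipsec transform-set ts1 esp-aes esp-sha-hmac
crypto ipsec profile crP1
 set transform-set ts1
interface Tunnel13
 tunnel source 192.168.1.13
 tunnel destination 192.168.2.13
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile crP1
ip route 192.168.2.13 255.255.255.255 GigabitEthernet0/0 192.168.1.1 permanent
"""
PEER_B = """\
crypto isakmp key PleaseChangeMe! address 192.168.1.13
crypto ipsec transform-set ts1 esp-aes esp-sha-hmac
crypto ipsec profile crP1
 set transform-set ts1
interface Tunnel13
 tunnel source 192.168.2.13
 tunnel destination 192.168.1.13
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile crP1
ip route 192.168.1.13 255.255.255.255 GigabitEthernet0/0 192.168.2.1 permanent
"""


@dataclass
class Peer:
    name: str
    psk: dict = field(default_factory=dict)             # peer address -> pre-shared key
    transform_sets: dict = field(default_factory=dict)  # transform-set name -> algorithms
    profiles: dict = field(default_factory=dict)        # ipsec profile -> transform-set name
    tunnel: dict = field(default_factory=dict)          # name/source/destination/mode/protection
    host_routes: dict = field(default_factory=dict)     # /32 destination -> exit interface


def parse_config(name, text):
    """Line-oriented parser for just the IOS commands the check cares about."""
    p, section = Peer(name), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"crypto isakmp key (\S+) address (\S+)", line):
            p.psk[m[2]] = m[1]
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            p.transform_sets[m[1]] = m[2].split()
        elif m := re.fullmatch(r"crypto ipsec profile (\S+)", line):
            section = ("profile", m[1])
        elif m := re.fullmatch(r"interface (\S+)", line):
            section = ("iface", m[1])
        elif m := re.fullmatch(r"ip route (\S+) 255\.255\.255\.255 (\S+)(?: .*)?", line):
            p.host_routes[m[1]] = m[2]
        elif section and section[0] == "profile" and (m := re.fullmatch(r"set transform-set (\S+)", line)):
            p.profiles[section[1]] = m[1]
        elif section and section[1].startswith("Tunnel") and (m := re.fullmatch(r"tunnel (\S+) (.+)", line)):
            p.tunnel["name"] = section[1]
            p.tunnel[m[1]] = m[2]
    return p


def _tunnel_algs(p):
    """Algorithms of the transform-set reached via 'tunnel protection ipsec profile X'."""
    prof = (p.tunnel.get("protection") or "").removeprefix("ipsec profile ")
    return p.transform_sets.get(p.profiles.get(prof))


def check_peers(a, b):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        t, dest = local.tunnel, local.tunnel.get("destination")
        if dest != remote.tunnel.get("source"):
            findings.append(f"{local.name}: tunnel destination {dest} is not {remote.name}'s tunnel source")
        if t.get("mode") != "ipsec ipv4":
            findings.append(f"{local.name}: {t.get('name')} is not in 'tunnel mode ipsec ipv4'")
        if _tunnel_algs(local) is None:
            findings.append(f"{local.name}: tunnel protection profile does not resolve to a transform-set")
        if remote.tunnel.get("source") not in local.psk:
            findings.append(f"{local.name}: no pre-shared key for peer {remote.tunnel.get('source')}")
        via = local.host_routes.get(dest)
        if via is None or via == t.get("name"):
            findings.append(f"{local.name}: no /32 static route for {dest} out a physical interface (recursive-routing risk)")
    if a.psk.get(b.tunnel.get("source")) != b.psk.get(a.tunnel.get("source")):
        findings.append("pre-shared keys differ between the peers")
    if _tunnel_algs(a) != _tunnel_algs(b):
        findings.append("transform-sets differ between the peers")
    return findings


if __name__ == "__main__":
    a, b = parse_config("PeerA", PEER_A), parse_config("PeerB", PEER_B)
    print("matched pair:", check_peers(a, b) or "OK")
    # Constructed fault: a key typo on one side, the classic Phase 1 failure.
    bad = parse_config("PeerB", PEER_B.replace("PleaseChangeMe!", "PleaseChangeMe"))
    print("key typo:", check_peers(a, bad))
```

The check deliberately reads only the commands it validates, so it will not notice a missing `crypto isakmp policy`; it is meant to catch the mirror-image mistakes (swapped addresses, mistyped key, forgotten static route) that are easy to make when copying one side's config to the other.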

The 10/8 network is treated as the corporate internal address range, 192.168/16 as the WAN cloud address range, and 192.168.x.1 as the provider edge routers.

Note the static routes: we need them to prevent recursive routing. Each router must reach its peer's tunnel endpoint through the physical WAN interface; if the route to that endpoint were ever learned through the tunnel itself, the router would be sending the tunnel's own outer packets into the tunnel, which IOS detects and responds to by shutting the tunnel down. The /32 route pinned to GigabitEthernet0/0 always wins the longest-prefix match, so that cannot happen.
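To make the recursion concrete, here is an added example (not from the post) that resolves Peer A's tunnel destination against a small routing table with longest-prefix matching. The connected and static entries are Peer A's from the configs above; the 192.168.0.0/16 entry via Tunnel13 is a constructed stand-in for any prefix covering the peer address that might be learned over the tunnel. lookup() and tunnel_is_recursive() are names chosen for this example.

```python
"""Recursive-routing check for a VTI endpoint.

Added example, not from the original post. Connected and static routes are
Peer A's; the 192.168.0.0/16 route via Tunnel13 is constructed to stand in
for a covering prefix learned over the tunnel. Function names are this
example's own.
"""
import ipaddress

# Constructed routing table: (prefix, exit interface).
RIB_WITH_HOST_ROUTE = [
    ("192.168.1.0/24", "GigabitEthernet0/0"),   # connected WAN subnet
    ("192.168.2.13/32", "GigabitEthernet0/0"),  # the static route from the post
    ("10.0.0.0/30", "Tunnel13"),                # connected tunnel subnet
    ("192.168.0.0/16", "Tunnel13"),             # constructed: WAN range learned over the tunnel
]


def lookup(rib, dst):
    """Longest-prefix match; returns the exit interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def tunnel_is_recursive(rib, tunnel_iface, tunnel_dest):
    """True when the tunnel's own destination would be routed into the tunnel."""
    return lookup(rib, tunnel_dest) == tunnel_iface


def without(rib, prefix):
    """Copy of the table with one prefix removed (simulates forgetting the static route)."""
    return [r for r in rib if r[0] != prefix]


if __name__ == "__main__":
    cases = (("with /32 static route", RIB_WITH_HOST_ROUTE),
             ("without it", without(RIB_WITH_HOST_ROUTE, "192.168.2.13/32")))
    for label, rib in cases:
        print(label, "->", lookup(rib, "192.168.2.13"),
              "recursive:", tunnel_is_recursive(rib, "Tunnel13", "192.168.2.13"))
```

With the /32 present the peer resolves out GigabitEthernet0/0 regardless of what the /16 says; remove it and the same lookup lands on Tunnel13, which is exactly the condition the `permanent` host routes in the configs exist to rule out.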

Last Updated on Monday, 20 December 2010 21:09