Cisco Router Site to Site IPSEC VPN

These are my Cisco router site to site IPSEC tunnel setups.

Router1 (90.215.78.91):

Setup IPSEC

!
! Phase 1 (ISAKMP) policy. No "encryption" line is given, so the IOS default (des) applies.
crypto isakmp policy 10
 hash md5
 authentication pre-share
! Pre-shared key for the remote peer (Router2)
crypto isakmp key c1sc0 address 81.136.245.108
!
! Phase 2 (IPsec) transform set: ESP with DES encryption and MD5 HMAC integrity
crypto ipsec transform-set secretkey esp-des esp-md5-hmac
!
! Crypto map: remote peer, transform set, and the ACL (101) that selects the traffic to encrypt.
! The map must also be applied to the outside interface (Dialer0 here); that step is not shown above.
crypto map mymap 10 ipsec-isakmp
 set peer 81.136.245.108
 set transform-set secretkey
 match address 101
!


Setup Route

ip route 192.168.2.0 255.255.255.0 Dialer0

Setup the access lists. Remember to add the deny rule for the local subnet to the remote subnet in your NAT access list; otherwise that traffic is NATed and your routing will not work.

ip nat inside source list 100 interface Dialer0 overload

access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!


Router2 (81.136.245.108):

Setup IPSEC

!
! Mirror of the Router1 configuration, with Router1 (90.215.78.91) as the peer
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key c1sc0 address 90.215.78.91
!
!
crypto ipsec transform-set secretkey esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 90.215.78.91
 set transform-set secretkey
 match address 101
!

Setup Route

ip route 192.168.1.0 255.255.255.0 Dialer0


Setup Access lists

ip nat inside source list 100 interface Dialer0 overload

access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
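As an added check (example code written for this page, not from the original post), the following Python reads the access-list lines from both routers, evaluates them with IOS first-match semantics, and verifies the two things that most often break a tunnel like this: that site-to-site traffic is exempted from NAT (the deny line in ACL 100) and that the crypto ACLs (101) on the two routers are mirror images of each other. It assumes contiguous wildcard masks only.

```python
import ipaddress
from collections import namedtuple
# Constructed copies of the access-list lines from the Router1 and Router2 sections above.
ROUTER1_ACLS = """
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
ROUTER2_ACLS = """
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
Entry = namedtuple("Entry", "action src dst")  # one access-list entry

def _wildcard_net(tokens):
    """Consume 'any' or 'A.B.C.D W.W.W.W' (contiguous wildcard only) and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acls(text):
    """Return {acl_number: [Entry, ...]} in the order the entries were written."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        src, rest = _wildcard_net(parts[4:])
        dst, _ = _wildcard_net(rest)
        acls.setdefault(parts[1], []).append(Entry(parts[2], src, dst))
    return acls

def evaluate(entries, src_ip, dst_ip):
    """First-match semantics, including the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"

def is_natted(acls, src_ip, dst_ip):
    """'ip nat inside source list 100 ...' translates a flow only if ACL 100 permits it."""
    return evaluate(acls["100"], src_ip, dst_ip) == "permit"

def crypto_acls_mirror(local, remote):
    """The crypto ACLs (101) on the two routers must be exact mirror images of each other."""
    return {(e.action, e.src, e.dst) for e in local["101"]} == {(e.action, e.dst, e.src) for e in remote["101"]}
```

Dropping the deny line from ACL 100 makes is_natted() return True for the site-to-site flow, which is exactly the failure described above.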


Cisco ASA site to site VPN

Setup ASA Site to Site VPN:

This is a guide to setting up a Cisco ASA site to site VPN. I am connecting out to a remote peer of 1.1.1.1; in reality this will be your remote public IP.

Setup your crypto ipsec proposals

crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite

!
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport


Now create the access list that matches traffic from the local network to the remote network; in this case I've called it access-list WAN_cryptomap_3

access-list WAN_cryptomap_3 extended permit ip object 192.168.1.0 object 192.168.17.0_24

Now create the Site to Site policy, entering the public address you want to set up your tunnel to. In this case I am using a dummy IP of 1.1.1.1, as I don't want to give out my real public addresses; 1.1.1.1 stands for the public address of the peer. You need to reference the access-list you created beforehand (WAN_cryptomap_3).

crypto map WAN_map 3 match address WAN_cryptomap_3
crypto map WAN_map 3 set peer 1.1.1.1
crypto map WAN_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

Now create the IPSEC policies for the pre-shared key and the connection attributes, i.e. encryption, lifetime, etc.

group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

Lastly, you need to create a NAT rule (a NAT exemption) to tell the firewall NOT to NAT the traffic destined for the remote network

nat (WAN,WAN) source static 192.168.1.0 192.168.1.0 destination static 192.168.17.0_24 192.168.17.0_24 no-proxy-arp route-lookup