Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

Site-to-Site Cisco VPN

  • Filter
  • Time
  • Show
Clear All
new posts

  • Site-to-Site Cisco VPN

    Hi Guys,

    I am currently trying to configure a VPN link between 2 sites, I have replaced some crypto maps with ipsec tunnel interfaces instead.

    However I am unsure what configuration lines are still required below is snippets of the configuration, both sites have similar configurations however the documentation I found doesn't show the use of crypto isakmp policy line but when I remove it the link fails to establish.

    crypto isakmp policy 3
     encr 3des
     hash md5 
     authentication pre-share
     group 2
     lifetime 20000
    crypto isakmp key keygoeshere address
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
    crypto ipsec profile Site-to-Site
     set transform-set ESP-3DES-SHA1 
    interface Tunnel0
     description --- Connection to WA ---
     ip address
     tunnel source Dialer1
     tunnel destination
     tunnel mode ipsec ipv4
     tunnel path-mtu-discovery
     tunnel protection ipsec profile Site-to-Site
    router rip
     version 2
     passive-interface Vlan1

  • #2
    Re: Site-to-Site Cisco VPN

    Actually got instant response on another forum so thought I would post the answer here for the records...

    Basically my set up is to use IPSec DVTIs rather then crypto maps, my question was do i need the isakmp policies.

    If you plan to use IPsec as the VPN protocol, you cannot remove the crypto isakmp policy (because it is used for phase 1 negotiation between the VPN endpoints).

    You're using IPsec profiles, is this because you're establishing VTI or GRE VPN tunnels?
    What kind of VPN are you trying to establish?

    The number in the crypto isakmp policy is just a local identifier (it does not matter which number it is).
    The only role of that number is that when a VPN connection against the router is attempted, the peer will look at the crypto isakmp policies in sequential order until finding a match. (so the number is only relevant in case you have multiple crypto isakmp policies and you need to have them in certain order).

    The advantage of using VTI is that it simplifies configuration and allows multicast traffic to pass through the tunnel (as opposed to regular IPsec traffic which only allows IP unicast packets).

    You should not have a problem with the implementation. Let us know if you have any questions.