Cisco IOS IPSec L2L VPN with AES PSK Encryption

Example of a Cisco IOS IPSec LAN-to-LAN VPN that uses the router's local AES (type 6) encryption to protect the stored PSKs.

WARNING - This will encrypt your PSK with non-reversible encryption. MAKE SURE YOU HAVE A SECURE BACKUP OF IT.

Notes:
- xauth is disabled for the peer
- AES 256 with PFS using group 5 for phase 1 ISAKMP
- AES 256 with SHA HMAC for phase 2 ESP
- Ingress ACL filter used to immediately filter traffic received over the VPN
- DF bit is cleared on the applied interface
- Reverse route injection used to add a specific route to the routing table

cstubbs
February 16, 2012

! Master key for type 6 encryption; set it before turning on AES password encryption
key config-key password-encrypt %{PSK_ENCRYPTION_KEY}%
password encryption aes
!
! Crypto ACL: local-to-remote traffic that must be sent through the tunnel
ip access-list extended %{CRYPTO_ACL_NAME}%
 permit ip %{CRYPTO_SA_SOURCE_NET}% %{CRYPTO_SA_SOURCE_WILDCARD}% %{CRYPTO_SA_DESTINATION_NET}% %{CRYPTO_SA_DESTINATION_WILDCARD}%
!
! Ingress filter applied to decrypted traffic; anything not permitted is dropped and logged
ip access-list extended %{INGRESS_ACL_NAME}%
 permit ip %{ACL_SOURCE_NET}% %{ACL_SOURCE_WILDCARD}% %{ACL_DESTINATION_NET}% %{ACL_DESTINATION_WILDCARD}%
 deny ip any any log-input
!
! Pre-shared key for the peer; stored as type 6 once password encryption aes is active
crypto isakmp key %{PSK_KEY}% address %{PEER_ADDRESS}% no-xauth
!
! Phase 1 (ISAKMP) policy
crypto isakmp policy %{ISAKMP_POLICY_SEQ}%
 encr aes 256
 authentication pre-share
 group 5
!
! Phase 2 (ESP) transform set
crypto ipsec transform-set ESP-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
!
crypto map %{CRYPTO_MAP_NAME}% %{CRYPTO_MAP_SEQ}% ipsec-isakmp
 description <<< %{USEFUL_DESCRIPTION}% >>>
 set peer %{PEER_ADDRESS}%
 set ip access-group %{INGRESS_ACL_NAME}% in
 set transform-set ESP-AES256-SHA-HMAC
 match address %{CRYPTO_ACL_NAME}%
 reverse-route
!
! Apply the crypto map to the outside interface and clear DF on encapsulated packets
interface GigabitEthernet0/1
 crypto map %{CRYPTO_MAP_NAME}%
 crypto ipsec df-bit clear
!
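The template above is meant to be filled in before it is pasted onto a router. The following Python script is an added example, not part of the original snippet or the author's tooling: it renders the %{NAME}% placeholders from a dict, refuses to emit a config with anything left unfilled, validates each network/wildcard pair as a contiguous IPv4 network, and checks that the ingress filter is the mirror image of the crypto ACL (decrypted packets arrive from the remote net towards the local net, so ACL_SOURCE should equal CRYPTO_SA_DESTINATION and vice versa; that mirror relationship is this example's assumption, not something the template enforces). MIN_PSK_LEN is an assumed local policy value, and the SAMPLE values are constructed from RFC 5737 documentation ranges.

```python
"""Render and sanity-check the L2L VPN template (added example, not the original snippet)."""
import ipaddress
import re

# Template body copied from the snippet above.
TEMPLATE = """\
key config-key password-encrypt %{PSK_ENCRYPTION_KEY}%
password encryption aes
!
ip access-list extended %{CRYPTO_ACL_NAME}%
 permit ip %{CRYPTO_SA_SOURCE_NET}% %{CRYPTO_SA_SOURCE_WILDCARD}% %{CRYPTO_SA_DESTINATION_NET}% %{CRYPTO_SA_DESTINATION_WILDCARD}%
!
ip access-list extended %{INGRESS_ACL_NAME}%
 permit ip %{ACL_SOURCE_NET}% %{ACL_SOURCE_WILDCARD}% %{ACL_DESTINATION_NET}% %{ACL_DESTINATION_WILDCARD}%
 deny ip any any log-input
!
crypto isakmp key %{PSK_KEY}% address %{PEER_ADDRESS}% no-xauth
!
crypto isakmp policy %{ISAKMP_POLICY_SEQ}%
 encr aes 256
 authentication pre-share
 group 5
!
crypto ipsec transform-set ESP-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
!
crypto map %{CRYPTO_MAP_NAME}% %{CRYPTO_MAP_SEQ}% ipsec-isakmp
 description <<< %{USEFUL_DESCRIPTION}% >>>
 set peer %{PEER_ADDRESS}%
 set ip access-group %{INGRESS_ACL_NAME}% in
 set transform-set ESP-AES256-SHA-HMAC
 match address %{CRYPTO_ACL_NAME}%
 reverse-route
!
interface GigabitEthernet0/1
 crypto map %{CRYPTO_MAP_NAME}%
 crypto ipsec df-bit clear
!
"""
PLACEHOLDER = re.compile(r"%\{([A-Z_]+)\}%")
MIN_PSK_LEN = 20  # assumed local policy value, not an IOS limit


def wildcard_to_network(net, wildcard):
    """IOS 'network wildcard' -> IPv4Network; non-contiguous wildcards or host bits raise ValueError."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((net, str(ipaddress.IPv4Address(mask))), strict=True)


def check_values(v):
    """Return a list of problems with the placeholder values (empty when they look sane)."""
    problems = []
    missing = sorted(set(PLACEHOLDER.findall(TEMPLATE)) - set(v))
    if missing:
        return ["missing values: " + ", ".join(missing)]
    try:
        ipaddress.IPv4Address(v["PEER_ADDRESS"])
    except ValueError:
        problems.append("PEER_ADDRESS is not an IPv4 address")
    nets = {}
    for p in ("CRYPTO_SA_SOURCE", "CRYPTO_SA_DESTINATION", "ACL_SOURCE", "ACL_DESTINATION"):
        try:
            nets[p] = wildcard_to_network(v[p + "_NET"], v[p + "_WILDCARD"])
        except ValueError as e:
            problems.append(f"{p}: {e}")
    # Assumption: decrypted traffic flows remote -> local, so the ingress filter
    # should be the mirror image of the crypto ACL.
    if len(nets) == 4 and (nets["ACL_SOURCE"] != nets["CRYPTO_SA_DESTINATION"]
                           or nets["ACL_DESTINATION"] != nets["CRYPTO_SA_SOURCE"]):
        problems.append("ingress ACL does not mirror the crypto ACL")
    psk = v["PSK_KEY"]
    if len(psk) < MIN_PSK_LEN or any(c.isspace() or c == "?" for c in psk):
        problems.append("PSK_KEY shorter than MIN_PSK_LEN or contains whitespace/'?' (breaks the IOS CLI)")
    return problems


def render(v):
    """Fill every placeholder, or raise ValueError listing what is wrong."""
    problems = check_values(v)
    if problems:
        raise ValueError("; ".join(problems))
    return PLACEHOLDER.sub(lambda m: v[m.group(1)], TEMPLATE)


# Constructed sample values (RFC 5737 documentation ranges, made-up names and keys).
SAMPLE = {
    "PSK_ENCRYPTION_KEY": "constructed-master-key-1234", "PSK_KEY": "constructed-sample-psk-0123456789",
    "PEER_ADDRESS": "203.0.113.10", "ISAKMP_POLICY_SEQ": "10", "CRYPTO_MAP_NAME": "L2L-MAP",
    "CRYPTO_MAP_SEQ": "10", "USEFUL_DESCRIPTION": "Tunnel to branch office",
    "CRYPTO_ACL_NAME": "VPN-TO-BRANCH-CRYPTO", "INGRESS_ACL_NAME": "VPN-FROM-BRANCH-IN",
    "CRYPTO_SA_SOURCE_NET": "192.0.2.0", "CRYPTO_SA_SOURCE_WILDCARD": "0.0.0.255",
    "CRYPTO_SA_DESTINATION_NET": "198.51.100.0", "CRYPTO_SA_DESTINATION_WILDCARD": "0.0.0.255",
    "ACL_SOURCE_NET": "198.51.100.0", "ACL_SOURCE_WILDCARD": "0.0.0.255",
    "ACL_DESTINATION_NET": "192.0.2.0", "ACL_DESTINATION_WILDCARD": "0.0.0.255",
}
```

Run `print(render(SAMPLE))` to get a pasteable config; swapping ACL_SOURCE_NET for the local net, or using a non-contiguous wildcard such as 0.0.255.0, makes `check_values` report the mistake instead of producing a tunnel whose ingress filter silently drops the peer's traffic.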