Cisco IOS IPSec L2L VPN with AES PSK Encryption

Example of a Cisco IOS IPSec LAN-to-LAN VPN with local, on-device AES (type 6) encryption of the PSKs to protect them. WARNING - This will encrypt your PSK with non-reversible encryption. MAKE SURE YOU HAVE A SECURE BACKUP OF IT.

Notes:
- xauth is disabled for the peer.
- AES 256 with PFS using group 5 for phase 1 ISAKMP.
- AES 256 with SHA HMAC for phase 2 ESP.
- Ingress ACL filter used to immediately filter traffic received over the VPN.
- DF bit is cleared on the applied interface.
- Reverse route injection used to add a specific route to the routing table.

February 16, 2012

! Master key used to AES-encrypt (type 6) the stored pre-shared keys; it must exist before AES password encryption is enabled
key config-key password-encrypt %{PSK_ENCRYPTION_KEY}%
password encryption aes
! Crypto ACL: add permit entries for the interesting traffic between the two LANs
ip access-list extended %{CRYPTO_ACL_NAME}%
! Ingress ACL applied to decrypted traffic from the peer: add permit entries above the final logged deny
ip access-list extended %{INGRESS_ACL_NAME}%
 deny ip any any log-input
! Phase 1: PSK for this peer with xauth disabled, AES-256 with DH group 5
crypto isakmp key %{PSK_KEY}% address %{PEER_ADDRESS}% no-xauth
crypto isakmp policy %{ISAKMP_POLICY_SEQ}%
 encr aes 256
 authentication pre-share
 group 5
! Phase 2: AES-256 ESP with SHA HMAC
crypto ipsec transform-set ESP-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
crypto map %{CRYPTO_MAP_NAME}% %{CRYPTO_MAP_SEQ}% ipsec-isakmp
 description <<< %{USEFUL_DESCRIPTION}% >>>
 set peer %{PEER_ADDRESS}%
 set ip access-group %{INGRESS_ACL_NAME}% in
 set transform-set ESP-AES256-SHA-HMAC
 match address %{CRYPTO_ACL_NAME}%
 reverse-route
! Apply the crypto map to the outside interface and clear the DF bit so oversized packets can be fragmented
interface GigabitEthernet0/1
 crypto map %{CRYPTO_MAP_NAME}%
 crypto ipsec df-bit clear
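As an added example (not part of the original template), a small Python audit that reads a running-config excerpt and checks the points the notes above rely on: each PSK actually stored as type 6, the crypto and ingress ACLs referenced by every crypto map entry defined, the ingress ACL ending in the logged deny, and reverse-route present. The sample config, its ACL and map names, addresses and ciphertext are all constructed for this example.

```python
import re
# Constructed "show run" excerpt (not from the page): crypto map entry 10 follows the
# template, entry 20 is missing pieces and its PSK is not stored as type 6. Values are made up.
SAMPLE_CONFIG = """\
ip access-list extended VPN-CRYPTO
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
ip access-list extended VPN-IN
 deny ip any any log-input
crypto isakmp key 6 CONSTRUCTEDCIPHERTEXT address 203.0.113.10 no-xauth
crypto isakmp key ClearTextPSK address 203.0.113.20 no-xauth
crypto map VPN-MAP 10 ipsec-isakmp
 set ip access-group VPN-IN in
 match address VPN-CRYPTO
 reverse-route
crypto map VPN-MAP 20 ipsec-isakmp
 match address MISSING-ACL
"""

def parse_blocks(config, header_re):
    """Group indented sub-commands under each line matching header_re: [(match, [cmds])]."""
    blocks, cur = [], None
    for line in config.splitlines():
        m = re.match(header_re, line)
        if m:
            cur = []
            blocks.append((m, cur))
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # a top-level line of another kind ends the current block
    return blocks

def lint(config):
    """Return findings where the config departs from the template's intent (empty = clean)."""
    findings = []
    for m in re.finditer(r"^crypto isakmp key (?:(\d) )?(\S+) address (\S+)", config, re.M):
        if m.group(1) != "6":  # type 6 = AES-encrypted at rest; anything else is readable
            findings.append(f"PSK for peer {m.group(3)} is not stored as type 6")
    acls = {m.group(1): cmds for m, cmds in parse_blocks(config, r"ip access-list extended (\S+)")}
    for m, cmds in parse_blocks(config, r"crypto map (\S+) (\d+) ipsec-isakmp"):
        entry = f"crypto map {m.group(1)} {m.group(2)}"
        crypto_acl = next((c.split()[2] for c in cmds if c.startswith("match address ")), None)
        if crypto_acl not in acls:
            findings.append(f"{entry}: crypto ACL {crypto_acl} is not defined")
        ingress = next((c.split()[3] for c in cmds if c.startswith("set ip access-group ")), None)
        if acls.get(ingress, [])[-1:] != ["deny ip any any log-input"]:
            findings.append(f"{entry}: ingress ACL {ingress} missing or not ending in deny ip any any log-input")
        if "reverse-route" not in cmds:
            findings.append(f"{entry}: reverse-route (RRI) missing")
    return findings
```

Running lint(SAMPLE_CONFIG) reports the cleartext PSK for the second peer plus the undefined crypto ACL, missing ingress ACL and missing reverse-route on entry 20, and nothing for entry 10.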
