Cisco IOS IPSec L2L VPN with AES PSK Encryption

Example of a Cisco IOS IPSec LAN2LAN VPN with local, on-device AES (type 6) encryption of the PSKs to protect them.

WARNING - This will encrypt your PSK with non-reversible encryption. MAKE SURE YOU HAVE A SECURE BACKUP OF IT.

Notes:
- xauth is disabled for the peer.
- AES 256 with PFS using group 5 for phase 1 ISAKMP.
- AES 256 with SHA HMAC for phase 2 ESP.
- An ingress ACL filter is used to immediately filter traffic received over the VPN.
- The DF bit is cleared on the interface the crypto map is applied to.
- Reverse route injection is used to add a specific route for the remote network to the routing table.

cstubbs
February 16, 2012

key config-key password-encrypt %{PSK_ENCRYPTION_KEY}%
password encryption aes
!
ip access-list extended %{CRYPTO_ACL_NAME}%
 permit ip %{CRYPTO_SA_SOURCE_NET}% %{CRYPTO_SA_SOURCE_WILDCARD}% %{CRYPTO_SA_DESTINATION_NET}% %{CRYPTO_SA_DESTINATION_WILDCARD}%
!
ip access-list extended %{INGRESS_ACL_NAME}%
 permit ip %{ACL_SOURCE_NET}% %{ACL_SOURCE_WILDCARD}% %{ACL_DESTINATION_NET}% %{ACL_DESTINATION_WILDCARD}%
 deny ip any any log-input
!
crypto isakmp key %{PSK_KEY}% address %{PEER_ADDRESS}% no-xauth
!
crypto isakmp policy %{ISAKMP_POLICY_SEQ}%
 encr aes 256
 authentication pre-share
 group 5
!
crypto ipsec transform-set ESP-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
!
crypto map %{CRYPTO_MAP_NAME}% %{CRYPTO_MAP_SEQ}% ipsec-isakmp
 description <<< %{USEFUL_DESCRIPTION}% >>>
 set peer %{PEER_ADDRESS}%
 set ip access-group %{INGRESS_ACL_NAME}% in
 set transform-set ESP-AES256-SHA-HMAC
 match address %{CRYPTO_ACL_NAME}%
 reverse-route
!
interface GigabitEthernet0/1
 crypto map %{CRYPTO_MAP_NAME}%
 crypto ipsec df-bit clear
!
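As an added example (not part of the original template or its author's tooling), a small Python renderer for the %{NAME}% placeholders that refuses to emit a half-filled config and checks that the ingress ACL only admits traffic the crypto ACL can actually carry; the TEMPLATE excerpt and the SAMPLE values are constructed for illustration and use documentation addresses.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpt of the template above: just the lines the checks need.
TEMPLATE = """\
ip access-list extended %{CRYPTO_ACL_NAME}%
 permit ip %{CRYPTO_SA_SOURCE_NET}% %{CRYPTO_SA_SOURCE_WILDCARD}% %{CRYPTO_SA_DESTINATION_NET}% %{CRYPTO_SA_DESTINATION_WILDCARD}%
!
ip access-list extended %{INGRESS_ACL_NAME}%
 permit ip %{ACL_SOURCE_NET}% %{ACL_SOURCE_WILDCARD}% %{ACL_DESTINATION_NET}% %{ACL_DESTINATION_WILDCARD}%
 deny ip any any log-input
!
crypto isakmp key %{PSK_KEY}% address %{PEER_ADDRESS}% no-xauth
"""

# Constructed sample values (documentation addresses, not a real deployment).
SAMPLE = {
    "CRYPTO_ACL_NAME": "VPN-CRYPTO-ACL",
    "CRYPTO_SA_SOURCE_NET": "10.1.0.0", "CRYPTO_SA_SOURCE_WILDCARD": "0.0.255.255",
    "CRYPTO_SA_DESTINATION_NET": "192.168.50.0", "CRYPTO_SA_DESTINATION_WILDCARD": "0.0.0.255",
    "INGRESS_ACL_NAME": "VPN-INGRESS-ACL",
    "ACL_SOURCE_NET": "192.168.50.0", "ACL_SOURCE_WILDCARD": "0.0.0.255",
    "ACL_DESTINATION_NET": "10.1.10.0", "ACL_DESTINATION_WILDCARD": "0.0.0.255",
    "PSK_KEY": "EXAMPLE-PSK-NOT-REAL", "PEER_ADDRESS": "203.0.113.10",
}

PLACEHOLDER = re.compile(r"%\{([A-Z_]+)\}%")

def render(template: str, values: dict) -> str:
    """Fill every %{NAME}% placeholder; refuse to emit a half-filled config."""
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:
        raise KeyError(f"unfilled placeholders: {missing}")
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)

def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Cisco 'network wildcard' pair -> prefix; strict=True rejects host bits."""
    return IPv4Network(f"{addr}/{wildcard}", strict=True)

def ingress_matches_crypto(values: dict) -> bool:
    """Decrypted traffic arrives from the crypto ACL's destination side bound
    for its source side, so the ingress permit must sit inside those two
    networks; otherwise it filters the wrong traffic (or none at all)."""
    local = wildcard_to_network(values["CRYPTO_SA_SOURCE_NET"], values["CRYPTO_SA_SOURCE_WILDCARD"])
    remote = wildcard_to_network(values["CRYPTO_SA_DESTINATION_NET"], values["CRYPTO_SA_DESTINATION_WILDCARD"])
    ingress_src = wildcard_to_network(values["ACL_SOURCE_NET"], values["ACL_SOURCE_WILDCARD"])
    ingress_dst = wildcard_to_network(values["ACL_DESTINATION_NET"], values["ACL_DESTINATION_WILDCARD"])
    return ingress_src.subnet_of(remote) and ingress_dst.subnet_of(local)

if __name__ == "__main__":
    print(render(TEMPLATE, SAMPLE))
    print("ingress ACL consistent with crypto ACL:", ingress_matches_crypto(SAMPLE))
```

Because the rendered output contains the plaintext PSK, keep it out of logs and ticket systems; on the device it is only protected once the `key config-key` and `password encryption aes` lines above are in place.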
