Cisco IOS IPSec VPN, L2L plus EasyVPN

Site-to-site (L2L) and EasyVPN remote-access clients terminated on the same router, on the same crypto map, at the same time.

cstubbs
August 28, 2014




















!#### Common Configuration ####
!
! Log ISAKMP/IPsec session up/down events so tunnel and client (dis)connects
! are visible to syslog-based monitoring.
crypto logging session
!
!### Standard set of "acceptable" encryption/hashing/PFS combinations.
!### Lower policy numbers are tried first, so the order below prefers
!### AES-256 over AES-128 over 3DES, and DH group 5 over group 2, all with
!### SHA-1 integrity, pre-shared-key authentication and a 1 h phase-1 lifetime.
!### NOTE(review): 3DES, SHA-1 and DH group 2 (1024-bit) are below current
!### guidance; keep policies 11/21/30/31 only while a peer still needs them.
!### PFS itself is set per crypto-map entry; none of the entries in this
!### template enable it.
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp policy 11
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 20
 encr aes 128
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp policy 21
 encr aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 30
 encr 3des
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp policy 31
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
!
!### Standard ESP transform sets with "acceptable" encryption/hashing.
!### The crypto-map entries list all three in order of preference; the peer
!### picks the first one it also supports.
crypto ipsec transform-set ESP-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA-HMAC esp-aes 128 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-HMAC esp-3des esp-sha-hmac
!
!### WARNING: This disables IKE aggressive mode for the whole router. Some
!### client software (e.g. the classic Cisco VPN Client using a group
!### pre-shared key) needs aggressive mode to negotiate the EasyVPN group;
!### if such clients must connect, remove this line. Leaving it in is the
!### safer default, since aggressive mode exposes the PSK hash on the wire.
crypto isakmp aggressive-mode disable
!
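!#### EasyVPN Configuration ####
!
! AAA lists referenced by the crypto map at the end of this section:
!  - "client authentication list" needs a LOGIN AUTHENTICATION list (XAUTH
!    user/password check),
!  - "isakmp authorization list" needs a NETWORK AUTHORIZATION list (group
!    policy lookup).
! The original had "aaa authorization login", which is not an IOS command;
! the login list is an authentication list.
! NOTE(review): both lines assume "aaa new-model" is already enabled.
aaa authentication login EasyVPN local
aaa authorization network EasyVPN local
!
! XAUTH user. "secret" stores a hash rather than a reversible (type 7) password.
username %{VPN_USER}% secret %{VPN_USER_SECRET}%
!
! Addresses handed to EasyVPN clients (172.31.252.0/24, 254 hosts).
ip local pool POOL-EasyVPN-1 172.31.252.1 172.31.252.254
!
! Split-tunnel ACL: source is the protected network, destination is the
! client pool. Only traffic matching this ACL is sent through the tunnel;
! everything else leaves the client in the clear.
ip access-list extended ACL-EasyVPN-Split-Path-1
 10 permit ip %{DESTINATION_NETWORK}% %{DESTINATION_WILDCARD}% 172.31.252.0 0.0.0.255
!
! Group policy pushed to clients. The group key is one pre-shared secret
! shared by every client and held in the running configuration -- treat
! configuration backups as sensitive and rotate it when a client device is lost.
crypto isakmp client configuration group CRYPTO-EasyVPN-Client-Group-1
 key %{EASYVPN_KEY}%
 dns %{DNS_SERVER}%
 domain %{DNS_DOMAIN}%
 pool POOL-EasyVPN-1
 acl ACL-EasyVPN-Split-Path-1
!
! Dynamic map for clients whose source address is not known in advance.
! reverse-route installs a static route for each connected client's assigned
! address so return traffic finds the tunnel.
! NOTE(review): no "set pfs" here, so phase-2 PFS is off for clients.
crypto dynamic-map CRYPTO-MAP-Dynamic-1 10
 set transform-set ESP-AES256-SHA-HMAC ESP-AES128-SHA-HMAC ESP-3DES-SHA-HMAC
 reverse-route
!
! Attach the AAA lists and the dynamic map to the crypto map shared with the
! L2L entry. Sequence 65535 keeps the dynamic entry last so the static L2L
! entry is evaluated first.
crypto map CRYPTO-MAP-%{CRYPTO_MAP_DESCRIPTOR}% client authentication list EasyVPN
crypto map CRYPTO-MAP-%{CRYPTO_MAP_DESCRIPTOR}% client configuration address respond
crypto map CRYPTO-MAP-%{CRYPTO_MAP_DESCRIPTOR}% isakmp authorization list EasyVPN
crypto map CRYPTO-MAP-%{CRYPTO_MAP_DESCRIPTOR}% 65535 ipsec-isakmp dynamic CRYPTO-MAP-Dynamic-1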
!
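!#### LAN2LAN Configuration ####
!
! Stable router identity used as the EIGRP router-id. (The original read
! "interace", which IOS rejects as an unknown command.)
interface Loopback0
 description <<< Loopback for routing and unique ID >>>
 ip address %{LOOPBACK0_ADDRESS}% 255.255.255.255
 no ip redirects
 no ip proxy-arp
!
! GRE tunnel that carries the routed traffic; IPsec then protects the GRE
! packets between the two endpoints (see the crypto ACL below).
! "ip mtu 1420" leaves room for the GRE + ESP overhead on a 1500-byte link.
interface Tunnel%{TUNNEL_NUMBER}%
 description <<< IPSec over GRE Tunnel, avoids NAT processing dramas. >>>
 ip address %{TUNNEL_IP_ADDRESS}% 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1420
 tunnel source %{EXTERNAL_INTERFACE}%
 tunnel destination %{L2L_PEER}%
!
! EIGRP peers only over the tunnel (passive-interface default).
! NOTE(review): the tunnel and Loopback0 addresses must fall inside one of
! the three network statements, otherwise no adjacency forms / the loopback
! is not advertised -- confirm against the values substituted.
router eigrp %{AS_NUMBER}%
 network 10.0.0.0 0.255.255.255
 network 172.16.0.0 0.15.255.255
 network 192.168.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel%{TUNNEL_NUMBER}%
 eigrp router-id %{LOOPBACK0_ADDRESS}%
!
! Pre-shared key for the L2L peer. "no-xauth" is required because the same
! crypto map carries "client authentication list": without it the router
! would challenge the site peer for an XAUTH login and the tunnel would fail.
crypto isakmp key %{L2L_PEER_KEY}% address %{L2L_PEER}% no-xauth
!
! Crypto ACL: encrypt only the GRE packets between the two tunnel endpoints.
! "extended" was missing from the original ("ip access-list" requires
! standard|extended), and the destination needs the "host" keyword like the
! source does.
! NOTE(review): assumes %{DESTINATION_HOST}% expands to a bare address, as
! %{SOURCE_HOST}% does -- confirm against the template variables.
ip access-list extended CRYPTO-ACL-%{CRYPTO_MAP_DESCRIPTOR}%-1
 10 permit gre host %{SOURCE_HOST}% host %{DESTINATION_HOST}%
!
! Static crypto map entry for the L2L peer.
! NOTE(review): %{CRYPTO_MAP_SEQ_L2L_SA_ACL}% should expand to
! CRYPTO-ACL-%{CRYPTO_MAP_DESCRIPTOR}%-1, otherwise the ACL above is unused.
! No "set pfs" is configured, so phase-2 PFS is off; add e.g. "set pfs group5"
! if policy requires it. "qos pre-classify" lets QoS match the inner packet
! before encryption.
crypto map CRYPTO-MAP-%{CRYPTO_MAP_DESCRIPTOR}% %{CRYPTO_MAP_SEQ_L2L}% ipsec-isakmp
 description <<< %{CRYPTO_MAP_SEQ_L2L_DESCRIPTION}%
 set peer %{L2L_PEER}%
 set transform-set ESP-AES256-SHA-HMAC ESP-AES128-SHA-HMAC ESP-3DES-SHA-HMAC
 match address %{CRYPTO_MAP_SEQ_L2L_SA_ACL}%
 qos pre-classify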
!
!### Crypto Map with EasyVPN and L2L ####
!
! One crypto map on the outside interface serves both roles: the static L2L
! entry (sequence %{CRYPTO_MAP_SEQ_L2L}%) and the dynamic EasyVPN entry
! (sequence 65535). "crypto ipsec df-bit clear" clears DF on the outer
! IPsec header so encrypted packets can be fragmented in transit instead of
! being dropped when they exceed the path MTU.
interface %{EXTERNAL_INTERFACE}%
 crypto map CRYPTO-MAP-%{CRYPTO_MAP_DESCRIPTOR}%
 crypto ipsec df-bit clear
!
