Understanding Cisco IOS VPN tunnels (keep it simple when you're just getting started)
Many times our Cisco Managed Services clients need a quick IOS tunnel for a new extranet or WAN connection.
Here's our basic config (note the MTU gotcha: fixing the MTU and MSS really helps performance over the tunnel, especially with MS RDP traffic).
! don't forget to deny NAT for the private-to-private traffic in your NAT ACL
ip access-list extended nat-permit
deny ip 10.10.1.0 0.0.0.255 10.20.0.0 0.0.255.255
! create crypto acl to match tunnel traffic
ip access-list extended officeoffice-to-colo
permit ip 10.10.1.0 0.0.0.255 10.20.0.0 0.0.255.255
! create phase 1 policy
crypto isakmp policy 10
encr aes
hash sha
authentication pre-share
group 2
! configure pre-shared key
crypto isakmp key officekey#@! address 12.34.56.78 no-xauth
! configure phase 2 transform
crypto ipsec transform-set ESP-AES-SHA-HMAC esp-aes esp-sha-hmac
! configure crypto map
crypto map secure 100 ipsec-isakmp
set peer 12.34.56.78
set security-association lifetime seconds 86400
set transform-set ESP-AES-SHA-HMAC
match address officeoffice-to-colo
! fix MTU issues over the tunnel on the ingress (inside) interface
interface f0/1
description inside
ip mtu 1412
ip tcp adjust-mss 1360
! apply crypto map to router’s internet facing interface
interface f0/0
description outside
crypto map secure
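The two things that most often break a tunnel built from this config are a NAT ACL that does not deny the flows the crypto ACL encrypts, and an adjust-mss value that does not fit inside ip mtu. The checker below is an added example, not the post's or Cisco's code: it parses an excerpt of the config above (the NAT ACL's trailing "permit ... any" line is assumed, since the post only shows the deny) and also handles the "host" and "any" address forms the post does not use.

```python
import re

# Constructed excerpt of the post's config (not taken from a live device).
IOS_CONFIG = """\
ip access-list extended nat-permit
 deny ip 10.10.1.0 0.0.0.255 10.20.0.0 0.0.255.255
 permit ip 10.10.1.0 0.0.0.255 any
ip access-list extended officeoffice-to-colo
 permit ip 10.10.1.0 0.0.0.255 10.20.0.0 0.0.255.255
interface f0/1
 ip mtu 1412
 ip tcp adjust-mss 1360
"""

def parse_ace(line):
    """Parse 'permit|deny ip SRC DST' (SRC/DST = 'net wildcard', 'host A' or 'any')."""
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
        return None  # not an ACE line (interface, mtu, access-list header, ...)
    def addr(i):  # -> (network, wildcard, index of next token)
        if t[i] == "any":
            return "0.0.0.0", "255.255.255.255", i + 1
        if t[i] == "host":
            return t[i + 1], "0.0.0.0", i + 2
        return t[i], t[i + 1], i + 2
    src, swc, i = addr(2)
    dst, dwc, _ = addr(i)
    return t[0], src, swc, dst, dwc

def parse_acls(cfg):
    """Return {acl_name: [ace, ...]} for every 'ip access-list extended' block."""
    acls, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"ip access-list (?:ext|extended) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and (ace := parse_ace(line)):
            acls[current].append(ace)
    return acls

def missing_nat_exemptions(acls, crypto_acl, nat_acl):
    """Crypto-permitted flows the NAT ACL does not deny: NATed before encryption."""
    denied = {ace[1:] for ace in acls.get(nat_acl, []) if ace[0] == "deny"}
    return [ace[1:] for ace in acls.get(crypto_acl, [])
            if ace[0] == "permit" and ace[1:] not in denied]

def mss_fits_mtu(cfg):
    """adjust-mss must leave 40 bytes for the IPv4 and TCP headers inside ip mtu."""
    mtu = int(re.search(r"ip mtu (\d+)", cfg).group(1))
    mss = int(re.search(r"ip tcp adjust-mss (\d+)", cfg).group(1))
    return mss <= mtu - 40
```

Run it against a full "show run" export; any tuple returned by missing_nat_exemptions is a subnet pair that will be translated instead of encrypted.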