• In part 1 I laid out the general configuration that I will be disusing through this series of posts.
  • In Part 2 I discussed ISAKMP polices.
  • Part 3 I discussed Transform-sets
  • Part 3 I will wrap it up and go over the last parts.

Pre-shared key

As we are using a pre-shared key we need to define that. in practice you will want to use a much better key than vpnuser.

crypto isakmp key vpnuser address 172.16.1.1

Access-list

We will be using a access-list to match on traffic we would like to go through the tunnel. Nothing extensive here just a basic ACL.

access-list 100 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255

One thing to note any traffic not bound to the remote end of the tunnel will not be encrypted.

Crypto map

Our crypto map is what will tie all of these together and be used to apply them to an interface.

crypto map mymap 10 ipsec-isakmp
     set peer 172.16.1.1 ! Remote end of the tunnel
     set transform-set myset ! using the transform set we defined earlier.
     match address 100 ! encrypt any traffic matching this ACL

The 10 is the priority number this would come into play if you have multiple crypto maps.

The last part is applying this map to an interface

interface FastEthernet0/1
      ip address 10.0.0.2 255.255.255.0
      crypto map mymap

This is the end of this multi part guide. I hope that you found this helpful. In the future I will be doing some posts about using RSA keys vs pre-shared keys.