IPSEC VPN on Cisco IOS

This is a configuration example for a Cisco IOS router using a route-based IPSEC VPN.

The VPN uses AES256-CBC encryption, SHA256 hash, and DH group 20 for PFS, with pre-shared key authentication. (We're also disabling the IPSEC SA byte lifetime to match another device.) Note that the commands below specify sha384 for both the IKE hash and the ESP integrity algorithm; whichever values are used, the peer must be configured to match them exactly or the negotiation fails.

Define the IKE Policy (Phase 1):

crypto isakmp policy 1
 encr aes 256
 hash sha384
 authentication pre-share
 group 20

Define the Pre-Shared Key:

crypto isakmp key STRONG-KEY address REMOTE-ADDRESS

Define Transform-Set and IPSEC Profile (Phase 2):

crypto ipsec transform-set TS-AES256_SHA384 esp-aes 256 esp-sha384-hmac
 mode tunnel
crypto ipsec profile IPSEC-Profile
 set security-association lifetime kilobytes disable
 set transform-set TS-AES256_SHA384
 set pfs group20

Next, create the tunnel interface and apply IPSEC protection to it:

interface Tunnel1
 description IPSEC VPN
 ip address 192.168.1.1 255.255.255.254
 tunnel source OUTSIDE-INTERFACE
 tunnel mode ipsec ipv4
 tunnel destination REMOTE-ADDRESS
 tunnel protection ipsec profile IPSEC-Profile
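As an added consistency check, not part of the original post: a short Python script (the function names parse_sections and check_vpn_config are my own) that parses a saved copy of the configuration above and verifies that the IPSEC profile references a transform set that exists, that PFS is set, that the tunnel interface is in tunnel mode ipsec ipv4 and points at an existing profile, and that no legacy algorithm (DES/3DES, MD5, SHA-1, DH groups 1/2/5) slipped in. The sample configuration is constructed from this page with its placeholders left in place.

```python
import re

# Constructed sample: this page's config, placeholders (STRONG-KEY, ...) left in place.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha384
 authentication pre-share
 group 20
crypto isakmp key STRONG-KEY address REMOTE-ADDRESS
crypto ipsec transform-set TS-AES256_SHA384 esp-aes 256 esp-sha384-hmac
crypto ipsec profile IPSEC-Profile
 set security-association lifetime kilobytes disable
 set transform-set TS-AES256_SHA384
 set pfs group20
interface Tunnel1
 tunnel source OUTSIDE-INTERFACE
 tunnel mode ipsec ipv4
 tunnel destination REMOTE-ADDRESS
 tunnel protection ipsec profile IPSEC-Profile
"""
# Legacy choices to flag: DES/3DES, MD5, SHA-1 (a bare "hash sha") and DH groups 1, 2, 5.
WEAK = re.compile(r"^(encr des|encr 3des|hash md5|hash sha|group [125])$"
                  r"|\b(esp-des|esp-3des|esp-md5-hmac|esp-sha-hmac)\b")

def parse_sections(config):
    # Map each unindented IOS command to the list of its indented sub-commands.
    sections, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line[0] != " ":
            current = sections.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return sections

def check_vpn_config(config):
    # Return findings; an empty list means phase 1, phase 2 and the tunnel fit together.
    s, findings = parse_sections(config), []
    findings += [f"weak algorithm: {l}" for h, b in s.items() for l in [h] + b if WEAK.search(l)]
    ts_names = {h.split()[3] for h in s if h.startswith("crypto ipsec transform-set ")}
    profiles = {h.split()[3]: b for h, b in s.items() if h.startswith("crypto ipsec profile ")}
    for name, body in profiles.items():
        refs = [l.split()[2] for l in body if l.startswith("set transform-set ")]
        if not refs or refs[0] not in ts_names:
            findings.append(f"profile {name} references a missing transform-set")
        if not any(l.startswith("set pfs ") for l in body):
            findings.append(f"profile {name} does not enable PFS")
    for head, body in s.items():
        if head.startswith("interface Tunnel"):
            prof = [l.split()[4] for l in body if l.startswith("tunnel protection ipsec profile ")]
            if not prof or prof[0] not in profiles:
                findings.append(f"{head} references a missing IPsec profile")
            if "tunnel mode ipsec ipv4" not in body:
                findings.append(f"{head} lacks 'tunnel mode ipsec ipv4'")
    return findings
```

On the router itself, show crypto isakmp sa and show crypto ipsec sa confirm that phase 1 and phase 2 actually came up once the configuration is applied.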

Configure IPSEC VPN on Cisco IOS

By Sean, 2022-02-21