##master-page:HomepageReadWritePageTemplate
##master-date:Unknown-Date
#format wiki
#language en
= IPSEC =
IPSEC encryption related links. [[gre]]
 * http://www.ccierants.com/2009/09/ipsec-with-vti-best-damn-way-to-do-it.html
 * http://unixwiz.net/techtips/iguide-ipsec.html
 * Step by step gre to [[http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html|ipsec]] tunnel
 * Compare GRE vs VTI ipsec [[http://henrydu.com/blog/networks/vpn/ipsec-over-gre-and-ipsec-vti-368.html]]

== Sample Cisco Config ==
!!# Phase One - isakmp #!!
{{{
crypto isakmp policy 10
 hash sha
 authentication pre-share
! pre-shared key for the peer at 10.0.0.2
crypto isakmp key vpnkey address 10.0.0.2
}}}

!!# Phase Two - ipsec #!!
{{{
!
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
 exit
crypto map vpnset 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set vpnset
 ! set pfs group2
 ! access-list 100 (defined below) selects the traffic to encrypt
 match address 100
}}}

!!#Apply to outside int #!!
{{{
! replace ?? with the outside interface
int ??
 !ip address 10.0.0.1
 crypto map vpnset
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.16.1
}}}

== Verify IPSec VPN connections ==
 * The following two `show` commands can be used to verify VPN connections; the `debug` commands trace the IKE and IPsec negotiation:
{{{
show crypto ipsec sa
show crypto isakmp sa
debug crypto isakmp
debug crypto ipsec
}}}

== Example VTI ==
 * Tunnel interface protected by ipsec - new since 2010.
 * See. No crypto map
 * Link Linux strongswan VTI [[http://end.re/2015/01/06/vti-tunnel-interface-with-strongswan/]]
{{{
!
! 3des and DH group 2 are legacy choices; use aes and a stronger group where both peers support them
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! address 0.0.0.0 0.0.0.0 is a wildcard: this key is accepted from any peer address
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET
!
interface Tunnel0
 ip address 192.168.10.2 255.255.255.0
 tunnel source 10.0.149.220
 tunnel destination 10.0.149.221
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
}}}
...
----
CategorySecurity CategoryNetwork
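An added example, not part of the original wiki page and not a Cisco tool: a small Python audit that reads an IOS-style config such as the VTI sample above and flags legacy ciphers, weak DH groups, a wildcard pre-shared key, and crypto maps or profiles without `set pfs`. The rule set and the names `audit`, `LINE_CHECKS` and `SA_SECTION` are assumptions of this example.

```python
import re

# Constructed input: the crypto parts of this page's VTI sample (key masked as on the page).
SAMPLE_VTI = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile VTI
 set transform-set TSET
interface Tunnel0
 tunnel protection ipsec profile VTI
"""

# Per-line checks (this example's own rule set, an assumption, not a Cisco tool).
LINE_CHECKS = [
    (r"^encr(yption)? (des|3des)\b", "IKE policy uses a legacy cipher"),
    (r"^hash md5\b", "IKE policy uses MD5"),
    (r"^group (1|2|5)$", "IKE policy uses a weak DH group"),
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0\b", "pre-shared key accepted from any peer address"),
    (r"^crypto ipsec transform-set \S+ .*\besp-(des|3des)\b", "transform-set uses a legacy ESP cipher"),
    (r"^set pfs group(1|2|5)$", "PFS uses a weak DH group"),
]
# Sections that carry IPsec SA settings and should contain a "set pfs" line.
SA_SECTION = re.compile(r"^crypto (map \S+ \d+ ipsec-isakmp|ipsec profile \S+)$")

def audit(config):
    """Return (line_number, finding) tuples for an IOS-style config string."""
    findings, section, has_pfs = [], None, False
    def close():  # report the section that just ended if it never set PFS
        if section and not has_pfs:
            findings.append((section, "no 'set pfs' in this crypto map/profile"))
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):      # blank or IOS comment line
            continue
        if not raw[0].isspace():                  # a top-level command ends the section
            close()
            section, has_pfs = (n if SA_SECTION.match(line) else None), False
        elif line.startswith("set pfs"):
            has_pfs = True
        findings += [(n, msg) for rx, msg in LINE_CHECKS if re.search(rx, line)]
    close()
    return findings

if __name__ == "__main__":
    for n, msg in audit(SAMPLE_VTI):
        print(f"line {n}: {msg}")
```

A commented-out line such as `! set pfs group2` in the crypto map sample is treated as absent, so that map is reported as having no PFS.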