##master-page:HomepageReadWritePageTemplate
##master-date:Unknown-Date
#format wiki
#language en
= IPSEC =
Links on IPsec encryption (see also [[gre]]):
 * IPsec with VTI, "the best way to do it": http://www.ccierants.com/2009/09/ipsec-with-vti-best-damn-way-to-do-it.html
 * An illustrated guide to IPsec: http://unixwiz.net/techtips/iguide-ipsec.html
 * Step-by-step GRE over [[http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html|IPsec]] tunnel (firewall.cx)
 * Comparison of IPsec over GRE and IPsec VTI: [[http://henrydu.com/blog/networks/vpn/ipsec-over-gre-and-ipsec-vti-368.html]]
== Sample Cisco Config ==
!!# Phase One - ISAKMP (IKEv1 SA) #!!
{{{
! Phase 1 policy. Parameters left out take the classic IOS defaults
! (DES encryption, DH group 1), so set encryption and group explicitly.
crypto isakmp policy 10
   encryption aes 256
   hash sha
   authentication pre-share
   group 14
! The pre-shared key is a global command, not part of the policy.
! Bind it to the peer address rather than a 0.0.0.0 wildcard.
crypto isakmp key vpnkey address 10.0.0.2
}}}
!!# Phase Two - IPsec SA #!!
{{{
! Optional: IPsec SA lifetime in seconds (IOS default is 3600)
! crypto ipsec security-association lifetime seconds 28800
! Transform set = ESP encryption + ESP integrity algorithm (esp-aes is AES-128)
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
   exit
! The crypto map ties peer, transform set and "interesting" traffic together
crypto map vpnset 10 ipsec-isakmp
   set peer 10.0.0.2
   set transform-set vpnset
   ! Uncomment to require PFS (a fresh DH exchange per Phase 2 SA);
   ! prefer group14 or higher over group2, and both peers must agree
   ! set pfs group2
   match address 100
}}}
!!# Apply to the outside interface #!!
{{{
! The outside interface (name depends on the platform)
int ??
    !ip address 10.0.0.1
    crypto map vpnset
! Crypto ACL: local LAN to remote LAN. The peer needs the exact mirror image
! (source and destination swapped) or Phase 2 will fail with a proxy-identity mismatch.
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255
! Default route towards the next hop that reaches the peer; encrypted traffic
! must leave through the interface that carries the crypto map.
ip route 0.0.0.0 0.0.0.0 192.168.16.1
}}}
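The matching configuration for the peer at 10.0.0.2 is not shown above, so here is one as an added example; it is not from the original page or from Cisco documentation. It assumes the peer's outside interface is GigabitEthernet0/0 with 10.0.0.2/24, that its LAN is 10.20.0.0/24 (taken from access-list 100 above) on GigabitEthernet0/1, that the first router's policy specifies AES-256, SHA and DH group 14, and an IOS release that supports those algorithms. The two things that must line up are the Phase 1/Phase 2 parameters and the crypto ACL, which is the mirror image of the first router's.

```cisco
! ---- Router B, peer of the config above (added example) ----
! Phase 1: every parameter must match the other end's policy
crypto isakmp policy 10
   encryption aes 256
   hash sha
   authentication pre-share
   group 14
   lifetime 28800
! Pre-shared key bound to Router A's address only (no 0.0.0.0 wildcard)
crypto isakmp key vpnkey address 10.0.0.1
! Dead Peer Detection, so a dead peer's SA is torn down and renegotiated
crypto isakmp keepalive 10 periodic
!
! Phase 2: the transform-set name is local, the algorithms must match
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
   mode tunnel
   exit
!
crypto map vpnset 10 ipsec-isakmp
   set peer 10.0.0.1
   set transform-set vpnset
   match address 100
!
! Mirror image of Router A's access-list 100: source and destination swapped
access-list 100 permit ip 10.20.0.0 0.0.0.255 10.10.10.0 0.0.0.255
!
interface GigabitEthernet0/0
   ip address 10.0.0.2 255.255.255.0
   crypto map vpnset
!
interface GigabitEthernet0/1
   ip address 10.20.0.1 255.255.255.0
!
! Traffic for the remote LAN must be routed OUT of the interface that carries
! the crypto map, otherwise the ACL is never consulted. The peer is directly
! connected here, so it doubles as the next hop (assumed topology).
ip route 10.10.10.0 255.255.255.0 10.0.0.1
```

After both sides are configured, send traffic from 10.20.0.0/24 to 10.10.10.0/24 (a ping sourced from the LAN interface will do) and confirm with `show crypto isakmp sa` that the SA reaches QM_IDLE; an SA that never leaves the MM_ states almost always means a key or policy mismatch, while a QM_IDLE SA with Phase 2 failing means the ACLs are not mirrors of each other.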
== Verify IPSec VPN connections ==
 * Use the two `show` commands first. Turn on the `debug` commands only while troubleshooting a failing negotiation: they are verbose, run on the router CPU, and should be switched off again with `undebug all` when done.
{{{
show crypto isakmp sa 
show crypto ipsec sa 

debug crypto isakmp 
debug crypto ipsec 
}}}
 * `show crypto isakmp sa`: a Phase 1 SA in state QM_IDLE / ACTIVE means IKE authentication succeeded. No entry, or an SA stuck in an MM_ state, points at a Phase 1 problem (pre-shared key, policy mismatch, or the peer not being reachable on UDP 500).
 * `show crypto ipsec sa`: check that the local/remote identities match the crypto ACL (or the tunnel) and that the #pkts encaps and #pkts decaps counters increase on both ends. Encaps rising while decaps stays at zero means the far side is not returning traffic, typically a routing problem or a crypto ACL that is not the mirror of this side's.

== Example VTI ==
 * Tunnel interface protected by IPsec, a newer alternative to crypto maps.
   * Note: no crypto map. Whatever is routed into the tunnel interface is encrypted, so traffic selection is done by routing (static routes or an IGP running over the tunnel) instead of a crypto ACL.
   * Linux equivalent, strongSwan with a VTI device: [[http://end.re/2015/01/06/vti-tunnel-interface-with-strongswan/]]
{{{
!
! Phase 1 policy. 3DES and DH group 2 are legacy choices; prefer
! aes 256 / group 14 (or higher) where both ends support them.
crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
! Global commands (not part of the policy). The 0.0.0.0 0.0.0.0 wildcard means
! ANY peer that knows this key may negotiate; bind the key to the peer address
! instead (address 10.0.149.221) unless the peers really are dynamic.
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
! Dead Peer Detection
crypto isakmp keepalive 10
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
! The IPsec profile replaces the crypto map: it only names the transform set,
! there is no peer and no ACL because the tunnel interface supplies both.
crypto ipsec profile VTI
    set transform-set TSET
!
interface Tunnel0
    ip address 192.168.10.2 255.255.255.0
    tunnel source 10.0.149.220
    tunnel destination 10.0.149.221
    ! IPsec is the tunnel encapsulation itself (no GRE header)
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
!

}}}
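The block above shows only one end of the tunnel and no routing. As an added example (not from the original page or from Cisco documentation), here is the other end at 10.0.149.221, hardened to AES-256 / SHA-256 / DH group 14 with a peer-bound key, plus the static routes that actually select traffic for the tunnel. It assumes the LAN behind this router is 10.20.0.0/24 and the LAN behind the 10.0.149.220 router is 10.10.10.0/24 (addresses borrowed from the crypto-map example above, not stated for the VTI on the page), and an IOS release that supports the listed algorithms; the 10.0.149.220 router would need the same algorithm changes for the two ends to match.

```cisco
! ---- Peer router, tunnel endpoint 10.0.149.221 (added example) ----
! Phase 1: match the other end parameter for parameter
crypto isakmp policy 1
    encryption aes 256
    hash sha256
    authentication pre-share
    group 14
! Key bound to the specific peer instead of 0.0.0.0 0.0.0.0
crypto isakmp key ******** address 10.0.149.220
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
    mode tunnel
!
crypto ipsec profile VTI
    set transform-set TSET
    ! PFS: a fresh DH exchange for every IPsec SA (must be set on both ends)
    set pfs group14
!
interface Tunnel0
    description IPsec VTI to 10.0.149.220
    ip address 192.168.10.1 255.255.255.0
    tunnel source 10.0.149.221
    tunnel destination 10.0.149.220
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
!
! Traffic selection is routing: everything sent into Tunnel0 is encrypted,
! and nothing else is. There is no crypto ACL with a VTI.
! Remote LAN (assumed 10.10.10.0/24) via the tunnel:
ip route 10.10.10.0 255.255.255.0 Tunnel0
!
! The mirror route belongs on the 10.0.149.220 router:
! ip route 10.20.0.0 255.255.255.0 Tunnel0
```

Because the VTI is a real interface, `show interface Tunnel0` is the quickest health check: the line protocol on an IPsec VTI comes up only once the IPsec SA is established, and `show ip route` will show the remote LAN via Tunnel0. The `show crypto isakmp sa` and `show crypto ipsec sa` commands from the verification section apply unchanged; the identities in `show crypto ipsec sa` will read 0.0.0.0/0 on both sides, which is expected for a VTI.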
...
----
CategorySecurity CategoryNetwork