Cisco IPsec Tunnel Mode Configuration

Lesson Contents

In this lesson, I will show you how to configure two Cisco IOS routers to use IPsec in Tunnel mode. This means that the original IP packet will be encapsulated in a new IP packet and encrypted before it is sent out of the network. For this demonstration, I will be using the following three routers:

Topology figure: R1, R2, R3 (IPsec Tunnel Mode)

R1 and R3 each have a loopback interface behind them with a subnet. We’ll configure the IPsec tunnel between these two routers so that traffic from to is encrypted. R2 is just a router in the middle, so that R1 and R3 are not directly connected. Let’s start with the configuration on R1!


First, we will configure the phase 1 ISAKMP policy: AES encryption, SHA hashing, a pre-shared key for authentication, and DH group 2:

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2

For each peer, we need to configure the pre-shared key. I’ll pick something simple like “MYPASSWORD” :

R1(config)#crypto isakmp key 0 MYPASSWORD address

Now we’ll configure phase 2 with the transform-set:

R1(config)#crypto ipsec transform-set MYTRANSFORMSET esp-aes esp-sha-hmac

And put everything together with a crypto map. Our peer is, the transform-set is called MYTRANSFORMSET, and everything that matches access-list 100 should be encrypted by IPsec:

R1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp 
R1(config-crypto-map)#set peer
R1(config-crypto-map)#set transform-set MYTRANSFORMSET
R1(config-crypto-map)#match address 100

The access-list matches all traffic between and :

R1(config)#access-list 100 permit ip host host

We need to make sure our router knows how to reach and also tell it that it can reach through :

R1(config)#ip route
R1(config)#ip route

Last but not least, we’ll activate the crypto map on the interface:

R1(config)#interface gi0/1
R1(config-if)#crypto map CRYPTOMAP

That’s all we have to do on R1. Now we’ll create a similar configuration on R3:
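As an added example (not part of the lesson), a small Python audit that parses the IOS crypto commands shown above and flags the choices a security reviewer would raise: DH group 2, SHA-1 integrity, and a type 0 (plaintext) pre-shared key that is also short. The peer and host addresses are constructed RFC 5737 placeholders, and the 16-character key threshold is a hypothetical local policy.

```python
import re

# Constructed sample: R1's configuration from the lesson, with placeholder
# RFC 5737 addresses standing in for the lesson's peer address.
SAMPLE_CONFIG = """
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key 0 MYPASSWORD address 192.0.2.3
crypto ipsec transform-set MYTRANSFORMSET esp-aes esp-sha-hmac
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 192.0.2.3
 set transform-set MYTRANSFORMSET
 match address 100
"""

WEAK_DH_GROUPS = {"1", "2", "5"}                                  # MODP 768/1024/1536 bits
WEAK_INTEGRITY = {"md5", "sha", "esp-md5-hmac", "esp-sha-hmac"}   # MD5 and SHA-1
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
MIN_PSK_LEN = 16                                                  # hypothetical local policy

def audit_crypto_config(config: str) -> list[str]:
    """Return human-readable findings for the ISAKMP/IPsec settings in an IOS config."""
    findings = []
    # Phase 1: each 'crypto isakmp policy N' followed by its indented sub-commands.
    for m in re.finditer(r"^crypto isakmp policy (\d+)\n((?: .*\n)*)", config, re.M):
        number = m.group(1)
        settings = dict(line.split(None, 1) for line in m.group(2).split("\n") if " " in line.strip())
        # Defaults assumed when a sub-command is omitted (classic IOS: des, sha, group 1).
        group, digest, cipher = settings.get("group", "1"), settings.get("hash", "sha"), settings.get("encryption", "des")
        if group in WEAK_DH_GROUPS:
            findings.append(f"policy {number}: DH group {group} is weak; use group 14 or higher")
        if digest in WEAK_INTEGRITY:
            findings.append(f"policy {number}: hash {digest} is deprecated; use sha256")
        if cipher.split()[0] in WEAK_CIPHERS:
            findings.append(f"policy {number}: encryption {cipher} is weak; use aes 256")
    # Pre-shared keys: 'key 0' means the key sits in plaintext in the running config.
    for m in re.finditer(r"^crypto isakmp key (\d) (\S+) address (\S+)", config, re.M):
        key_type, key, peer = m.groups()
        if key_type == "0":
            findings.append(f"peer {peer}: pre-shared key stored in plaintext (type 0)")
            if len(key) < MIN_PSK_LEN:
                findings.append(f"peer {peer}: pre-shared key is only {len(key)} characters")
    # Phase 2: transform sets using deprecated ESP transforms.
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        name, transforms = m.group(1), set(m.group(2).split())
        for weak in sorted(transforms & (WEAK_INTEGRITY | WEAK_CIPHERS)):
            findings.append(f"transform-set {name}: {weak} is deprecated; prefer esp-aes 256 esp-sha256-hmac")
    return findings

if __name__ == "__main__":
    for finding in audit_crypto_config(SAMPLE_CONFIG):
        print(finding)
```

Running it against the lesson's R1 settings yields five findings; a policy with group 14, sha256, a type 6 key and esp-sha256-hmac yields none.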


Forum Replies

  1. what is the configuration of R2?

  2. Nothing has been configured on R2, just the IP addresses on its FastEthernet interfaces.

  3. Rene, not working for me. and are not reachable. I checked all configuration, almost the same as above. But not working.

    R3#sh crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: CRYPTOMAP, local addr
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (
       remote ident (addr/mask/prot/port): (
       current_peer port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts

  4. Hi Amit,

    This show command only tells you that no packets are encrypted or decrypted. You need to check the following in order:

    Is routing configured correctly?
    Are your ACLs for the VPN configured correctly?
    Are the crypto maps configured correctly?
    Do you have a security association?

    If those are all OK, do a debug for the security association to see what is wrong.

  5. Hi

    Don’t you need the tunnel IP address, so you can use that as the next hop?

    R1(config)#ex. ip route

    best regards mpo
