Cisco IPsec Tunnel Mode Configuration

In this lesson, I will show you how to configure two Cisco IOS routers to use IPsec in tunnel mode. This means that the original IP packet is encapsulated in a new IP packet and encrypted before it is sent out of the network. For this demonstration I will be using the following three routers:

[Topology diagram: R1, R2, R3 IPsec tunnel mode]

R1 and R3 each have a loopback interface behind them with a subnet. We’ll configure the IPsec tunnel between these two routers so that traffic from to is encrypted. R2 is just a router in the middle so that R1 and R3 are not directly connected. Let’s start with the configuration on R1!


First, we will configure the phase 1 policy for ISAKMP, where we configure the encryption (AES) and the hash (SHA) and use a pre-shared key for authentication. We use DH group 2:

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2

For each peer, we need to configure the pre-shared key. I’ll pick something simple like “MYPASSWORD”:

R1(config)#crypto isakmp key 0 MYPASSWORD address

Now we’ll configure phase 2 with the transform-set:

R1(config)#crypto ipsec transform-set MYTRANSFORMSET esp-aes esp-sha-hmac

And put everything together with a crypto map. Our peer is, the transform-set is called MYTRANSFORMSET and everything that matches access-list 100 should be encrypted by IPsec:

R1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp 
R1(config-crypto-map)#set peer
R1(config-crypto-map)#set transform-set MYTRANSFORMSET
R1(config-crypto-map)#match address 100

The access-list matches all traffic between and

R1(config)#access-list 100 permit ip host host

We need to make sure our router knows how to reach and also tell it that it can reach through

R1(config)#ip route
R1(config)#ip route

Last but not least, we’ll activate the crypto map on the interface:

R1(config)#interface fa0/0
R1(config-if)#crypto map CRYPTOMAP
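The seven steps above (ISAKMP policy, pre-shared key, transform set, crypto map, ACL, routes, interface binding) only work together when every reference lines up: the crypto map must point at a transform set and ACL that exist, the peer must have a pre-shared key, and the map must be bound to an interface. The following Python script is an added example (not code from the lesson or from Cisco) that parses R1's crypto commands as they would appear in a running-config into a small model and audits them for those consistency problems, and also flags parameters in this lesson that are weak by today's standards (DH group 2, SHA-1, a type 0 plaintext key). The peer and host addresses in SAMPLE_CONFIG are constructed placeholders, since the lesson's own addresses are not reproduced here.

```python
"""Parser and audit for the IOS crypto configuration built up in this lesson.
Added example, not code from the lesson or from Cisco. The addresses in
SAMPLE_CONFIG are constructed placeholders (RFC 5737 / RFC 1918 ranges)."""
from dataclasses import dataclass, field

# Constructed sample: R1's commands from the lesson as they would appear in a
# running-config, with placeholder peer and host addresses.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key 0 MYPASSWORD address 192.0.2.3
crypto ipsec transform-set MYTRANSFORMSET esp-aes esp-sha-hmac
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 192.0.2.3
 set transform-set MYTRANSFORMSET
 match address 100
access-list 100 permit ip host 10.1.1.1 host 10.3.3.3
interface FastEthernet0/0
 crypto map CRYPTOMAP
"""

# MODP groups that Cisco's Next Generation Encryption guidance no longer recommends.
WEAK_DH_GROUPS = {"1": "768-bit MODP", "2": "1024-bit MODP", "5": "1536-bit MODP"}


@dataclass
class CryptoConfig:
    isakmp_policies: dict = field(default_factory=dict)  # seq -> {attribute: value}
    isakmp_keys: dict = field(default_factory=dict)      # peer -> (key type, key)
    transform_sets: dict = field(default_factory=dict)   # name -> [transforms]
    crypto_maps: dict = field(default_factory=dict)      # (name, seq) -> {attribute: value}
    acls: dict = field(default_factory=dict)             # number -> [entries]
    interface_maps: dict = field(default_factory=dict)   # interface -> crypto map name


def parse_ios_crypto(text):
    """Build a CryptoConfig from IOS config text (crypto-related lines only)."""
    cfg = CryptoConfig()
    section = None  # ("policy", seq) | ("map", (name, seq)) | ("intf", name)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tok = raw.split()
        if not raw.startswith(" "):  # top-level command: opens or ends a section
            section = None
            if tok[:3] == ["crypto", "isakmp", "policy"]:
                section = ("policy", int(tok[3]))
                cfg.isakmp_policies[int(tok[3])] = {}
            elif tok[:3] == ["crypto", "isakmp", "key"]:
                # crypto isakmp key <0|6> <key> address <peer>
                cfg.isakmp_keys[tok[6]] = (tok[3], tok[4])
            elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg.transform_sets[tok[3]] = tok[4:]
            elif tok[:2] == ["crypto", "map"]:
                section = ("map", (tok[2], int(tok[3])))
                cfg.crypto_maps[section[1]] = {"mode": tok[4]}
            elif tok[0] == "access-list":
                cfg.acls.setdefault(int(tok[1]), []).append(" ".join(tok[2:]))
            elif tok[0] == "interface":
                section = ("intf", tok[1])
            continue
        if section is None:
            continue
        kind, key = section
        if kind == "policy":
            cfg.isakmp_policies[key][tok[0]] = " ".join(tok[1:])
        elif kind == "map" and tok[0] == "set":
            cfg.crypto_maps[key][tok[1]] = " ".join(tok[2:])
        elif kind == "map" and tok[0] == "match":
            cfg.crypto_maps[key]["match address"] = tok[2]
        elif kind == "intf" and tok[:2] == ["crypto", "map"]:
            cfg.interface_maps[key] = tok[2]
    return cfg


def audit(cfg):
    """Return (severity, message) findings: errors for a crypto map that cannot
    bring up a tunnel, warnings for parameters that are weak by current standards."""
    findings = []
    uses_psk = any(p.get("authentication") == "pre-share" for p in cfg.isakmp_policies.values())
    for (name, seq), entry in cfg.crypto_maps.items():
        tag = f"crypto map {name} {seq}"
        if entry.get("transform-set") not in cfg.transform_sets:
            findings.append(("error", f"{tag}: transform-set {entry.get('transform-set')!r} is not defined"))
        acl = entry.get("match address")
        if acl is None or int(acl) not in cfg.acls:
            findings.append(("error", f"{tag}: match address {acl!r} refers to a missing ACL"))
        peer = entry.get("peer")
        if peer is None:
            findings.append(("error", f"{tag}: no peer configured"))
        elif uses_psk and peer not in cfg.isakmp_keys:
            findings.append(("error", f"{tag}: no pre-shared key for peer {peer}"))
        if name not in cfg.interface_maps.values():
            findings.append(("error", f"{tag}: not applied to any interface"))
    for seq, pol in cfg.isakmp_policies.items():
        if pol.get("group") in WEAK_DH_GROUPS:
            findings.append(("warning", f"isakmp policy {seq}: DH group {pol['group']} is {WEAK_DH_GROUPS[pol['group']]}; use group 14 or higher"))
        if pol.get("hash") == "sha":
            findings.append(("warning", f"isakmp policy {seq}: 'hash sha' is SHA-1; prefer sha256"))
    for peer, (key_type, _) in cfg.isakmp_keys.items():
        if key_type == "0":
            findings.append(("warning", f"pre-shared key for {peer} is stored as plaintext (type 0)"))
    for name, transforms in cfg.transform_sets.items():
        if "esp-sha-hmac" in transforms:
            findings.append(("warning", f"transform-set {name}: esp-sha-hmac is HMAC-SHA-1; prefer esp-sha256-hmac"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_ios_crypto(SAMPLE_CONFIG)):
        print(f"{severity:8} {message}")
```

Run against the lesson's R1 configuration, the audit reports no errors (every reference resolves and the map is bound to fa0/0) and four warnings for the dated parameters; changing `match address 100` to an undefined ACL number, or configuring the key for a different address than the `set peer`, produces an error for each, which are the two mistakes that most often leave phase 1 or phase 2 silently failing to negotiate.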

That’s all we have to do on R1. Now we’ll create a similar configuration on R3:

Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hello Lazare,

    You answered me very clearly and you have simplified it for me. Are there any sources that you know of that can help me learn more about IPsec? Not about configuration, because Rene explains it very nicely, but details about the protocols that we use. For example, could we use HMAC with a PKI player (private/public key) instead of pre-shared key authentication? Now you understand how much all these concepts confuse my mind. :smile:

    Thanks a lot

  2. Hello Laz,
    It is helpful.
    Thanks again for the information you have given me.

  3. Hello Heng

    A hash function is a function or algorithm that can be used to map data of any size to a set of data of fixed size. So you can for example take various names of various lengths, process them through a hash function and come up with a set of data of fixed size, two digits for example, as shown in the following diagram:


    The input of a hash function is called a key and the output is called a hash.

    Hash functions can be useful in cryptography if the

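The two properties the reply above describes, a fixed-size output for input of any size, and the keyed form (HMAC) that the lesson's `esp-sha-hmac` transform relies on, can be seen directly in Python. This is an added example, not code from the forum post or the lesson; the key and ESP packet bytes are constructed sample values, and the 96-bit truncation follows RFC 2404's HMAC-SHA-1-96 as used in ESP.

```python
"""Added example (not from the forum post): what the hash and HMAC in
'esp-sha-hmac' contribute. All keys and packet bytes below are constructed."""
import hashlib
import hmac


def fixed_size_digest(data: bytes) -> str:
    """SHA-1 always yields 20 bytes (40 hex characters), whatever the input length."""
    return hashlib.sha1(data).hexdigest()


def esp_icv(key: bytes, esp_packet: bytes) -> bytes:
    """Integrity Check Value as HMAC-SHA-1-96 computes it for ESP: HMAC over the
    ESP header (SPI, sequence number) and the encrypted payload, keyed with the
    integrity key from IKE phase 2, truncated to the first 96 bits (12 bytes)."""
    return hmac.new(key, esp_packet, hashlib.sha1).digest()[:12]


def verify_esp(key: bytes, esp_packet: bytes, icv: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(esp_icv(key, esp_packet), icv)


def tamper_demo():
    """Show that the HMAC detects a modified packet and a wrong key.
    Returns (genuine_ok, tampered_ok, wrong_key_ok)."""
    key = b"constructed-integrity-key-from-ike-phase-2"  # would be derived by IKE
    spi = b"\x00\x00\x10\x01"            # constructed SPI
    seq = b"\x00\x00\x00\x07"            # constructed sequence number
    ciphertext = b"encrypted inner IP packet bytes (constructed)"
    packet = spi + seq + ciphertext
    icv = esp_icv(key, packet)

    genuine_ok = verify_esp(key, packet, icv)
    # One bit of ciphertext flipped in transit: the ICV no longer matches.
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])
    tampered_ok = verify_esp(key, tampered, icv)
    # A receiver without the negotiated key cannot produce a matching ICV either.
    wrong_key_ok = verify_esp(b"some-other-key", packet, icv)
    return genuine_ok, tampered_ok, wrong_key_ok


if __name__ == "__main__":
    for sample in (b"Heng", b"Lazaros", b"x" * 5000):
        print(len(sample), "bytes ->", fixed_size_digest(sample))
    print("genuine, tampered, wrong key:", tamper_demo())
```

The digest alone gives integrity against accidental corruption only; anyone can recompute SHA-1 over altered bytes. Binding the digest to the IKE-negotiated key is what lets the receiving router reject packets that a third party modified or forged, which is why ESP is configured with `esp-sha-hmac` rather than a bare hash.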

  4. I have followed the same steps to configure the IPsec tunnel.
    But I could not do it. I got the debug log below. But when I tried to do this with only 2 routers it worked. But when the third router is in place I could not do it.

    *Oct  5 12:59:14.479: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Oct  5 12:59:14.479: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
    *Oct  5 12:59:14.479: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Oct  5 12:59:14.483: ISAKMP:(0):
    *Oct  5 12
