Get Full Access to our 717 Cisco Lessons Now Start $1 Trial
You are here: Home » Security

Cisco IPsec Tunnel Mode Configuration

In this lesson, I will show you how to configure two Cisco IOS routers to use IPSec in Tunnel mode. This means that the original IP packet will be encapsulated in a new IP packet and encrypted before it is sent out of the network. For this demonstration I will be using the following 3 routers:

R1 R2 R3 Ipsec Tunnel Mode

R1 and R3 each have a loopback interface behind them with a subnet. We’ll configure the IPsec tunnel between these two routers so that traffic from 1.1.1.1/32 to 3.3.3.3/32 is encrypted. R2 is just a router in the middle so that R1 and R3 are not directly connected. Let’s start with the configuration on R1!

Configuration

First, we will configure the phase 1 policy for ISAKMP where we configure the encryption (AES) and use a pre-shared key for authentication. We use DH group 2:

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2

For each peer, we need to configure the pre-shared key. I’ll pick something simple like “MYPASSWORD” :

R1(config)#crypto isakmp key 0 MYPASSWORD address 192.168.23.3

Now we’ll configure phase 2 with the transform-set:

R1(config)#crypto ipsec transform-set MYTRANSFORMSET esp-aes esp-sha-hmac

And put everything together with a crypto map. Our peer is 192.168.23.3, the transform-set is called MYTRANSFORMSET and everything that matches access-list 100 should be encrypted by IPSEC:

R1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp 
R1(config-crypto-map)#set peer 192.168.23.3
R1(config-crypto-map)#set transform-set MYTRANSFORMSET
R1(config-crypto-map)#match address 100

The access-list matches all traffic between 1.1.1.1 and 3.3.3.3:

R1(config)#access-list 100 permit ip host 1.1.1.1 host 3.3.3.3

We need to make sure our router knows how to reach 192.168.23.3 and also tell it that it can reach 3.3.3.3 through 192.168.23.3:

R1(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2
R1(config)#ip route 3.3.3.3 255.255.255.255 192.168.23.3

Last but not least, we’ll activate the crypto map on the interface:

R1(config)#interface fa0/0
R1(config-if)#crypto map CRYPTOMAP

That’s all we have to do on R1. Now we’ll create a similar configuration on R3:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 717 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
Give Membership a try - it's just $1 ►

496 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  1. Geia sou Lazare ,

    your answered me very clear and you have simplified it for me . Are there any sources that you know that they can help me to learn more about IPsec . Not about configuraton because Rene explains about it very nice but for details about the protocols that we use . Like could we use HMAC with PKI player ( private- public key )instead for pre-share key authentication ? Now you understand how much confuse my mind all these concepts. :smile:

    Thanks a lot

  2. Hello Laz ,
    It is helpful
    Thanks again about the information you have gave me

  4. I have followed the same steps to config the ipsec tunnel.
    But could not do it.I got the below debug log.But when I have tried to do this by only placing 2 router it worked.But when the third router is in the place I could not do it.

    *Oct  5 12:59:14.479: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct  5 12:59:14.479: ISAKMP:(0): sending packet to 192.168.12.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct  5 12:59:14.479: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct  5 12:59:14.483: ISAKMP:(0):
R2#Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct  5 12
    ... Continue reading in our forum

32 more replies! Ask a question or join the discussion by visiting our Community Forum

We use cookies to give you the best personal experience on our website. By using our website, you agree to our use of cookies Read more.