How to Configure IPsec to Cisco IOS Using Pre-shared Key Authentication



This guide covers configuration of IPsec between Peplink and Cisco IOS devices using pre-shared key authentication. The example configuration assumes the following settings:

IPsec VPN Settings

Peplink WAN1 IP Address: 210.211.10.5
Peplink WAN2 IP Address: 88.20.8.20
Peplink LAN Network: 192.168.2.0/24
Cisco WAN IP Address: 66.80.3.1
Cisco LAN Network: 192.168.1.0/24
Pre-shared Key: abc8009008
IPsec Phase 1 Authentication: SHA-1
IPsec Phase 1 Encryption: AES-128
IPsec Phase 1 DH Group: 2
IPsec Phase 2 Authentication: SHA-1
IPsec Phase 2 Encryption: AES-128
IPsec Phase 2 PFS Group: 2

Configuring Cisco IOS

The following example configuration is based on Cisco IOS 12.4 and implements the example settings above:

!-- Configure an ISAKMP policy
!-- Phase 1 negotiations
!-- (no hash line: the IOS 12.4 default is SHA-1)

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2

!-- Specify the pre-shared key "abc8009008" for Peplink's WAN1 and WAN2

crypto isakmp key abc8009008 address 210.211.10.5
crypto isakmp key abc8009008 address 88.20.8.20

!-- Configure IPsec policies and specify the transform sets
!-- Phase 2 negotiations

crypto ipsec transform-set aes256 esp-aes 256 esp-sha-hmac

!-- Create crypto map for IKE establishment
!-- Set peers to remote Peplink WAN IPs
!-- Specify IPsec to use the transform-set "aes256" configured above
!-- Match address specifies the traffic to be encrypted

crypto map cisco 10 ipsec-isakmp
 set peer 210.211.10.5
 set peer 88.20.8.20
 set transform-set aes256
 match address 100

!-- External WAN interface

interface FastEthernet0/0
 ip address 66.80.3.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco

!-- Internal LAN interface

interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto

ip route 0.0.0.0 0.0.0.0 66.80.3.254

!-- Define access list for IPsec traffic from subnet 192.168.1.0/24 to 192.168.2.0/24
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
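
Both ends of the tunnel have to be configured with the same Phase 1 and Phase 2 parameters, so it is worth checking the IOS lines against the settings list before pasting them. The following Python check is an added example, not part of the original guide: it parses the proposal-related IOS lines and reports every parameter that differs from the list. The dictionary keys and function names are this example's own, and the fallback values are the IOS 12.4 ISAKMP policy defaults.

```python
import re

# Values from the guide's settings list, normalised by hand for this example.
EXPECTED = {"p1_enc": "aes-128", "p1_hash": "sha", "p1_dh": "2",
            "p2_enc": "aes-128", "p2_hash": "sha", "p2_pfs": "2"}

# Proposal-related lines of the guide's IOS listing, tidied so they parse.
IOS_CONFIG = """\
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto ipsec transform-set aes256 esp-aes 256 esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
"""

def enc_name(alg, bits):
    return f"aes-{bits or 128}" if alg == "aes" else alg  # bare "aes" = 128-bit

def parse_ios(text):
    """Return the Phase 1/2 parameters proposed (one policy, one transform set)."""
    # Unset Phase 1 values use IOS 12.4 defaults; PFS is off without "set pfs".
    got = {"p1_enc": "des", "p1_hash": "sha", "p1_dh": "1",
           "p2_enc": None, "p2_hash": None, "p2_pfs": None}
    in_policy = False
    for raw in text.lower().splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue  # blank line or IOS comment
        if w[0] == "crypto":
            in_policy = w[1:3] == ["isakmp", "policy"]
            if w[1:3] == ["ipsec", "transform-set"]:
                enc = re.search(r"esp-(aes|3des|des)(?: (\d+))?", raw)
                mac = re.search(r"esp-(sha|md5)-hmac", raw)
                got["p2_enc"] = enc_name(*enc.groups()) if enc else None
                got["p2_hash"] = mac.group(1) if mac else None
        elif in_policy and w[0].startswith("encr"):
            got["p1_enc"] = enc_name(w[1], w[2] if len(w) > 2 else None)
        elif in_policy and w[0] in ("hash", "group"):
            got["p1_hash" if w[0] == "hash" else "p1_dh"] = w[1]
        elif w[:2] == ["set", "pfs"]:
            got["p2_pfs"] = w[2].replace("group", "") if len(w) > 2 else "1"
    return got

def mismatches(expected, got):  # parameter -> (settings value, configured value)
    return {k: (v, got[k]) for k, v in expected.items() if got[k] != v}

if __name__ == "__main__":
    print(mismatches(EXPECTED, parse_ios(IOS_CONFIG)))
```

Run on the listing as printed, it reports AES-256 configured against AES-128 in the settings list for both phases, and no `set pfs` line for the listed PFS group 2. Whichever value is intended, both ends must be set to it.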

Peplink Configuration

