This guide covers configuration of IPsec between Peplink and Cisco IOS devices using pre-shared key authentication. The example configuration assumes the following settings:
IPsec VPN Settings
Peplink WAN1 IP Address: 210.211.10.5
Peplink WAN2 IP Address: 88.20.8.20
Peplink LAN Network: 192.168.2.0/24
Cisco WAN IP Address: 66.80.3.1
Cisco LAN Network: 192.168.1.0/24
Pre-Shared Key: abc8009008
IPsec Phase 1 Authentication: SHA-1
IPsec Phase 1 Encryption: AES-128
IPsec Phase 1 DH Group: 2
IPsec Phase 2 Authentication: SHA-1
IPsec Phase 2 Encryption: AES-128
IPsec Phase 2 PFS Group: 2
Configuring Cisco IOS
The following example configuration is based on Cisco IOS 12.4 and implements the example settings above:
! Configure an ISAKMP policy
! Phase 1 negotiations: AES-128 (a bare "aes" selects the 128-bit key), SHA-1, DH group 2
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
! Specify the pre-shared key "abc8009008" for Peplink's WAN1 and WAN2
crypto isakmp key abc8009008 address 210.211.10.5
crypto isakmp key abc8009008 address 88.20.8.20
! Configure IPsec policies and specify the transform sets
! Phase 2 negotiations: AES-128 with SHA-1 HMAC
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
! Create crypto map for IKE establishment
! Set peers to remote Peplink WAN IPs
! Specify IPsec to use the transform-set "aes128" configured above
! Enable PFS with DH group 2 for Phase 2
! Match address specifies the traffic to be encrypted
crypto map cisco 10 ipsec-isakmp
 set peer 210.211.10.5
 set peer 88.20.8.20
 set transform-set aes128
 set pfs group2
 match address 100
! External WAN Interface
interface FastEthernet0/0
 ip address 66.80.3.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
! Internal LAN Interface
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
ip route 0.0.0.0 0.0.0.0 66.80.3.254
! Define access list for IPsec traffic from subnet 192.168.1.0/24 to 192.168.2.0/24
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
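
Both ends of the tunnel must offer the same Phase 1 and Phase 2 parameters, so it helps to check a Cisco configuration against the settings list before applying it. The following Python script is an added example, not part of the original guide or of any Peplink or Cisco tooling; it assumes a single ISAKMP policy and a single crypto map, and its function names, dictionary keys and sample configuration are constructed for illustration.

```python
import re

# Expected values are the settings listed on this page; all names here are
# hypothetical, and SAMPLE is a constructed config with a placeholder key.
EXPECTED = {"p1_enc": "aes 128", "p1_hash": "sha", "p1_group": "2",
            "p2": "esp-aes 128 esp-sha-hmac", "pfs": "group2",
            "peers": {"210.211.10.5", "88.20.8.20"}}

PATTERNS = {  # regexes matched against one stripped, lower-cased line
    "p1_enc": r"encr(?:yption)? (.+)$",
    "p1_hash": r"hash (\S+)$",
    "p1_group": r"group (\d+)$",
    "p2": r"crypto ipsec transform-set \S+ (esp-.+)$",
    "peers": r"set peer (\S+)$",
    "pfs": r"set pfs (\S+)$",
}

SAMPLE = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 210.211.10.5
crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 210.211.10.5
 set peer 88.20.8.20
 set transform-set ts
 match address 100
"""

def parse_ios(text):
    """Extract IPsec proposal parameters (one ISAKMP policy, one crypto map)."""
    # No "hash" line means the SHA-1 default; no "set pfs" means PFS is off.
    found = {"p1_hash": "sha", "pfs": None, "peers": set()}
    for line in map(str.strip, text.lower().splitlines()):
        for key, rx in PATTERNS.items():
            if m := re.match(rx, line):
                # A bare "aes"/"esp-aes" means a 128-bit key on IOS.
                value = re.sub(r"aes(?! \d)", "aes 128", m[1])
                if key == "peers":
                    found[key].add(value)
                else:
                    found[key] = value
    return found

def mismatches(text, expected=EXPECTED):
    """Return the sorted names of settings that differ from the expected ones."""
    found = parse_ios(text)
    return sorted(k for k in expected if found.get(k) != expected[k])
```

Calling `mismatches(SAMPLE)` reports the 256-bit key size in both phases and the missing PFS group, each of which differs from the settings list.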