!--- Enables the IKE policy configuration (config-isakmp)
!--- command mode, where you can specify the parameters that
!--- are used during an IKE negotiation.
!--- Enables the crypto transform configuration mode,
!--- where you can specify the transform sets that are used
!--- during an IPSec negotiation.
!
crypto map mymap 10 ipsec-isakmp
!--- Indicates that IKE is used to establish
!--- the IPSec security association for protecting the
!--- traffic specified by this crypto map entry.
set peer 200.1.2.1
!--- Sets the IP address of the remote end.
set transform-set myset
!--- Configures IPSec to use the transform-set
!--- "myset" defined earlier in this configuration.
match address 110
!--- Specifies the traffic to be encrypted (crypto ACL 110, defined below).
crypto map mymap 20 ipsec-isakmp
set peer 200.1.3.1
set transform-set myset
match address 120
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 200.1.1.1 255.255.255.0
no ip route-cache
!--- You must enable process switching for IPSec
!--- to encrypt outgoing packets. This command disables fast switching.
no ip mroute-cache
crypto map mymap
!--- Configures the interface to use the
!--- crypto map "mymap" for IPSec.
!
!--- Output suppressed.
ip classless
ip route 172.16.1.0 255.255.255.0 Ethernet0
ip route 192.168.1.0 255.255.255.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
ip http server
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!--- These crypto ACL permit entries identify the traffic flows
!--- to be protected by encryption; ACL 110 is referenced by
!--- crypto map entry 10 (spoke 1) and ACL 120 by entry 20 (spoke 2).
!--- Each spoke's crypto ACL must be the mirror image of the hub's.
Spoke 1 Router
2509a#show running-config
Building configuration...

Current configuration : 1203 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 2509a
!
enable secret 5 $1$DOX3$rIrxEnTVTw/7LNbxi.akz0
!
ip subnet-zero
no ip domain-lookup
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- The IKE policy, pre-shared key and transform set are the example
!--- values used throughout this page. DES, MD5 and a short dictionary
!--- key such as cisco123 are weak by current standards; a production
!--- deployment would use AES, SHA-2 and a strong, unique pre-shared
!--- key (or certificate authentication).
!
crypto map mymap 10 ipsec-isakmp
set peer 200.1.1.1
set transform-set myset
match address 110
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0
ip address 200.1.2.1 255.255.255.0
no ip route-cache
no ip mroute-cache
crypto map mymap
!
. .
!--- Output suppressed.
.
.
ip classless
ip route 10.1.1.0 255.255.255.0 Ethernet0
ip route 192.168.1.0 255.255.255.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
no ip http server
!
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
end
2509a#
Spoke 2 Router
VPN2509#show running-config
Building configuration...

Current configuration : 1117 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
!
hostname VPN2509
!
.
.
ip classless
ip route 10.1.1.0 255.255.255.0 Ethernet0
ip route 172.16.0.0 255.255.0.0 Ethernet0
ip route 200.1.0.0 255.255.0.0 Ethernet0
no ip http server
!
access-list 120 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
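The most common reason a hub-and-spoke setup like this one fails IKE phase 2 is that a spoke's crypto ACL is not the exact mirror image of the hub's entry for that spoke (a mistyped wildcard, or a subnet present on one side only). The script below is an added example, not part of this Cisco document: it transcribes the crypto ACLs shown above for the hub, spoke 1 and spoke 2, parses each `access-list N permit ip` entry into source/destination networks, and reports any flow that the peer does not mirror. The `BAD_SPOKE1_ACLS` text is a constructed variant with one wildcard typed as `0.0.255.255`, included to show what a mismatch report looks like.

```python
import ipaddress

# Crypto ACLs transcribed from the hub, spoke 1 and spoke 2 configs on this page.
HUB_ACLS = """
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
SPOKE1_ACLS = """
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
SPOKE2_ACLS = """
access-list 120 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
# Constructed (not from the page): spoke 1 with one wildcard mistyped as 0.0.255.255.
BAD_SPOKE1_ACLS = """
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.255.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Convert Cisco 'address wildcard' notation to an IPv4Network.

    Done explicitly rather than via ipaddress's hostmask heuristic, which
    would read '0.0.0.0' as /0 (Cisco means /32) and '255.255.255.255' as
    /32 (Cisco means any).
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ~wc & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _endpoint(tokens, i):
    """Parse one ACL endpoint starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acls(config):
    """Return {acl_number: {(src_network, dst_network), ...}} for 'permit ip' entries.

    Only the numbered 'access-list N permit ip SRC DST' form used on this
    page is handled; deny entries and other protocols are ignored.
    """
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
            continue
        src, i = _endpoint(tokens, 4)
        dst, _ = _endpoint(tokens, i)
        acls.setdefault(tokens[1], set()).add((src, dst))
    return acls


def mirror_mismatches(local_flows, remote_flows):
    """Return (local flows the peer does not mirror, remote flows we do not mirror).

    A flow (src, dst) on one side is mirrored when (dst, src) exists on the
    other. Each list holds ('src/len', 'dst/len') string pairs; both lists
    empty means the proxy identities agree.
    """
    def fmt(flows):
        return sorted((str(s), str(d)) for s, d in flows)

    remote_mirrored = {(d, s) for s, d in remote_flows}
    local_mirrored = {(d, s) for s, d in local_flows}
    return fmt(local_flows - remote_mirrored), fmt(remote_flows - local_mirrored)


if __name__ == "__main__":
    hub = parse_crypto_acls(HUB_ACLS)
    for name, cfg, acl in (("spoke 1", SPOKE1_ACLS, "110"),
                           ("spoke 2", SPOKE2_ACLS, "120"),
                           ("bad spoke 1", BAD_SPOKE1_ACLS, "110")):
        not_on_spoke, not_on_hub = mirror_mismatches(hub[acl], parse_crypto_acls(cfg)[acl])
        status = "OK" if not (not_on_spoke or not_on_hub) else "MISMATCH"
        print(f"hub ACL {acl} vs {name}: {status} {not_on_spoke} {not_on_hub}")
```

The check is purely on proxy identities (the crypto ACLs); it does not validate that `set peer` addresses, transform sets or pre-shared keys agree, which are the other things to compare when `debug crypto isakmp` reports a phase 2 proposal failure.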