IPSEC – Site to site VPN

crypto isakmp policy <N> * N = priority; the lowest number is tried first

authentication pre-share
encryption <3DES/AES/DES> * AES preferred
group <1/2/5> * Diffie-Hellman group
hash <MD5/SHA>
lifetime <T> * in Seconds

crypto isakmp key <0/6> <KEY> address 1.1.1.1 * 1.1.1.1 = the remote peer address

crypto ipsec transform-set <TRANS NAME> esp-aes esp-sha-hmac

mode <TUNNEL/TRANSPORT>

crypto ipsec security-association lifetime <T>

access-list 123 permit ip <SOURCE NET> <SOURCE WILDCARD> <DEST NET> <DEST WILDCARD>

crypto map <MAP NAME> <SEQ> ipsec-isakmp

match address 123
set peer <REMOTE ADDR>
set transform-set <TRANS NAME>

interface <OUTSIDE IF> * e.g. Dialer0

crypto map <MAP NAME>

Notes:

QM_IDLE = Good!

MM_NO_STATE = Phase 1 (IKE) problem – check the public-facing inbound ACLs

MM_KEY_EXCH = Bad peer address or key problem

On public-facing inbound ACLs allow:

ESP – Protocol 50

AH – Protocol 51

IKE – UDP port 500

Tacacs+

Enable aaa (beware: this replaces the current authentication methods on all lines):

aaa new-model

Define the tacacs+ server:

tacacs-server host 1.2.3.4
tacacs-server key 0null0

Define an aaa authentication method list named 'VTY' that uses the tacacs+ server group:

aaa authentication login VTY group tacacs+

Apply it to the vty (telnet) lines:

line vty 0 5
login authentication VTY
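As an added example (not part of the original notes), the following Python script audits a running-config containing the ISAKMP, IPsec and TACACS+ commands from both sections above and flags the weak choices the notes warn about: DES/3DES or MD5 in the ISAKMP policy, low Diffie-Hellman groups, weak transform-set algorithms, type-0 (cleartext) keys, and a login method list with no local fallback. The config text, peer addresses and key values are constructed for the example.

```python
# Constructed sample config using the commands from the notes above; not a real device.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 hash md5
crypto isakmp key 0 s3cret address 203.0.113.1
crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS1
tacacs-server host 192.0.2.10
tacacs-server key 0 tacacskey
aaa authentication login VTY group tacacs+
line vty 0 4
 login authentication VTY
"""

WEAK_ENCRYPTION = {"des", "3des"}                          # isakmp 'encryption' values to flag
WEAK_DH_GROUPS = {"1", "2", "5"}                           # isakmp 'group' values to flag
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}  # transform-set algorithms to flag


def audit_ios_config(config: str) -> list[str]:
    """Scan IOS config lines and return human-readable findings (empty list = clean)."""
    findings = []
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if len(tokens) < 2:          # skip blank lines and one-word lines such as 'exit'
            continue
        cmd = tokens[0]
        if cmd == "encryption" and tokens[1].lower() in WEAK_ENCRYPTION:
            findings.append(f"isakmp encryption {tokens[1]} is weak; use aes")
        elif cmd == "hash" and tokens[1].lower() == "md5":
            findings.append("isakmp hash md5 is weak; use sha")
        elif cmd == "group" and tokens[1] in WEAK_DH_GROUPS:
            findings.append(f"isakmp DH group {tokens[1]} is weak; use group 14 or higher")
        elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in tokens[4:]:     # tokens[3] is the transform-set name
                if t.lower() in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {tokens[3]} uses weak {t}")
        elif (tokens[:4] == ["crypto", "isakmp", "key", "0"]
              or tokens[:3] == ["tacacs-server", "key", "0"]):
            findings.append(f"{cmd}: key stored in cleartext (type 0); use an encrypted key type")
        elif tokens[:3] == ["aaa", "authentication", "login"] and "local" not in tokens:
            findings.append(f"method list {tokens[3]} has no local fallback; "
                            "lockout risk if the tacacs+ server is unreachable")
    return findings
```

Run `audit_ios_config(SAMPLE_CONFIG)` to list the findings; a policy using aes, sha and group 14 with type-6 keys and a `local` fallback returns an empty list.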