Standard [3DES], Advanced Encryption Standard [AES], or Software Encryption Algorithm [SEAL]), Hashed Message Authentication Code (HMAC) (Secure Hash Algorithm 1 [SHA-1] or Message Digest 5 [MD5]), IKE authentication method (pre-shared secret keys or digital certificates), DH group (1, 2, or 5), and IKE lifetime
  • IPsec transform sets: Encryption algorithm (DES, 3DES, AES, or SEAL), HMAC (SHA-1 or MD5), mode of operation (tunnel or transport), and compression
  • Traffic to protect: Defining single source and destination subnets or an ACL for more complex VPNs

Content 3.4 Configuring IPsec Site-to-Site VPN Using SDM
3.4.5 Using the Step-by-Step Wizard

Configuring Connection Settings
    The figure shows the first task in the step-by-step setup, configuring connection settings:
    Step 1 Choose the outside interface that will carry traffic to the IPsec peer over the untrusted network.
    Step 2 Specify the IP address of the peer. This is the peer's reachable outside (next-hop) address, not the address of its internal LAN interface.
    Step 3 Choose the authentication method (Pre-shared keys or Digital Certificates) and supply the credentials. Use long, random pre-shared keys so that an attacker who captures the IKE exchange cannot recover the key by a brute-force or dictionary attack.
    Step 4 Click Next to proceed to the next task.

Configuring IKE Proposals
    The second task in the step-by-step setup is to configure IKE proposals using the screen shown in the figure:
    Step 1 SDM predefines a default IKE proposal. You can use this proposal (and skip Step 2) or add new proposals.
    Step 2 To use a custom IKE proposal, click Add and specify the parameters listed earlier in this section: encryption algorithm, HMAC, authentication method, DH group, and IKE lifetime.
    Step 3 When you finish adding IKE policies, click Next to proceed to the next task.

Configuring the Transform Set
    The third task in the step-by-step setup is configuring a transform set using the screen shown in the figure:
    Step 1 SDM predefines a default IPsec transform set. You can use this transform set (and skip Step 2) or add new transform sets.
    Step 2 To use a custom IPsec transform set, click Add and specify the parameters listed earlier in this section: encryption algorithm, HMAC, mode of operation, and compression.
    Step 3 When finished, click Next to proceed to the next task.

Identifying the Traffic to Protect
    There are two ways to define the traffic that you want to protect. You can use the simple mode, which protects traffic between one pair of IP subnets, or you can use an ACL.

Option 1: Simple Mode (Single Source and Destination Subnet)
    To protect traffic between a particular pair of IP subnets, follow these steps, as shown in the figure:
    Step 1 Click the Protect all traffic between the following subnets radio button.
    Step 2 Under Local Network, enter the IP address and subnet mask of the local network where IPsec traffic originates.
    Step 3 Under Remote Network, enter the IP address and subnet mask of the remote network to which IPsec traffic is sent.

Option 2: Using an ACL
    Alternatively, you can use an ACL to define a more complex set of proxy identities for the traffic to protect, as shown in the figure. To specify an IPsec rule that defines the traffic types to protect, follow these steps:
    Step 1 Click the Create/Select an access-list for IPSec traffic radio button.
    Step 2 Click the ... button on the right side of the ACL field to choose an existing ACL or create a new one.
    Step 3 If the ACL that you want to use already exists, choose the Select an existing rule (ACL) option. To create a new ACL, choose the Create a new rule (ACL) and select option.
    When creating a new ACL to define the traffic that needs protection, use the Add a Rule window shown in the figure and follow these steps:
    Step 1 Give the access rule a name and a description in the appropriate fields.
    Step 2 Click Add to start adding rule entries. The Add an Extended Rule Entry window appears.
    The figure shows the screen you use to configure a new rule entry:
    Step 1 Under Action, select an action from the drop-down menu and write a description of the rule entry in the Description field.
    Step 2 Each rule entry defines one pair of source and destination addresses or networks. Enter the type, IP address, and wildcard mask for each network under the Source Host/Network and Destination Host/Network sections.
    Note
    You must use wildcard bits instead of subnet masks (for example, 0.0.0.255 for a /24 network, not 255.255.255.0). The ACL on the remote peer must be the mirror image of this one; if the proxy identities on the two peers do not match, IKE Phase 2 negotiation fails and no IPsec SA is built.
    Step 3 Optionally, you can protect individual Open Systems Interconnection (OSI) Layer 4 protocols by selecting the required protocol radio button (TCP or UDP) and the required port numbers under Protocol and Service. If the rule applies to all IP traffic, leave the default radio button setting (IP).
    As before, a summary of the configuration is then displayed. If necessary, click Back to modify or correct the configuration. Click Finish to complete the configuration.
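The Cisco IOS CLI configuration equivalent to what the four wizard tasks above produce (connection settings, IKE proposal, transform set, and the ACL that defines the protected traffic), added here as a worked example; it is neither text from the original page nor the configuration SDM itself generates. The interface name, the RFC 5737 documentation addresses, the object names and the placeholder key are assumptions. A weak IKE policy (DES, MD5, DH group 1), which the wizard also lets you select, is included commented out for contrast with the recommended one:

```cisco
! Added example (not SDM output). Addresses, names and the key are placeholders.
!
! --- IKE proposal (wizard task 2) ---
! Weak combination, shown only for contrast; DES, MD5 and 768-bit DH group 1
! are all considered broken or marginal today. Do not deploy this policy.
! crypto isakmp policy 20
!  encryption des
!  hash md5
!  authentication pre-share
!  group 1
!
! Recommended proposal: AES-256, SHA-1 HMAC, DH group 5, pre-shared key.
! Lower policy numbers are tried first, so keep the strongest policy lowest.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! --- Connection settings (wizard task 1): peer address and credential ---
! The key is bound to the peer's reachable outside address, not its LAN.
! Replace the placeholder with a long random string. Without
! "key config-key password-encrypt" plus "password encryption aes" the key
! is stored in the running configuration in cleartext.
crypto isakmp key CHANGEME-LongRandomKeyPlaceholder address 203.0.113.1
!
! --- IPsec transform set (wizard task 3) ---
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! --- Traffic to protect (wizard task 4, ACL option) ---
! Wildcard masks, not subnet masks: 0.0.0.255 is the /24 wildcard.
! The peer's ACL must be the mirror image (10.2.2.0/24 -> 10.1.1.0/24).
ip access-list extended VPN-TRAFFIC
 remark Local LAN 10.1.1.0/24 to remote LAN 10.2.2.0/24
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! --- Crypto map: ties peer, transform set and protected traffic together ---
crypto map VPN-MAP 10 ipsec-isakmp
 description Site-to-site tunnel to remote office
 set peer 203.0.113.1
 set transform-set TS-AES-SHA
 match address VPN-TRAFFIC
!
! Applied to the outside interface chosen in wizard step 1.
interface FastEthernet0/1
 description Outside (untrusted) interface
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN-MAP
```

The same structure, with the peer address, local and remote subnets swapped, is what the remote router needs; the pre-shared key must be identical on both sides.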
Content 3.4 Configuring IPsec Site-to-Site VPN Using SDM
3.4.6 Test, Monitor, and Troubleshoot Tunnel Configuration and Operation
    After the site-to-site tunnel has been created, you can immediately see the tunnel's status by clicking the Edit Site to Site VPN tab on the Configure page of the Site to Site VPN wizard. The screen shown in the figure appears. Click Test Tunnel to run a test that determines whether the tunnel configuration is correct. Clicking Generate Mirror generates a mirroring configuration that you can use to configure the router at the other end of the tunnel. This is useful if the router at the other end does not have Cisco SDM and you must configure the tunnel from the CLI. Because the mirror configuration contains everything the peer needs to authenticate to this router, treat it as sensitive.

Monitor Tunnel Operation
    The monitoring page, shown in the figure, displays the status of the tunnel. To see all IPsec tunnels, their parameters, and their status, follow this procedure:
    Step 1 Click the Monitor icon in the top navigation bar.
    Step 2 Click the VPN Status icon in the left vertical navigation bar.
    Step 3 Click the IPSec Tunnels tab.

Test and Monitor Tunnel Configuration and Operation
    Use show commands to determine the status of IPsec VPN connections. The figure shows sample output from the show crypto isakmp sa command after IKE negotiation has completed successfully between two peers. A further figure shows sample output from the show crypto ipsec sa command.

Troubleshooting
    Use a console or terminal session to the Cisco IOS router if you want to use debugging commands to troubleshoot VPN connectivity. The debug crypto isakmp EXEC command displays detailed information about the IKE Phase 1 and Phase 2 (quick mode) negotiation, and debug crypto ipsec shows the creation and deletion of the IPsec SAs. Debug output is verbose and consumes router CPU, so enable it only while reproducing the problem and turn it off with undebug all afterwards.
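A verification and troubleshooting sequence run from the router CLI, added here as an example; it is not taken from the page or its figures. The router prompt, the peer address 203.0.113.1, the outside address 192.0.2.1, and the 10.1.1.0/24 and 10.2.2.0/24 LANs are assumptions, and the command output is constructed and trimmed to the lines worth checking:

```cisco
! Added example. Addresses are placeholders; output below is constructed
! and abbreviated to the fields a practitioner should inspect.
!
! 1. Generate interesting traffic. The tunnel is negotiated on demand, so a
!    ping sourced from the LAN address (which matches the crypto ACL) triggers
!    IKE; a ping sourced from the outside interface would not.
Router# ping 10.2.2.1 source 10.1.1.1
!
! 2. IKE Phase 1. QM_IDLE with status ACTIVE means Phase 1 completed and
!    quick mode (Phase 2) is idle, i.e. healthy. MM_NO_STATE, or no entry at
!    all, means the peer never answered or the policies/keys did not match.
Router# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     192.0.2.1       QM_IDLE           1001 ACTIVE
!
! 3. IPsec Phase 2. The local/remote idents must mirror the peer's ACL, and
!    both the encaps and decaps counters must rise after the ping. Encaps
!    rising while decaps stays at 0 points at the remote side (its ACL,
!    its routing back to 10.1.1.0/24, or an upstream filter on ESP/UDP 500).
Router# show crypto ipsec sa | include ident|encaps|decaps|peer
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 203.0.113.1 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
!
! 4. Only if steps 2 or 3 fail: enable debugging, re-trigger the traffic, read
!    the negotiation messages, then disable debugging. "terminal monitor" is
!    needed to see debug output on a vty session (console shows it by default).
Router# terminal monitor
Router# debug crypto isakmp
Router# debug crypto ipsec
Router# ping 10.2.2.1 source 10.1.1.1
Router# undebug all
```

Clearing the SAs (clear crypto isakmp and clear crypto sa) and re-triggering the ping forces a fresh negotiation, which is the quickest way to confirm that a configuration change on either peer has taken effect.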
Content 3.5 Configuring GRE Tunnels over IPsec
3.5.1 Generic Routing Encapsulation
    Generic routing encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link between Cisco routers at remote points over an IP internetwork. By connecting multiprotocol subnetworks across a single-protocol backbone, GRE tunneling lets a network expand over a backbone that itself carries only IP. GRE on its own provides no confidentiality, integrity, or peer authentication, which is why it is carried over IPsec in this section. Routing protocols that are used across the tunnel