To help you better understand the setup of an L2L connection, I will show you an example. This example uses the network in Figure 19-2 for this L2L connection. In this example, two sites need to connect across the Internet using an IPSec L2L connection between two perimeter routers.
For this example, the IPSec policies are as follows:
Peers: 192.1.1.1 and 200.1.1.1
ISAKMP/IKE policy: 3DES for encryption, SHA for packet authentication, DH group 2 keys, lifetime of 1 hour
Protected traffic: anything between 192.168.1.0/24 and 192.168.2.0/24
Connection method: tunnel
Data transforms: ESP 3DES encryption and ESP SHA packet authentication
Example 19-15 shows RouterA's configuration.
RouterA(config)# access-list 100 permit udp host 200.1.1.1 host 192.1.1.1 eq isakmp   (1)
RouterA(config)# access-list 100 permit esp host 200.1.1.1 host 192.1.1.1
RouterA(config)# remark <--include other ACL statements for ACL 100-->
RouterA(config)# crypto isakmp policy 10   (2)
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption 3des
RouterA(config-isakmp)# group 2
RouterA(config-isakmp)# lifetime 3600
RouterA(config-isakmp)# exit
RouterA(config)# crypto isakmp key 123RouterL2L address 200.1.1.1   (3)
RouterA(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255   (4)
RouterA(config)# crypto ipsec transform-set RouterBtransform esp-sha-hmac esp-3des   (5)
RouterA(config)# crypto map IPSECMAP 100 ipsec-isakmp   (6)
RouterA(config-crypto-map)# match address 101
RouterA(config-crypto-map)# set peer 200.1.1.1
RouterA(config-crypto-map)# set transform-set RouterBtransform
RouterA(config-crypto-map)# exit
RouterA(config)# access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255   (7)
RouterA(config)# access-list 102 permit ip 192.168.1.0 0.0.0.255 any
RouterA(config)# ip nat inside source list 102 interface Ethernet1 overload   (8)
RouterA(config)# interface ethernet0
RouterA(config-if)# ip nat inside
RouterA(config-if)# exit
RouterA(config)# interface ethernet1   (9)
RouterA(config-if)# ip nat outside
RouterA(config-if)# ip access-group 100 in
RouterA(config-if)# ip address 192.1.1.1
RouterA(config-if)# crypto map IPSECMAP
The following is a brief explanation of RouterA's configuration in Example 19-15, with reference to the numbering on the right side:
1. ACL 100 allows ISAKMP/IKE (UDP port 500, the isakmp keyword) and ESP (IP protocol 50) traffic between the two routers. Because the ACL is applied inbound on RouterA's outside interface, the source is the remote peer (200.1.1.1) and the destination is RouterA itself (192.1.1.1); the copy on RouterB must have the two addresses reversed. You need to add many more statements to this ACL to allow the other types of connections the router should accept.
2. ISAKMP policy 10 defines the parameters used to secure the IKE Phase 1 management connection: preshared keys for authentication, 3DES for encryption, DH group 2, and a 3600-second (1 hour) lifetime. SHA is the default hash in IOS, so no hash command is needed to meet the policy.
3. Because preshared keys are used for device authentication, the crypto isakmp key command specifies the key and the peer address it is valid for; the key value must match the one configured on RouterB.
4. ACL 101 is the crypto ACL, specifying that traffic between 192.168.1.0/24 and 192.168.2.0/24 should be protected.
5. The transform set RouterBtransform protects the IKE Phase 2 data connections with ESP: SHA-HMAC for packet authentication and 3DES for encryption. Tunnel mode is the default for a transform set, which is the connection method the policy calls for.
6. There is only one entry in the crypto map, sequence 100. This entry specifies the traffic to be protected (ACL 101), the remote peer (200.1.1.1), and the transform set used to protect the traffic (RouterBtransform).
7. ACL 102 specifies when address translation is to be performed. Traffic between 192.168.1.0/24 and 192.168.2.0/24 is denied (not translated), so it keeps its private addresses and still matches crypto ACL 101; traffic from 192.168.1.0/24 to any other Internet destination is permitted (translated). The deny must come first: inside-to-outside NAT is performed before the crypto map is checked, so if the permit were listed first the site-to-site traffic would be translated and would never match ACL 101.
8. PAT (the overload keyword) translates the traffic matched by ACL 102 to the address of interface Ethernet1.
9. On the outside interface, the protection ACL (100) is applied inbound and the crypto map (IPSECMAP) is activated.
Example 19-16 shows RouterB's configuration.
RouterB(config)# access-list 100 permit udp host 192.1.1.1 host 200.1.1.1 eq isakmp
RouterB(config)# access-list 100 permit esp host 192.1.1.1 host 200.1.1.1
RouterB(config)# remark <--include other ACL statements for ACL 100-->
RouterB(config)# crypto isakmp policy 10
RouterB(config-isakmp)# authentication pre-share
RouterB(config-isakmp)# encryption 3des
RouterB(config-isakmp)# group 2
RouterB(config-isakmp)# lifetime 3600
RouterB(config-isakmp)# exit
RouterB(config)# crypto isakmp key 123RouterL2L address 192.1.1.1
RouterB(config)# access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
RouterB(config)# crypto ipsec transform-set RouterAtransform esp-sha-hmac esp-3des
RouterB(config)# crypto map IPSECMAP 100 ipsec-isakmp
RouterB(config-crypto-map)# match address 101
RouterB(config-crypto-map)# set peer 192.1.1.1
RouterB(config-crypto-map)# set transform-set RouterAtransform
RouterB(config-crypto-map)# exit
RouterB(config)# access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
RouterB(config)# access-list 102 permit ip 192.168.2.0 0.0.0.255 any
RouterB(config)# ip nat inside source list 102 interface Ethernet1 overload
RouterB(config)# interface ethernet0
RouterB(config-if)# ip nat inside
RouterB(config-if)# exit
RouterB(config)# interface ethernet1
RouterB(config-if)# ip nat outside
RouterB(config-if)# ip access-group 100 in
RouterB(config-if)# ip address 200.1.1.1
RouterB(config-if)# crypto map IPSECMAP
As you can see, RouterB's configuration is the mirror image of RouterA's: the peer address, the address the preshared key is bound to, and the source and destination networks in the crypto ACL (101) and the NAT ACL (102) are swapped, while the key value, the ISAKMP policy and the transform-set contents are identical. Pay particular attention to the direction of ACL 100: it is applied inbound on RouterB's outside interface, so it must permit ISAKMP and ESP from 192.1.1.1 to 200.1.1.1, the reverse of the entries on RouterA. Copying RouterA's ACL 100 to RouterB unchanged is a common mistake, and the result is a tunnel that never comes up because RouterB drops RouterA's IKE packets at the interface.
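The two configurations only work if they mirror each other exactly, and a single reversed address pair is enough to produce a tunnel that never establishes. The following Python script is an added example, not part of the book's configuration or of any Cisco tool: it parses the handful of IOS commands used in Examples 19-15 and 19-16 from constructed copies of the two configurations (ROUTER_A and ROUTER_B are built from the example; ROUTER_B_BROKEN deliberately copies RouterA's ACL 100 without swapping the addresses) and checks the properties the explanation above lists: the crypto map's peer, the preshared key, the transform set, the mirror relationship between the two crypto ACLs, the direction of the inbound interface ACL, and that the NAT ACL denies the protected traffic before any permit would translate it. The function and dictionary names are my own.

```python
import re

# Constructed from the two example configurations (not a device capture); only the commands the checks use are included.
ROUTER_A = """
access-list 100 permit udp host 200.1.1.1 host 192.1.1.1 eq isakmp
access-list 100 permit esp host 200.1.1.1 host 192.1.1.1
crypto isakmp key 123RouterL2L address 200.1.1.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto ipsec transform-set RouterBtransform esp-sha-hmac esp-3des
crypto map IPSECMAP 100 ipsec-isakmp
 match address 101
 set peer 200.1.1.1
 set transform-set RouterBtransform
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 102 interface Ethernet1 overload
ip access-group 100 in
"""
# RouterB is RouterA with every address pair swapped.
ROUTER_B = """
access-list 100 permit udp host 192.1.1.1 host 200.1.1.1 eq isakmp
access-list 100 permit esp host 192.1.1.1 host 200.1.1.1
crypto isakmp key 123RouterL2L address 192.1.1.1
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto ipsec transform-set RouterAtransform esp-sha-hmac esp-3des
crypto map IPSECMAP 100 ipsec-isakmp
 match address 101
 set peer 192.1.1.1
 set transform-set RouterAtransform
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 102 interface Ethernet1 overload
ip access-group 100 in
"""
# Broken RouterB: ACL 100 pasted from RouterA without swapping the addresses, so its
# inbound ACL drops the IKE and ESP packets that RouterA sends to it.
ROUTER_B_BROKEN = ROUTER_B.replace("host 192.1.1.1 host 200.1.1.1",
                                   "host 200.1.1.1 host 192.1.1.1")

def parse_config(text):
    """Pull out ACLs, pre-shared keys, transform sets, crypto-map settings and ACL bindings."""
    cfg = {"acls": {}, "psk": {}, "ts": {}, "map": {}, "nat_acl": None, "in_acl": None}
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := re.match(r"access-list (\d+) (permit|deny) (\S+) (.+)", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], tuple(m[4].split())))
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["psk"][m[2]] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["ts"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"(match address|set peer|set transform-set) (\S+)", line):
            cfg["map"][m[1]] = m[2]
        elif m := re.match(r"ip nat inside source list (\d+)", line):
            cfg["nat_acl"] = m[1]
        elif m := re.match(r"ip access-group (\d+) in", line):
            cfg["in_acl"] = m[1]
    return cfg

def check_side(name, cfg, my_ip, peer, peer_ip):
    """List the ways cfg fails to mirror peer; an empty list means this side is consistent."""
    flows = lambda c: {f for a, p, f in c["acls"].get(c["map"].get("match address"), [])
                       if (a, p) == ("permit", "ip")}  # (src, wc, dst, wc) of the crypto ACL
    problems = []
    if cfg["map"].get("set peer") != peer_ip:
        problems.append(f"{name}: crypto map peer is not {peer_ip}")
    # Phase 1: the key is stored under the peer's address and must equal the peer's copy.
    key = cfg["psk"].get(peer_ip)
    if key is None or key != peer["psk"].get(my_ip):
        problems.append(f"{name}: pre-shared key missing or differs from the peer's")
    # Phase 2: the transform set named in the crypto map must exist and equal the peer's.
    ts = cfg["ts"].get(cfg["map"].get("set transform-set"))
    if ts is None or ts != peer["ts"].get(peer["map"].get("set transform-set")):
        problems.append(f"{name}: transform set undefined or differs from the peer's")
    # The crypto ACL must be the exact mirror image of the peer's crypto ACL.
    mine, theirs = flows(cfg), flows(peer)
    if mine != {(d, dw, s, sw) for s, sw, d, dw in theirs}:
        problems.append(f"{name}: crypto ACL is not the mirror of the peer's")
    # The interface ACL is evaluated inbound: source is the peer, destination is this router.
    inbound = cfg["acls"].get(cfg["in_acl"], [])
    for want in (("permit", "udp", ("host", peer_ip, "host", my_ip, "eq", "isakmp")),
                 ("permit", "esp", ("host", peer_ip, "host", my_ip))):
        if want not in inbound:
            problems.append(f"{name}: inbound ACL lacks {want[1]} from {peer_ip} to {my_ip}")
    # NAT ACL: each protected flow must hit a deny before a permit on the same source would translate it.
    for s, sw, d, dw in mine:
        for action, _, f in cfg["acls"].get(cfg["nat_acl"], []):
            if action == "deny" and f == (s, sw, d, dw):
                break
            if action == "permit" and f[:2] == (s, sw):
                problems.append(f"{name}: NAT ACL translates {s} to {d} before denying it")
                break
        else:
            problems.append(f"{name}: NAT ACL never exempts {s} to {d}")
    return problems

def check_pair(a_text, a_ip, b_text, b_ip):
    """Check both routers against each other; returns all findings, A's first."""
    a, b = parse_config(a_text), parse_config(b_text)
    return check_side("A", a, a_ip, b, b_ip) + check_side("B", b, b_ip, a, a_ip)
```

check_pair(ROUTER_A, "192.1.1.1", ROUTER_B, "200.1.1.1") returns an empty list; substituting ROUTER_B_BROKEN returns two findings, both about RouterB's inbound ACL, which is exactly the symptom of a copied-but-not-swapped ACL 100. The parser deliberately covers only the commands in this example; real configurations with interface sections, named ACLs or object groups would need a fuller parser, and the NAT check is a simplification that matches a permit only when its source network and wildcard equal the protected flow's.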
NOTE
If you have static translations, you need to use route maps and possibly loopback interfaces to resolve address-translation issues with the VPN. An example of this can be found at http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml.