Knowledge without practice will be forgotten. So here’s my exercise for a site-to-site VPN using two 1841 routers, connected back to back on FastEthernet0/1 over the 192.168.1.0/30 link.
1841-1
ip access-list extended vpn-list
 permit ip any any
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key cisco address 192.168.1.2 255.255.255.252
! The transform-set referenced in the crypto map must exist; this definition is
! not in the original write-up and esp-aes esp-sha-hmac is an assumed choice.
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set myset
 match address vpn-list
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.252
 duplex auto
 speed auto
 crypto map mymap
end
1841-2
access-list 100 permit ip any any
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key cisco address 192.168.1.1 255.255.255.252
! Same assumed transform-set definition as on 1841-1; not in the original write-up.
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set myset
 match address 100
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.252
 duplex auto
 speed auto
 crypto map mymap
end
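As an added check that is not part of the original exercise, the script below parses a pair of IOS configs like the two above and flags the mismatches that most often stop a crypto-map tunnel from coming up: a set peer that is not the other side's interface address, an isakmp key address (with its optional mask) that does not cover the peer, ISAKMP policy attributes that differ, and a transform-set that is referenced but never defined. The sample configs are constructed from this page's two routers, reduced to the crypto lines, with esp-aes esp-sha-hmac assumed for the transform-set.

```python
import ipaddress

def parse(cfg):
    """Pull the fields that must agree between two crypto-map peers."""
    f = {"policy": set(), "defined_ts": set()}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:2] == ["ip", "address"]:
            f["ip"] = t[2]
        elif t[:2] == ["set", "peer"]:
            f["peer"] = t[2]
        elif t[:2] == ["set", "transform-set"]:
            f["ts"] = t[2]
        elif t[:3] == ["crypto", "isakmp", "key"]:  # key KEY address ADDR [MASK]
            f["key"] = t[3]
            mask = t[6] if len(t) > 6 else "255.255.255.255"  # no mask means host
            f["key_net"] = ipaddress.ip_network(f"{t[5]}/{mask}", strict=False)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            f["defined_ts"].add(t[3])
        elif t[0] in ("encr", "hash", "authentication", "group"):
            f["policy"].add(" ".join(t))  # ISAKMP policy attributes
    return f

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for me, other, name in ((a, b, "A"), (b, a, "B")):
        if me.get("peer") != other.get("ip"):
            problems.append(f"{name}: set peer {me.get('peer')} is not the other side's address")
        if ipaddress.ip_address(other["ip"]) not in me["key_net"]:
            problems.append(f"{name}: isakmp key address does not cover the peer")
        if me.get("ts") not in me["defined_ts"]:
            problems.append(f"{name}: transform-set {me.get('ts')} referenced but never defined")
    if a.get("key") != b.get("key"):
        problems.append("pre-shared keys differ")
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy differs: " + ", ".join(sorted(a["policy"] ^ b["policy"])))
    return problems

# Constructed sample: the page's two 1841 configs reduced to the crypto lines (transform-set assumed).
def sample(my_ip, peer_ip, with_ts=True):
    ts = "crypto ipsec transform-set myset esp-aes esp-sha-hmac\n" if with_ts else ""
    return ("crypto isakmp policy 1\n encr aes\n authentication pre-share\n group 5\n"
            f"crypto isakmp key cisco address {peer_ip} 255.255.255.252\n{ts}"
            f"crypto map mymap 1 ipsec-isakmp\n set peer {peer_ip}\n set transform-set myset\n"
            f"interface FastEthernet0/1\n ip address {my_ip} 255.255.255.252\n crypto map mymap\n")
R1 = sample("192.168.1.1", "192.168.1.2")
R2 = sample("192.168.1.2", "192.168.1.1")
R1_NO_TS = sample("192.168.1.1", "192.168.1.2", with_ts=False)  # transform-set left undefined
```

Run it against the real running-configs of both routers before bringing the link up; an empty list from check_pair means the two sides agree on everything the script looks at.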
Verification
Send a ping from 1841-1 to 1841-2, or vice versa. The ping matches the crypto ACL, which triggers IKE negotiation with the peer, and a VPN tunnel is established.
1841-2#sh crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 192.168.1.1 port 500
IKE SA: local 192.168.1.2/500 remote 192.168.1.1/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
There should be two security associations: one is ISAKMP, the other is IPsec.
1841-2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.1     192.168.1.2     QM_IDLE           1002 ACTIVE