
Basic VPN Configuration

1. Create the ISAKMP policy with the HAGLE parameters. Example:
 ■ Hashing: SHA
 ■ Authentication: RSA-Sigs (which require PKI to be used)
 ■ DH group: 5
 ■ Lifetime: 3600 seconds
 ■ Encryption: AES-256
crypto isakmp policy 2
authentication pre-share
encr aes 128
hash md5
group 2
lifetime 21600
exit

2. Create the ISAKMP key
crypto isakmp key cisco123 address 23.0.0.1

3. Create the transform set
crypto ipsec transform-set MY-SET esp-sha-hmac esp-aes 256
mode tunnel
exit

4. Access list
ip access-list extended SDM_1
permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255
exit

5. Create the crypto map that references steps 1, 2, 3 and 4
crypto map SDM_CMAP_1 1 ipsec-isakmp
match address SDM_1
set transform-set MY-SET
set peer 23.0.0.1
exit

6. Apply the crypto map to the interface
interface g1/0
crypto map SDM_CMAP_1
end
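
An added example (not part of the original post): a Python check that reads the configuration from steps 1 to 6 and verifies that everything the crypto map references (access list, transform set, peer key, interface) is actually defined, while flagging weak phase 1 parameters. The WEAK list is this example's own baseline and the CONFIG text is a constructed copy of the commands above.

```python
import re

# Constructed sample: the commands from steps 1-6 pasted as one excerpt.
CONFIG = """\
crypto isakmp policy 2
 authentication pre-share
 encr aes 128
 hash md5
 group 2
 lifetime 21600
crypto isakmp key cisco123 address 23.0.0.1
crypto ipsec transform-set MY-SET esp-sha-hmac esp-aes 256
 mode tunnel
ip access-list extended SDM_1
 permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address SDM_1
 set transform-set MY-SET
 set peer 23.0.0.1
interface g1/0
 crypto map SDM_CMAP_1
"""

# Baseline chosen for this example (an assumption, not from the page).
WEAK = {"hash md5": "MD5 integrity", "group 1": "768-bit DH",
        "group 2": "1024-bit DH", "encr des": "DES", "encr 3des": "3DES"}

def names(pattern, config):
    return set(re.findall(pattern, config, re.M))

def audit(config):
    """Return weak-parameter and dangling-reference findings as strings."""
    lines = [l.strip() for l in config.splitlines()]
    findings = [f"weak: {l} ({WEAK[l]})" for l in lines if l in WEAK]
    acls = names(r"^ip access-list extended (\S+)", config)
    tsets = names(r"^crypto ipsec transform-set (\S+)", config)
    keyed = names(r"^crypto isakmp key \S+ address (\S+)", config)
    maps = names(r"^crypto map (\S+) \d+ ipsec-isakmp", config)
    applied = names(r"^[ \t]*crypto map (\S+)[ \t]*$", config)
    checks = [(r"^[ \t]*match address (\S+)", acls, "access list"),
              (r"^[ \t]*set transform-set (\S+)", tsets, "transform set"),
              (r"^[ \t]*set peer (\S+)", keyed, "pre-shared key for peer")]
    for pattern, defined, what in checks:
        for ref in sorted(names(pattern, config) - defined):
            findings.append(f"missing {what}: {ref}")
    findings += [f"crypto map not applied to an interface: {m}"
                 for m in sorted(maps - applied)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```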

Useful commands for troubleshooting VPNs

show crypto isakmp policy
show crypto map
show crypto isakmp sa detail
show crypto ipsec sa
show crypto engine connections active
