{"id":1,"date":"2023-08-12T17:24:51","date_gmt":"2023-08-12T17:24:51","guid":{"rendered":"http:\/\/www.netasic.com\/?p=1"},"modified":"2026-05-18T15:29:24","modified_gmt":"2026-05-18T15:29:24","slug":"ipsec-vpn-deployment-using-crypto-maps","status":"publish","type":"post","link":"https:\/\/www.netasic.com\/index.php\/2023\/08\/12\/ipsec-vpn-deployment-using-crypto-maps\/","title":{"rendered":"IPSec VPN Deployment using Crypto Maps"},"content":{"rendered":"\r\n<ul>\r\n<li>\r\n<h2>The configuration of IPSec with crypto maps can be accomplished in the following six steps:<\/h2>\r\n<\/li>\r\n<\/ul>\r\n<ol>\r\n<li><strong>Configure the crypto ISAKMP policy<\/strong><\/li>\r\n<li><strong>Configure the pre-shared key for the peer<\/strong><\/li>\r\n<li><strong>Configure the transform set<\/strong><\/li>\r\n<li><strong>Configure the crypto map<\/strong><\/li>\r\n<li><strong>Apply the crypto map to the interface<\/strong><\/li>\r\n<li><strong>Configure the crypto ACL<\/strong><\/li>\r\n<\/ol>\r\n<ul>\r\n<li>\r\n<h2>Below I will provide an example configuration for each step:<\/h2>\r\n<\/li>\r\n<\/ul>\r\n<h4><strong>Configure the crypto ISAKMP policy<\/strong><\/h4>\r\n<pre><span style=\"color: #000080;\">crypto isakmp policy 10<\/span><br \/><span style=\"color: #000080;\">encr aes<\/span><br \/><span style=\"color: #000080;\">hash sha256<\/span><br \/><span style=\"color: #000080;\">authentication pre-share<\/span><br \/><span style=\"color: #000080;\">group 24<\/span><\/pre>\r\n<h4><strong>Configure the pre-shared key for the peer<\/strong><\/h4>\r\n<pre><span style=\"color: #000080;\">crypto isakmp key p@ssw0rd address 200.0.0.2<\/span><\/pre>\r\n<h4><strong>Configure the transform set<\/strong><\/h4>\r\n<pre><span style=\"color: #000080;\">crypto ipsec transform-set ESP_SHA512 esp-aes esp-sha512-hmac <\/span><br \/><span style=\"color: #000080;\">mode tunnel<\/span><\/pre>\r\n<h4><strong>Configure the crypto map<\/strong><\/h4>\r\n<pre><span style=\"color: #000080;\">crypto map crypto_map 10 ipsec-isakmp <\/span><br 
\/><span style=\"color: #000080;\">set peer 200.0.0.2<\/span><br \/><span style=\"color: #000080;\">set transform-set ESP_SHA512 <\/span><br \/><span style=\"color: #000080;\">match address VPN<\/span><\/pre>\r\n<h4><strong>Apply the crypto map to the interface<\/strong><\/h4>\r\n<pre><span style=\"color: #000080;\">interface FastEthernet0\/0<\/span><br \/><span style=\"color: #000080;\">crypto map crypto_map<\/span><\/pre>\r\n<h4><strong>Configure the crypto ACL<\/strong><\/h4>\r\n<pre><span style=\"color: #000080;\">ip access-list extended VPN<\/span><br \/><span style=\"color: #000080;\">10 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255<\/span><\/pre>\r\n<ul>\r\n<li>\r\n<h2>Below is the topology on which router R1 was configured.<\/h2>\r\n<\/li>\r\n<\/ul>\r\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full wp-image-58\" src=\"http:\/\/www.netasic.com\/wp-content\/uploads\/2023\/08\/IPSEC_GNS_03.png\" alt=\"\" width=\"894\" height=\"637\" srcset=\"https:\/\/www.netasic.com\/wp-content\/uploads\/2023\/08\/IPSEC_GNS_03.png 894w, https:\/\/www.netasic.com\/wp-content\/uploads\/2023\/08\/IPSEC_GNS_03-300x214.png 300w, https:\/\/www.netasic.com\/wp-content\/uploads\/2023\/08\/IPSEC_GNS_03-768x547.png 768w\" sizes=\"(max-width: 894px) 100vw, 894px\" \/><\/p>\r\n<p>A crypto-map-based IPSec tunnel has been configured between routers R1 and R2. 
The ACLs on routers R1 and R2 select the traffic between subnets 192.168.0.0\/24 and 172.16.0.0\/24 that the tunnel must protect; the ACL on R2 is the mirror image of the one on R1.<\/p>\r\n<pre><span style=\"color: #000080;\"><strong>R1#show ip access-lists VPN<\/strong><\/span><br \/><span style=\"color: #000080;\">Extended IP access list VPN<\/span><br \/><span style=\"color: #000080;\">10 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255<\/span><\/pre>\r\n<pre><span style=\"color: #000080;\"><strong>R2#show ip access-lists VPN<\/strong><\/span><br \/><span style=\"color: #000080;\">Extended IP access list VPN<\/span><br \/><span style=\"color: #000080;\">10 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255<\/span><\/pre>\r\n<ul>\r\n<li>\r\n<h2>We can check the configuration by typing:<\/h2>\r\n<\/li>\r\n<\/ul>\r\n<pre><span style=\"color: #000080;\">#<strong>show running-config | section crypto<\/strong><\/span><br \/><span style=\"color: #000080;\">crypto isakmp policy 10<\/span><br \/><span style=\"color: #000080;\">encr aes<\/span><br \/><span style=\"color: #000080;\">hash sha256<\/span><br \/><span style=\"color: #000080;\">authentication pre-share<\/span><br \/><span style=\"color: #000080;\">group 24<\/span><br \/><span style=\"color: #000080;\">crypto isakmp key p@ssw0rd address 200.0.0.2 <\/span><br \/><span style=\"color: #000080;\">crypto ipsec transform-set ESP_SHA512 esp-aes esp-sha512-hmac <\/span><br \/><span style=\"color: #000080;\">mode tunnel<\/span><br \/><span style=\"color: #000080;\">crypto map crypto_map 10 ipsec-isakmp <\/span><br \/><span style=\"color: #000080;\">set peer 200.0.0.2<\/span><br \/><span style=\"color: #000080;\">set transform-set ESP_SHA512 <\/span><br \/><span style=\"color: #000080;\">match address VPN<\/span><\/pre>\r\n<ul>\r\n<li>\r\n<h2>Troubleshooting<\/h2>\r\n<\/li>\r\n<\/ul>\r\n<ol>\r\n<li>show crypto isakmp sa<\/li>\r\n<li>show crypto session<\/li>\r\n<li>show crypto ipsec sa<\/li>\r\n<li>show crypto map<\/li>\r\n<\/ol>\r\n<p>All of the commands below were executed on R1 with properly working 
IPSec.<\/p>\r\n<pre><span style=\"color: #000080;\"><strong>R1#show crypto isakmp sa<\/strong><\/span><br \/><span style=\"color: #000080;\">IPv4 Crypto ISAKMP SA<\/span><br \/><span style=\"color: #000080;\">dst src state conn-id status<\/span><br \/><span style=\"color: #000080;\">200.0.0.2 100.0.0.2 QM_IDLE 1001 ACTIVE<\/span><\/pre>\r\n<pre><span style=\"color: #000080;\"><strong>R1#show crypto session<\/strong> <\/span><br \/><span style=\"color: #000080;\">Crypto session current status<\/span><br \/><br \/><span style=\"color: #000080;\">Interface: FastEthernet0\/0<\/span><br \/><span style=\"color: #000080;\">Session status: UP-ACTIVE <\/span><br \/><span style=\"color: #000080;\">Peer: 200.0.0.2 port 500 <\/span><br \/><span style=\"color: #000080;\">IKEv1 SA: local 100.0.0.2\/500 remote 200.0.0.2\/500 Active <\/span><br \/><span style=\"color: #000080;\">IPSEC FLOW: permit ip 192.168.0.0\/255.255.255.0 172.16.0.0\/255.255.255.0 <\/span><br \/><span style=\"color: #000080;\">Active SAs: 2, origin: crypto map<\/span><\/pre>\r\n<pre><span style=\"color: #000080;\"><strong>R1#show crypto ipsec sa<\/strong><\/span><br \/><br \/><span style=\"color: #000080;\">interface: FastEthernet0\/0<\/span><br \/><span style=\"color: #000080;\">Crypto map tag: crypto_map, local addr 100.0.0.2<\/span><br \/><br \/><span style=\"color: #000080;\">protected vrf: (none)<\/span><br \/><span style=\"color: #000080;\">local ident (addr\/mask\/prot\/port): (192.168.0.0\/255.255.255.0\/0\/0)<\/span><br \/><span style=\"color: #000080;\">remote ident (addr\/mask\/prot\/port): (172.16.0.0\/255.255.255.0\/0\/0)<\/span><br \/><span style=\"color: #000080;\">current_peer 200.0.0.2 port 500<\/span><br \/><span style=\"color: #000080;\">PERMIT, flags={origin_is_acl,}<\/span><br \/><span style=\"color: #000080;\">#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2<\/span><br \/><span style=\"color: #000080;\">#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2<\/span><br \/><span 
style=\"color: #000080;\">#pkts compressed: 0, #pkts decompressed: 0<\/span><br \/><span style=\"color: #000080;\">#pkts not compressed: 0, #pkts compr. failed: 0<\/span><br \/><span style=\"color: #000080;\">#pkts not decompressed: 0, #pkts decompress failed: 0<\/span><br \/><span style=\"color: #000080;\">#send errors 0, #recv errors 0<\/span><br \/><br \/><span style=\"color: #000080;\">local crypto endpt.: 100.0.0.2, remote crypto endpt.: 200.0.0.2<\/span><br \/><span style=\"color: #000080;\">path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0\/0<\/span><br \/><span style=\"color: #000080;\">current outbound spi: 0x3C20819A(1008763290)<\/span><br \/><span style=\"color: #000080;\">PFS (Y\/N): N, DH group: none<\/span><br \/><br \/><span style=\"color: #000080;\">inbound esp sas:<\/span><br \/><span style=\"color: #000080;\">spi: 0x9F65E9CE(2674256334)<\/span><br \/><span style=\"color: #000080;\">transform: esp-aes esp-sha512-hmac ,<\/span><br \/><span style=\"color: #000080;\">in use settings ={Tunnel, }<\/span><br \/><span style=\"color: #000080;\">conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: crypto_map<\/span><br \/><span style=\"color: #000080;\">sa timing: remaining key lifetime (k\/sec): (4297204\/2981)<\/span><br \/><span style=\"color: #000080;\">IV size: 16 bytes<\/span><br \/><span style=\"color: #000080;\">replay detection support: Y<\/span><br \/><span style=\"color: #000080;\">Status: ACTIVE(ACTIVE)<\/span><br \/><br \/><span style=\"color: #000080;\">inbound ah sas:<\/span><br \/><br \/><span style=\"color: #000080;\">inbound pcp sas:<\/span><br \/><br \/><span style=\"color: #000080;\">outbound esp sas:<\/span><br \/><span style=\"color: #000080;\">spi: 0x3C20819A(1008763290)<\/span><br \/><span style=\"color: #000080;\">transform: esp-aes esp-sha512-hmac ,<\/span><br \/><span style=\"color: #000080;\">in use settings ={Tunnel, }<\/span><br \/><span style=\"color: #000080;\">conn id: 2, flow_id: SW:2, sibling_flags 80004040, 
crypto map: crypto_map<\/span><br \/><span style=\"color: #000080;\">sa timing: remaining key lifetime (k\/sec): (4297204\/2981)<\/span><br \/><span style=\"color: #000080;\">IV size: 16 bytes<\/span><br \/><span style=\"color: #000080;\">replay detection support: Y<\/span><br \/><span style=\"color: #000080;\">Status: ACTIVE(ACTIVE)<\/span><br \/><br \/><span style=\"color: #000080;\">outbound ah sas:<\/span><br \/><br \/><span style=\"color: #000080;\">outbound pcp sas:<\/span><\/pre>\r\n<pre><span style=\"color: #000080;\"><strong>R1#show crypto map<\/strong><\/span><br \/><br \/><span style=\"color: #000080;\">Crypto Map IPv4 \"crypto_map\" 10 ipsec-isakmp<\/span><br \/><span style=\"color: #000080;\">Peer = 200.0.0.2<\/span><br \/><span style=\"color: #000080;\">Extended IP access list VPN<\/span><br \/><span style=\"color: #000080;\">  \u00a0 access-list VPN permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255<\/span><br \/><span style=\"color: #000080;\">Current peer: 200.0.0.2<\/span><br \/><span style=\"color: #000080;\">Security association lifetime: 4608000 kilobytes\/3600 seconds<\/span><br \/><span style=\"color: #000080;\">Responder-Only (Y\/N): N<\/span><br \/><span style=\"color: #000080;\">PFS (Y\/N): N<\/span><br \/><span style=\"color: #000080;\">Transform sets={ <\/span><br \/><span style=\"color: #000080;\">ESP_SHA512:\u00a0 { esp-aes esp-sha512-hmac\u00a0 } , <\/span><br \/><span style=\"color: #000080;\">}<\/span><br \/><span style=\"color: #000080;\">Interfaces using crypto map crypto_map:<\/span><br \/><span style=\"color: #000080;\">FastEthernet0\/0<\/span><br \/><br \/><\/pre>\r\n<p>&nbsp;<\/p>\r\n<p>At the end, we can check the communication between PC1 and PC2. 
Below is the output of the ping and trace commands.<\/p>\r\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-73\" src=\"http:\/\/www.netasic.com\/wp-content\/uploads\/2023\/08\/IPSEC_GNS04.png\" alt=\"\" width=\"971\" height=\"657\" srcset=\"https:\/\/www.netasic.com\/wp-content\/uploads\/2023\/08\/IPSEC_GNS04.png 971w, https:\/\/www.netasic.com\/wp-content\/uploads\/2023\/08\/IPSEC_GNS04-300x203.png 300w, https:\/\/www.netasic.com\/wp-content\/uploads\/2023\/08\/IPSEC_GNS04-768x520.png 768w\" sizes=\"(max-width: 971px) 100vw, 971px\" \/><\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>The configuration of IPSec can be accomplished through the following six steps: Configuration crypto isakmp policy Configuration password for peer Configuration transform-set Configuration crypto map Configuration interface Configuration ACL Below I will provide an example configuration for each step: Configuration &hellip; <a href=\"https:\/\/www.netasic.com\/index.php\/2023\/08\/12\/ipsec-vpn-deployment-using-crypto-maps\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/posts\/1","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/comments?post=1"}],"version-history":[{"count":53,"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/posts\/1\/revisions"}],"predecessor-version":[{"id":345,"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/posts\/1\/revisions\/345"}],"wp:attachment":[{"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/media?parent=1"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/categories?post=1"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.netasic.com\/index.php\/wp-json\/wp\/v2\/tags?post=1"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}