Tuesday, December 27, 2011

Cisco Router VPN: Configure an 1841 IOS Router for Site to Site VPN.

On occasion, I have to setup a site to site vpn on an IOS router.  It seems a little odd, but the IOS router will do this just fine, just like an ASA.  Commands are different, but not difficult at all.  Below, I outline what you need to do to configure an IOS router (1841 in this case) to get the vpn up and running.  Nothing special in this, just the basics of getting the vpn up and running.

You wont be able to use a base image.  Below, I have an advance security image.
boot system flash:c1841-advsecurityk9-mz.124-3h.bin

Set your domain name on your router.
ip domain name company.com

Here is your Phase I info.
-------- Beginning of Phase I ----------
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key key! address no-xauth    <------ No Authentication needed
crypto isakmp keepalive 20 3 periodic

Here is your Phase II info.
------- Phase II -----------------
crypto ipsec transform-set to_remotesite esp-3des esp-md5-hmac

Here is your crypto map for the vpn.
--------- Crypto Map for VPN ----------------
crypto map to_remotesite 5 ipsec-isakmp  
 set peer                <------- Peer address
 set transform-set to_remotesite  <------ Use this Phase II policy (above)
 match address 121                 <------ Match this ACL for encryption

Apply the crypto map to your serial interface.
interface Serial0/0/0
 ip address
 ip nat outside
 crypto map to_remotesite       <------- Apply this CryptoMap to Int S0/0/0

Here is your encryption ACL.  This says "encrypt across the vpn".
----------- Encryption ACL ---------------------------------
access-list 121 permit ip

If you have to "NOT NAT", then you have to tell the router.  Below is the config to NAT to any, but NOT NAT to  Notice the Deny statement for NOT NAT'ing.
------------------------- No Nat ACL, NAT statement, and Route-map for NO-NAT'ing ----------------------
access-list 104 deny   ip
access-list 104 permit ip any
ip nat inside source route-map nonat interface Serial0/0/0 overload
route-map nonat permit 10
 match ip address 104

Thats all there is to it.  I hope this helps.