On occasion, I have to setup a site to site vpn on an IOS router. It seems a little odd, but the IOS router will do this just fine, just like an ASA. Commands are different, but not difficult at all. Below, I outline what you need to do to configure an IOS router (1841 in this case) to get the vpn up and running. Nothing special in this, just the basics of getting the vpn up and running.
You wont be able to use a base image. Below, I have an advance security image.
boot system flash:c1841-advsecurityk9-mz.124-3h.bin
Set your domain name on your router.
ip domain name company.com
Here is your Phase I info.
-------- Beginning of Phase I ----------
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key key! address 98.98.98.98 no-xauth <------ No Authentication needed
crypto isakmp keepalive 20 3 periodic
Here is your Phase II info.
------- Phase II -----------------
crypto ipsec transform-set to_remotesite esp-3des esp-md5-hmac
Here is your crypto map for the vpn.
--------- Crypto Map for VPN ----------------
crypto map to_remotesite 5 ipsec-isakmp
set peer 98.98.98.98 <------- Peer address
set transform-set to_remotesite <------ Use this Phase II policy (above)
match address 121 <------ Match this ACL for encryption
Apply the crypto map to your serial interface.
interface Serial0/0/0
ip address 12.94.221.218 255.255.255.252
ip nat outside
crypto map to_remotesite <------- Apply this CryptoMap to Int S0/0/0
Here is your encryption ACL. This says "encrypt across the vpn".
----------- Encryption ACL ---------------------------------
access-list 121 permit ip 192.168.101.0 0.0.0.255 192.168.75.0 0.0.0.255
If you have to "NOT NAT", then you have to tell the router. Below is the config to NAT 192.168.101.0 to any, but NOT NAT 192.168.101.0 to 192.168.75.0. Notice the Deny statement for NOT NAT'ing.
------------------------- No Nat ACL, NAT statement, and Route-map for NO-NAT'ing ----------------------
access-list 104 deny ip 192.168.101.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 104 permit ip 192.168.101.0 0.0.0.255 any
ip nat inside source route-map nonat interface Serial0/0/0 overload
route-map nonat permit 10
match ip address 104
Thats all there is to it. I hope this helps.
