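The following configures IPsec with AES encryption and SHA hashing on a standard tunnel interface:

! IKE phase 1 policy: AES, pre-shared key authentication, DH group 2 (1024-bit MODP).
! Cisco's current guidance is group 14 or higher where both peers support it.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Pre-shared key for the remote peer, with XAUTH disabled for this peer
crypto isakmp key [ISAKMP-KEY] address [REMOTE-IP] no-xauth
! Dead peer detection keepalive every 10 seconds
crypto isakmp keepalive 10
! Phase 2 transform set: ESP with AES, SHA HMAC integrity and LZS compression
crypto ipsec transform-set ESP-AES-SHA-COMP esp-aes esp-sha-hmac comp-lzs
! IPsec profile that is applied to the tunnel interface below
crypto ipsec profile [PROFILE-NAME]
 set security-association lifetime seconds 28800
 set transform-set ESP-AES-SHA-COMP
! Virtual tunnel interface protected by the profile
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 tunnel source [WAN-INTERFACE]
 tunnel mode ipsec ipv4
 tunnel destination [REMOTE-IP]
 tunnel protection ipsec profile [PROFILE-NAME]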
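An added example, not part of the original page, of how traffic selection differs between this tunnel-interface setup and a crypto map: the first part steers two remote subnets into Tunnel0 with static routes, the second shows the ACL and crypto map that would be needed to select the same traffic. The 192.168.x.0/24 subnets, the ACL name VPN-TRAFFIC and the crypto map name CMAP are assumptions chosen for illustration.

```cisco
! --- Route-based (tunnel interface, as configured above) ---
! The routing table decides what is encrypted: anything routed
! out Tunnel0 is protected by the IPsec profile. Adding a remote
! subnet is one route, with no change to the crypto configuration.
ip route 192.168.20.0 255.255.255.0 Tunnel0
ip route 192.168.30.0 255.255.255.0 Tunnel0
!
! --- Policy-based (crypto map) selection of the same traffic ---
! Each local/remote subnet pair needs an ACL entry, and the peer
! must carry the mirror image of this ACL or the security
! associations for that pair will not come up.
! 192.168.10.0/24 is the assumed local subnet.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer [REMOTE-IP]
 set transform-set ESP-AES-SHA-COMP
 match address VPN-TRAFFIC
!
! The crypto map is bound to the WAN interface instead of a tunnel,
! so there is no interface whose counters or routes describe the VPN.
interface [WAN-INTERFACE]
 crypto map CMAP
```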
Routes are configured with the normal ip route command. This configuration
has the advantage of not using ACLs to determine the routed subnets (‘interesting
traffic’), as is the case with GETVPN/crypto map style VPNs, resulting in
easier troubleshooting and accurate/complete information when using