Cisco IPsec Protected Tunnel

The following configures IPsec with AES encryption and SHA hashing on a standard Tunnel.

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

crypto isakmp key [ISAKMP-KEY] address [REMOTE-IP] no-xauth
crypto isakmp keepalive 10

crypto ipsec transform-set ESP-AES-SHA-COMP esp-aes esp-sha-hmac comp-lzs 

crypto ipsec profile [PROFILE-NAME]
 set security-association lifetime seconds 28800
 set transform-set ESP-AES-SHA-COMP 

interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 tunnel source [WAN-INTERFACE]
 tunnel mode ipsec ipv4
 tunnel destination [REMOTE-IP]
 tunnel protection ipsec profile [PROFILE-NAME]

Routes are configured as per the normal ip route command. This configuration has the advantage of not using ACLs to determine routed subnets (‘interesting traffic’) as is the case with GETVPN/crypto map style VPNs, resulting in easier troubleshooting and accurate/complete information when using show ip route.