Steps to configure an IPSEC site to site VPN on a Cisco IOS device (GNS3 Lab)

Just some short notes on basic IOS VPNs, using the topology below as an example. All the configuration examples are for the router Lefty. Grab the GNS3 .net file and initial configs [HERE] if you want to try it yourself.


VPN Topology

The following five steps need to be configured in order to create an IPSEC VPN on a Cisco IOS device.

Step 1. ISAKMP policy – Configure the parameters that will be used for the IKE phase 1 tunnel
Step 2. Transform Set – Configure the parameters that will be used for the IKE phase 2 tunnel (aka the IPSEC tunnel)
Step 3. ACL – Create an ACL to define what “interesting” traffic will be sent over the VPN
Step 4. Crypto Map – Tie the previous parameters together in a crypto map
Step 5. Apply – Apply the crypto map to an interface


Step 1. – ISAKMP

Lefty#conf t
Lefty(config)#crypto isakmp enable
Lefty(config)#crypto isakmp policy 10
Lefty(config-isakmp)#authentication pre-share
Lefty(config-isakmp)#hash sha
Lefty(config-isakmp)#encryption aes 256
Lefty(config-isakmp)#group 5
Lefty(config-isakmp)#lifetime 3600
Lefty(config)#crypto isakmp key 0 SuperS3cure address
Lefty(config)#crypto isakmp keepalive 10 2 periodic

First off we enter config mode and then enable ISAKMP; it is enabled by default, so this step probably won't be needed. The policy number is quite important: when the router tries to negotiate an acceptable phase 1 policy it always starts with the lowest-numbered policy and works up in order until a negotiation succeeds (using 10 leaves some room for growth if needed).

Now we configure the authentication method. Acceptable options are pre-shared key, RSA-Sig and RSA-Encr. For simplicity we’ll use PSK at the moment. I’ll do another post soon to explain the other options.

Next is the hash method to be used. Options are MD5 and SHA-1 (SHA-1 is the default).

Now we configure the encryption algorithm we want to use. In order of strength: AES 256, AES 192, AES 128, 3DES, DES (DES is the default if nothing is explicitly configured).

Group <number> configures the modulus size of the Diffie-Hellman key exchange. (Group 5 isn't supported on all versions of IOS!)

Group   Description
1       The 768-bit Diffie-Hellman group.
2       The 1024-bit Diffie-Hellman group.
5       The 1536-bit Diffie-Hellman group.

(Group 1 is the default)

Lifetime is the time in seconds that the Security Association (SA) remains valid. 3600 = 1 hour (86400, i.e. 1 day, is the default).

Since we configured pre-shared key authentication we need to configure the key on a per-peer basis in global configuration mode.

To demonstrate dead peer detection (DPD) we set it to send keepalives every 10s, and then every 2s once a keepalive fails. The default is to send keepalives on demand rather than periodically as we have configured here.

Verify configuration with “show crypto isakmp policy”

Step 2. – Transform Set

Lefty#conf t
Lefty(config)#crypto ipsec transform-set MYTSETNAME esp-aes 256 esp-sha-hmac
Lefty(cfg-crypto-trans)#mode tunnel

We configure IPSEC tunnel mode using 256-bit AES encryption and SHA-1 HMAC.
The various other options are:

Lefty(config)#crypto ipsec transform-set MYTSETNAME ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth

Verify with “show crypto ipsec transform-set”

Step 3. – ACL

Lefty#conf t
Lefty(config)#access-list 101 permit ip

Straightforward extended ACL config to define the “interesting” traffic that will be secured via the VPN.

Step 4. – Crypto Map

Lefty#conf t
Lefty(config)#crypto map LEFTY_TO_RIGHTY 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Lefty(config-crypto-map)#set peer
Lefty(config-crypto-map)#match address 101
Lefty(config-crypto-map)#set transform-set MYTSETNAME

We configure the IP or hostname of the opposite end of the tunnel with set peer, then the “interesting” traffic with the match command, and finally the transform set to be used.
Verify with “show crypto map”

Step 5. – Apply

Lefty#conf t
Lefty(config)#int fastEthernet 1/0
Lefty(config-if)#crypto map LEFTY_TO_RIGHTY
Lefty(config)#ip route

Apply the configured crypto map to the outgoing interface. The static route is needed to point traffic at the router on the other end of the VPN tunnel.
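As an added example that is not part of the original post, the following Python script reads an IOS running-config and checks that the five pieces above are present and tied together (the crypto map names an existing ACL and transform set, has a peer, and is applied to an interface), and flags the weak phase 1 choices mentioned above, including the DES and group 1 defaults that apply when nothing is set. The sample config and its addresses are constructed for this example, and the parser expects running-config syntax (encr rather than encryption).

```python
# Hypothetical running-config modelled on the Lefty example; the addresses are placeholders for this sample.
SAMPLE_CONFIG = """
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto ipsec transform-set MYTSETNAME esp-aes 256 esp-sha-hmac
crypto map LEFTY_TO_RIGHTY 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set MYTSETNAME
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
interface FastEthernet1/0
 crypto map LEFTY_TO_RIGHTY
"""
# IKE phase 1 settings worth flagging: the weakest cipher/hash choices and the small DH groups.
WEAK_IKE = {"encr des": "DES", "encr 3des": "3DES", "hash md5": "MD5", "group 1": "DH group 1", "group 2": "DH group 2"}

def parse_blocks(config):
    """Group an IOS config into (command, [indented sub-commands]) pairs."""
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" "):  # an indented line belongs to the preceding command
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(config):
    """Return sorted findings; an empty list means the five steps are present and consistent."""
    blocks = parse_blocks(config)
    tsets = {h.split()[3] for h, _ in blocks if h.startswith("crypto ipsec transform-set")}
    acls = {h.split()[1] for h, _ in blocks if h.startswith("access-list")}
    applied = {s.split()[2] for h, b in blocks if h.startswith("interface") for s in b if s.startswith("crypto map ")}
    findings = []
    for head, body in blocks:
        if head.startswith("crypto isakmp policy"):
            # IOS offers the lowest-numbered policy first, so a weak low-numbered policy wins the negotiation.
            findings += [f"{head}: weak {why}" for cmd, why in WEAK_IKE.items() if cmd in body]
            for prefix, default in (("encr", "DES"), ("group", "group 1")):
                if not any(s.startswith(prefix) for s in body):
                    findings.append(f"{head}: no {prefix} set, IOS default is {default}")
        elif head.startswith("crypto map") and head.endswith("ipsec-isakmp"):
            if not any(s.startswith("set peer") for s in body):
                findings.append(f"{head}: no peer set, map stays disabled")
            refs = {s.split()[2] for s in body if s.startswith("match address")} - acls
            refs |= {s.split()[2] for s in body if s.startswith("set transform-set")} - tsets
            findings += [f"{head}: references undefined {r}" for r in sorted(refs)]
            if head.split()[2] not in applied:
                findings.append(f"{head}: not applied to any interface")
    return sorted(findings)
```

Run audit() over the output of show running-config from a real box; a clean result means the map is wired up, not that the tunnel is up, so still check show crypto isakmp sa afterwards.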


The easiest way to test is by using an extended ping. Here we use the fa 1/1 interface on Lefty as the source to ping the address on the Righty router.

Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms

The ping has now set up the VPN because it matched the “interesting” traffic (the first ping is lost while the VPN is being created). We can verify with “show crypto engine connections active”.

Lefty#show crypto engine connections active
Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec AES256+SHA 0 4
2 Fa0/0 IPsec AES256+SHA 4 0
1001 Fa0/0 IKE SHA+AES256 0 0

You can see we have one IKE connection and one IPSEC SA for each direction (one encrypting, one decrypting).

m00nie 🙂


  • It’s amazing… I had this as a project at work and your five steps made it incredibly easy to understand and implement. Thank you.

  • This is so simple the way you present it. Will this also work in the case where, say, Lefty has a static IP address, but Righty does not? Can I configure the step with the IP address of the peer using a wildcard value? Or do I have to use some other VPN configuration? I have a Cisco 2901 and a Cisco 800. Thanks so much.

  • Hi m00nie

    Very nice job. I have a question: in step 5 you apply “crypto map” to interface fastEthernet 0/0, but in your picture there are only interfaces f1/0 and f1/0. Is it a mistake?

    Thanks in advance

  • Hi Roberto

    Glad it was of some use 🙂 It was my typo, so thanks for pointing it out. I’ve fixed it now.


  • Hi m00nie,

    Nicely presented the concept.
    Can you share your understanding of the inner communication (handshakes) that happens in IKE phase 1 and IKE phase 2?

    Thanks in Advance

  • In case of NAT:
    1. Do not allow the VPN traffic out of the NAT.
    2. Allow all the rest from the LAN.
    3. Activate the NAT…

    Lefty(config)#access-list 111 deny ip
    Lefty(config)#access-list 111 permit ip any
    Lefty(config)#ip nat inside source list 111 interface Dialer0 overload

    hope it will help.

  • ❓ I have tried this lab because the ones I created to learn site-to-site VPN were not working.

    I’m getting the same problem here. I’m in GNS3 using and I opened the files supplied and entered the configuration shown here exactly. The phase 1 ISAKMP process never completes. Using Wireshark, I never see an ISAKMP packet leave the interface.

    debugs show only this when reapplying crypto map
    ISAKMP: callback: no SA found for [vrf 0]

    Anyone else have this problem, or know how or why this might happen? (i can send configs but I’ve combed thru them for days and done it from scratch three times plus copying this lab.)

    Super stuck.

  • How do I make this work on a c2901 router…the crypto isakmp command is not recognized

  • Hi Elijah

    I’d guess it’s an image limitation. Probably best to check the Cisco Feature Navigator to check your image.


  • please tell me the protocol ip in testing and verifying section and how to get the value of average packet loss and jitter value….

  • Hi Pankaj

    I’m not too sure what you mean? “Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms” is just the output from the extended ping on the router.


  • Like the article, but I am not sure it works, if I just use:

    ip route
    access-list 101 permit ip

    on right, and the opposite on left, I can ping across it. Makes sense, I allowed access and created a static route, but what is the benefit of the VPN in this case?

  • hey m00nie, great job on the IPSEC VPN info.
    You’ve laid it out plain and simple. The concepts here are easy to understand and easy to remember.
    Thanks again mate, appreciate your time and effort put into this. Regards.

  • Hello m00nie

    Thank you for putting this together.

    I have tried this in the lab and it does not seem to work.

    Can you please upload the finished config for GNS3. that would be really help.
    many thanks
    Upen Desai

  • Configured as mentioned in the scenario. Connected two PCs using VPCS in GNS3 and applied IPs with Lefty and f0/0 and for Righty likewise.

    But the following shown , which ip must i mention there?

    Source address or interface:
    % Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)

  • Hello friends,

    I need to establish Ipsec tunnel for my client.
    I have 2 links primary and secondary at both side.
    Protocol would be BGP. How can I make an IPsec tunnel fail over when the primary link fails? Please help me with the scenario & config.

  • Hi there. I have got a problem. When I want to configure the VPN configuration on a 3600 router, it does not accept the crypto command. How can I solve this problem? Thanks

  • Hi Sumon

    Give it a try? 🙂 You will need a static route to get the tunnel built, but after that you can run an IGP through the tunnel.


  • Chief M00nie,

    Very good work here, I commend your effort. Apologies for stepping on your blog but, I do not think you need a static route, unless you are using GNS routers to emulate the 2 PCs connected to Lefty and Righty. If this is not the case, any IGP configured on the two routers should provide you with end-to-end reachability. Once this is achieved, then you can apply your IPsec VPN configuration on both devices, and packets matched by the ACL “should” be encrypted as they pass through the Lefty and Righty link.

    My two cents.

  • Hi address-family

    The idea of the lab is that the internet is in between the two remote routers, so an IGP wouldn’t really work 🙂


  • Hi, what is the IOS image and version used in this lab? I want to try it on GNS3 and this IOS image doesn’t work – (C3745-ADVENTERPRISEK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)


  • Hi Moonie ,

    I need a little help on my config. It doesn’t WORK 🙁

    R2#sh crypto map
    Crypto Map “S2toS1” 10 ipsec-isakmp
    Peer =
    Extended IP access list 101
    access-list 101 permit ip
    Current peer:
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
    Interfaces using crypto map S2toS1:


    R1#sh crypto map
    Crypto Map “S1toS2” 10 ipsec-isakmp
    Peer =
    Extended IP access list 101
    access-list 101 permit ip
    Current peer:
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
    Interfaces using crypto map S1toS2:


    R1 – Fa0/0 – Fa0/0 – R2

  • Thanks for making this lab. It was very helpful! I got it to work using the instructions, but when I ping from PC to PC I don’t see the tunnel form and I can still ping? When I ping from lefty using the PC’s address as the source. The tunnel forms and I can see the debug statements in the log. Why doesn’t the tunnel form when pinging from the PC?

  • Hi Fred

    I’m not too sure what you mean by the description you’ve given. How were you pinging from the router using the PC’s IP? What are the addresses you have used on each of the test hosts, and can they ping their own gateways?


  • Hello, Thank you very much for providing us this useful solution. Would you please send me a solution for another scenario ? which is . one core router in HO 3 other routers in different branch and doing VPN on It. I would be very pleased if you email me this solution in my email :… You can also send this soln to me on packet tracer. Thank you.

  • Hi Wajid

    Yes you’ll need to configure righty too. The config snippets are just an example and hopefully help you see what would be needed for righty 🙂


  • I was searching all over the internet for an easy and well explained example of VPN and your post made it so much easier to understand! Thanks a lot!!!

  • Hi Larry

    I kept NAT away from the lab since it’s really just to show the IPSEC config as simply as possible 🙂


  • can somebody please verify the last step for me
    Step 5. – Apply
    Lefty#conf t
    Lefty(config)#int fastEthernet 1/0
    Lefty(config-if)#crypto map LEFTY_TO_RIGHTY
    Lefty(config)#ip route

    Lefty(config)#ip route I’m getting % Invalid input detected at ‘^’ marker.

  • Hi Charles

    It’s a little bit tough to say from the format of your post, but it looks like you may already have the static route configured? What’s the output from show run | i ip route?


  • I was searching all around for an easy way to setup ipsec site to site VPN. And I finally found your blog, I will go through this. Thanks for sharing

  • Hi. I’ve got this error.

    While pinging, when prompted for the Source address or interface, it shows the error message ” Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)” when the input is

    Pl help.
    Thanks in adv.

  • Hi. I’ve encountered this problem.

    Source address or interface:
    % Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)

    Help please?
    Thanks in adv m00nie.
