Cisco VPN Configuration Guide
📌 Types of Cisco VPNs (Must Know)
Site-to-Site IPsec VPN (Branch ↔ Branch / Branch ↔ DC)
Remote Access VPN
  IPsec (Cisco AnyConnect)
  SSL VPN
GRE over IPsec (Advanced)
DMVPN (Conceptual – higher level)
1️⃣ Site-to-Site IPsec VPN (Cisco Router / ASA)
🔹 VPN Phases
Phase             Purpose
Phase 1 (IKE)     Secure channel
Phase 2 (IPsec)   Encrypt data
🔹 Phase 1 – IKE Policy
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
🔹 Pre-Shared Key
crypto isakmp key MYSECRETKEY address 203.0.113.2
🔹 Phase 2 – IPsec Transform Set
crypto ipsec transform-set TS esp-aes esp-sha-hmac
🔹 Define Interesting Traffic (ACL)
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
🔹 Crypto Map
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 110
🔹 Apply Crypto Map to Interface
interface GigabitEthernet0/0
 crypto map VPN-MAP
2️⃣ Remote Access VPN (Cisco AnyConnect – IPsec)
The commands below are the IOS Easy VPN server configuration (IKEv1), which is what the legacy Cisco VPN Client talks to; AnyConnect on IOS uses IKEv2 (FlexVPN) or SSL instead, but the pool / group / user / dynamic-map pattern is the same.
🔹 Create Address Pool
ip local pool VPN-POOL 10.10.10.1 10.10.10.50
🔹 ISAKMP Client Group
crypto isakmp client configuration group RA-VPN
 key VPNKEY
 pool VPN-POOL
🔹 User Authentication
! Local users are only consulted once AAA is on and the crypto map points at these lists
! (VPN-AUTH / VPN-AUTHOR are list names chosen here; any name works if the map references it)
aaa new-model
aaa authentication login VPN-AUTH local
aaa authorization network VPN-AUTHOR local
username vpnuser secret vpnpassword
🔹 Apply Dynamic Crypto Map
crypto dynamic-map DYNMAP 10
 set transform-set TS
! Tie the map to the AAA lists (user login = XAUTH, network authorization = group lookup)
crypto map VPN-MAP client authentication list VPN-AUTH
crypto map VPN-MAP isakmp authorization list VPN-AUTHOR
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 20 ipsec-isakmp dynamic DYNMAP
3️⃣ Cisco ASA Site-to-Site VPN (Very Common)
🔹 IKE Policy
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
group 5 and hash sha (SHA-1) are the legacy values still found on many ASAs; use group 14 and sha256 where the peer supports them.
🔹 Tunnel Group
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key MYSECRETKEY
🔹 Crypto Map
The map references an ACL and a transform set that must exist, and IKEv1 must be enabled on the outside interface; the ACL below reuses the subnets from section 1 and the transform set mirrors the IOS one.
access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec ikev1 transform-set TS esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
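As an added example (not part of this guide), a small Python check that parses the crypto isakmp policy / crypto ikev1 policy blocks shown in sections 1 and 3 out of a running-config dump and flags the legacy values a reviewer looks for: DES/3DES, MD5 or SHA-1 (bare "sha"), and DH groups below 14. The sample config is constructed from this page's two policies.

```python
import re

# Constructed sample: the IOS IKE policy and the ASA IKEv1 policy from this
# guide, one command per line as `show running-config` prints them.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
"""

POLICY_RE = re.compile(r"^crypto (isakmp|ikev1) policy (\d+)\s*$")
# Values a new tunnel should not use: DES/3DES, MD5 and SHA-1 ('hash sha'),
# and MODP DH groups below 2048 bits.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}

def parse_policies(config):
    """Map 'isakmp:10' / 'ikev1:10' to that policy's sub-command values."""
    policies, current = {}, None
    for raw in config.splitlines():
        m = POLICY_RE.match(raw)
        if m:
            current = f"{m.group(1)}:{m.group(2)}"
            policies[current] = {}
        elif raw.startswith(" ") and current is not None:
            key, _, value = raw.strip().partition(" ")
            # IOS says 'encr', ASA says 'encryption'; normalise to one key
            policies[current]["encr" if key == "encryption" else key] = value
        elif raw.strip():
            current = None  # any other top-level command ends the policy block
    return policies

def weak_settings(policy):
    # 'encr aes 256' -> compare on the first token only
    return [f"{k} {v}" for k, v in policy.items()
            if k in WEAK and v.split(" ")[0] in WEAK[k]]

def audit(config):
    # {policy name: [weak parameters]}; an empty list means the policy passes
    return {name: weak_settings(p) for name, p in parse_policies(config).items()}
```

Running audit() over the sample returns nothing for the IOS policy and "hash sha" plus "group 5" for the ASA policy, which is exactly the caveat made on the ASA section above.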
4️⃣ GRE over IPsec (Concept)
✔️ GRE → routing support
✔️ IPsec → encryption
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
On its own this is plain GRE with no encryption: either match the GRE traffic in the crypto ACL of the map already applied to GigabitEthernet0/0 (permit gre host <local-address> host 203.0.113.2) or attach an IPsec profile to Tunnel0 with tunnel protection ipsec profile.