In the first stage, you need to set ISAKMP IKE policies. The IKE policy is what IPsec uses to build an SA (Security Association). Before that can happen, a shared PSK (pre-shared key) must be created between the two parties, so that the actual encryption keys can be derived from it. The DH (Diffie-Hellman) mechanism is usually used for the key exchange. ISAKMP uses the UDP transport protocol on port 500. An example of a policy configuration (authentication type, encryption and hash algorithm, DH group, and SA lifetime in seconds) can be seen in the following figure.
Additionally, you need to set up the shared PSK so that the parties can authenticate each other. The IP address of the other party is also defined within the same command. The example is shown in the following figure.
The second stage configures the IPsec settings themselves. A set of algorithms for encryption and data integrity, known as a TS (Transform Set), is defined. For example, we use the ESP protocol in combination with the HMAC algorithm SHA-1. The router will only encrypt traffic for which so-called Interesting Traffic has been defined, using a conventional ACL (Access List) firewall rule. The parameters defined in this way are combined in the Crypto Map object, which, together with other parameters such as the address of the other side (generally, multiple peer addresses can be defined) and optional parameters such as the DH group and the IPsec SA lifetime (in seconds), is applied to the appropriate WAN (Wide Area Network) interface. This is evident from the example in the following figure.
Similarly, both IPsec phases must also be configured on the other communicating side (router)!