8 Building VPN with IPSec - Examples and Solutions
8.1 Example of an IPSec VPN Configuration on Cisco Devices

In the first stage (IKE phase 1), you need to define the ISAKMP/IKE policies. The IKE policy is what IPsec uses to negotiate a security association (SA). In addition, a pre-shared key (PSK) must be configured identically on both parties; the session encryption keys are derived from it, and the Diffie-Hellman (DH) mechanism is normally used for the key exchange. ISAKMP runs over the UDP transport protocol on port 500. An example of a policy configuration (authentication type, encryption and hash algorithms, DH group, and SA lifetime in seconds) is shown in the following figure.

Figure: Configuration of ISAKMP IKE Policies on a Cisco Router

Additionally, you need to configure the shared PSK so that the parties can authenticate each other. The IP address of the other party (the peer) is specified in the same command. The example is shown in the following figure.

Figure: Configuration of Shared Key PSK on a Cisco Router

The second stage (IKE phase 2) configures the IPsec settings themselves. First, a set of algorithms for encryption and data integrity, known as a transform set (TS), is defined; in this example we use the ESP protocol with the HMAC-SHA-1 integrity algorithm. The router encrypts only the so-called interesting traffic, which is selected with a conventional ACL (access list), the same mechanism used for firewall rules. These parameters are then combined in a crypto map object, together with the address of the other side (generally, multiple peer addresses can be defined) and optional parameters such as the DH group (for perfect forward secrecy) and the IPsec SA lifetime in seconds. Finally, the crypto map is applied to the appropriate WAN (Wide Area Network) interface. All of this is shown in the example in the following figure.

Figure: Configuration of IPsec VPN on a Cisco Router

Both IPsec phases must likewise be configured on the other communicating side (the peer router), with matching parameters!
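The complete procedure described above (ISAKMP policy, PSK, transform set, interesting-traffic ACL, crypto map and its binding to the WAN interface) as a worked configuration for both routers of a site-to-site tunnel. This is an added example and not the configuration from the figures; the topology (LAN 192.168.1.0/24 behind R1 with WAN address 203.0.113.1, LAN 192.168.2.0/24 behind R2 with WAN address 198.51.100.1, WAN interface GigabitEthernet0/0 on both routers) and the names TS, VPN-TRAFFIC and CMAP are assumptions constructed for the example. The PSK is a labelled placeholder that must be replaced by a long random secret identical on both sides.

```cisco
! Added example (not from the original page): site-to-site IPsec VPN between two
! Cisco IOS routers, following the two-stage procedure in the text.
! Assumed topology (constructed for this example):
!   R1 LAN 192.168.1.0/24 - R1 WAN 203.0.113.1 == Internet == R2 WAN 198.51.100.1 - R2 LAN 192.168.2.0/24
!
! ======================== R1 ========================
! Phase 1: ISAKMP/IKE policy - every value must match the peer's policy
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! Phase 1: pre-shared key bound to the peer's WAN address
! <PSK-PLACEHOLDER> stands for a long random secret, identical on both routers
crypto isakmp key <PSK-PLACEHOLDER> address 198.51.100.1
!
! Phase 2: transform set - ESP with AES-256 encryption and HMAC-SHA-1 integrity
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
! Phase 2: "interesting traffic" - only LAN-to-LAN traffic is protected by the tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! Phase 2: crypto map ties peer, transform set, ACL, PFS group and SA lifetime together
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 set pfs group14
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC
! Apply the crypto map to the WAN interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CMAP
!
! ======================== R2 (mirror image of R1) ========================
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <PSK-PLACEHOLDER> address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
! The ACL is mirrored: source and destination networks are swapped relative to R1
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 set pfs group14
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map CMAP
```

After traffic between the two LANs has been generated, the phase 1 and phase 2 SAs can be checked with `show crypto isakmp sa` and `show crypto ipsec sa`; a phase 1 SA that never reaches the QM_IDLE state usually points to mismatched policy values or a PSK/peer-address mismatch, while an established phase 1 SA with no phase 2 SA usually points to a transform-set mismatch or to ACLs that are not exact mirrors of each other. The example keeps HMAC-SHA-1 and IKEv1 to stay consistent with the text; for a new deployment, SHA-256 (`hash sha256` in the ISAKMP policy and `esp-sha256-hmac` in the transform set), a DH group of at least 14 and IKEv2 are the preferred choices.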

Figure: An example topology for the IPsec VPN tasks