The following describes configurations performed using Cisco IOS.

1. Configure Interfaces and Default Route

interface GigabitEthernet0/0
ip address 10.24.120.90 255.255.252.0
duplex auto
speed auto
crypto map MYVPN
!
interface GigabitEthernet0/1
ip address 172.16.0.1 255.255.0.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.24.123.253

2. Configure IKE Policy

Router# config term
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# group 2
Router(config-isakmp)# hash sha
Router(config-isakmp)# lifetime 28800
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# exit

These values must match a policy on the peer. hash sha is the IOS default and therefore does not appear in the running configuration at the end of this page; the 28800-second lifetime is not the default (86400) and does not appear there either, so confirm the active policy with show crypto isakmp policy. 3DES and DH group 2 are used here to match the example peer; where the peer and the IOS release support them, prefer AES and a larger DH group such as 14.
3. Match Each Peer with Its Pre-Shared Secret

Router# config term
Router(config)# crypto isakmp key vshield address 10.115.199.103
Router(config)# exit

The key (vshield in this example) must be identical on both peers. It appears in cleartext in the running configuration at the end of this page, so use a long random secret in production and protect configuration backups accordingly.
4. Define the IPSEC Transform Set

Router# config term
Router(config)# crypto ipsec transform-set myset esp-3des esp-sha-hmac
Router(cfg-crypto-trans)# exit

The transform set names the ESP cipher (3DES) and integrity algorithm (HMAC-SHA-1) used for the IPsec SAs; the peer must offer a matching proposal.
5. Create the IPSEC Access List

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.5.0 0.0.0.255
Router(config)# exit

This access list selects the traffic to be encrypted: from the local network 172.16.0.0/16 behind GigabitEthernet0/1 to the remote network 192.168.5.0/24. The peer must be configured with the mirror image of this selector, or phase 2 negotiation fails.
6. Bind the Policy with a Crypto Map and Label It

In the following example, the crypto map is labeled MYVPN, the name already applied to GigabitEthernet0/0 in step 1.

Router# config term
Router(config)# crypto map MYVPN 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Router(config-crypto-map)# set transform-set myset
Router(config-crypto-map)# set pfs group1
Router(config-crypto-map)# set peer 10.115.199.103
Router(config-crypto-map)# match address 101
Router(config-crypto-map)# exit

The peer address is the one the pre-shared key was bound to in step 3, and access list 101 is the one created in step 5. set pfs group1 forces a fresh Diffie-Hellman exchange for each IPsec SA using the 768-bit MODP group; the peer must be set to the same PFS group, and a larger group should be used where the peer supports it. Because the map was already applied to GigabitEthernet0/0 in step 1, it becomes active once the peer and access list are entered.
The complete running configuration after these steps follows. The lines enable password cisco, password cisco on the vty lines, no service password-encryption and ip http server are lab defaults captured with it, not part of the VPN configuration, and should not be carried into production.

router2821# show running-config
Building configuration...

Current configuration : 1263 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router2821
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot 0
! card type command needed for slot 1
enable password cisco
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
ip cef
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key vshield address 10.115.199.103
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map MYVPN 1 ipsec-isakmp
set peer 10.115.199.103
set transform-set myset
set pfs group1
match address 101
!
interface GigabitEthernet0/0
ip address 10.24.120.90 255.255.252.0
duplex auto
speed auto
crypto map MYVPN
!
interface GigabitEthernet0/1
ip address 172.16.0.1 255.255.0.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.24.123.253
!
ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.5.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
scheduler allocate 20000 1000
!
end
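
As an added example (not code from the original page, VMware or Cisco), the following Python script parses the running configuration above and performs the checks a reviewer would otherwise do by hand: that the crypto map references a transform set and access list that exist, that its peer has a pre-shared key, that the map is applied to an interface, and that no weak algorithm (DES/3DES, DH group 1 or 2) or short pre-shared key is in use. The sample configuration is embedded as a constructed string, re-indented with the single space IOS prints before sub-commands (the copy above lost that indentation); the 16-character minimum key length is an assumed local policy, not an IOS requirement.

```python
# Added example (not code from the original page, VMware or Cisco): parse a
# Cisco IOS running-config and cross-check its crypto-map IPsec objects.
# Constructed sample: the VPN-relevant lines of the running-config above, with
# the one-space indentation IOS prints before sub-commands.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key vshield address 10.115.199.103
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map MYVPN 1 ipsec-isakmp
 set peer 10.115.199.103
 set transform-set myset
 set pfs group1
 match address 101
!
interface GigabitEthernet0/0
 ip address 10.24.120.90 255.255.252.0
 crypto map MYVPN
!
access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.5.0 0.0.0.255
"""

WEAK_ENCR = {"des", "3des"}                # 64-bit block ciphers
WEAK_DH = {"1", "2", "group1", "group2"}   # 768- and 1024-bit MODP groups
MIN_PSK_LEN = 16                           # assumed local policy, not an IOS limit


def parse_config(text):
    """Collect the objects a crypto-map VPN is built from, keyed by name."""
    cfg = {"isakmp_policies": {}, "isakmp_keys": {}, "transform_sets": {},
           "crypto_maps": {}, "interfaces": {}, "acls": {}}
    block = None                   # dict receiving the open block's sub-commands
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):   # indented: sub-command of the open block
            if block is not None:
                block.setdefault("lines", []).append(line.split())
            continue
        block, words = None, line.split()   # a top-level line closes the block
        if not words or words[0] == "!":
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            block = cfg["isakmp_policies"].setdefault(words[3], {})
        elif words[:3] == ["crypto", "isakmp", "key"]:
            cfg["isakmp_keys"][words[5]] = words[3]      # peer address -> secret
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][words[3]] = words[4:]  # name -> transforms
        elif words[:2] == ["crypto", "map"] and len(words) >= 5:
            block = {"seq": words[3]}
            cfg["crypto_maps"].setdefault(words[2], []).append(block)
        elif words[0] == "interface":
            block = cfg["interfaces"].setdefault(words[1], {})
        elif words[0] == "access-list":
            cfg["acls"].setdefault(words[1], []).append(words[2:])
    return cfg


def sub(block, *prefix):
    """Words after `prefix` in the block's first matching sub-command, else None."""
    for words in block.get("lines", []):
        if words[:len(prefix)] == list(prefix):
            return words[len(prefix):]
    return None


def check_config(cfg):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means clean."""
    out = []
    for num, pol in cfg["isakmp_policies"].items():
        encr = sub(pol, "encr") or sub(pol, "encryption") or ["des"]  # IOS default
        group = sub(pol, "group") or ["1"]                            # IOS default
        if encr[0] in WEAK_ENCR:
            out.append(f"WARN: isakmp policy {num} uses {encr[0]}")
        if group[0] in WEAK_DH:
            out.append(f"WARN: isakmp policy {num} uses DH group {group[0]}")
    for peer, secret in cfg["isakmp_keys"].items():
        if len(secret) < MIN_PSK_LEN:
            out.append(f"WARN: pre-shared key for {peer} is only {len(secret)} characters")
    applied = {sub(i, "crypto", "map")[0]
               for i in cfg["interfaces"].values() if sub(i, "crypto", "map")}
    for name, entries in cfg["crypto_maps"].items():
        if name not in applied:
            out.append(f"ERROR: crypto map {name} is not applied to any interface")
        for e in entries:
            tag = f"crypto map {name} {e['seq']}"
            peer, ts = sub(e, "set", "peer"), sub(e, "set", "transform-set")
            acl, pfs = sub(e, "match", "address"), sub(e, "set", "pfs")
            if peer is None or acl is None:   # the condition behind the % NOTE in step 6
                out.append(f"ERROR: {tag} lacks a peer or match address and stays disabled")
                continue
            if peer[0] not in cfg["isakmp_keys"]:
                out.append(f"ERROR: {tag}: no pre-shared key for peer {peer[0]}")
            if ts is None or ts[0] not in cfg["transform_sets"]:
                out.append(f"ERROR: {tag}: transform-set is missing or undefined")
            else:
                for t in cfg["transform_sets"][ts[0]]:
                    if t.replace("esp-", "", 1) in WEAK_ENCR:
                        out.append(f"WARN: {tag}: transform-set {ts[0]} uses {t}")
            if acl[0] not in cfg["acls"]:
                out.append(f"ERROR: {tag}: access-list {acl[0]} is not defined")
            if pfs and pfs[0] in WEAK_DH:
                out.append(f"WARN: {tag}: PFS {pfs[0]} is weak")
    return out
```

Run against the configuration above, check_config(parse_config(SAMPLE_CONFIG)) reports no errors but five warnings: 3DES in both the IKE policy and the transform set, DH group 2, PFS group1, and the 7-character pre-shared key. Deleting the crypto map MYVPN line under GigabitEthernet0/0, or renumbering the access list so that 101 no longer exists, turns the result into errors, which is what an operator would otherwise discover only from a tunnel that never comes up.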