What is IPsec?

IPsec VPN (internet protocol security) is a protocol or method to encrypt the traffic between two branches or sites. It is used to secure the traffic over an untrusted network, and we can understand by its name that it provides security of INSIDE network IPs.

It provides Confidentiality, Integrity, and Authentication over the network.

What is VPN?

It stands for Virtual Private Network. it is used to connect two private networks of different locations or sites over in a public network.  It implements by IPsec for connecting two sites.

What is IKE (IKEV1 and IKEV2)?

It stands for Internet Key Exchange. IKE is a protocol that is used to set up the keys for negotiating the IPsec VPN. IPsec uses IKE for creating a virtual tunnel between two sites

IKE has 2 versions. We will use IKEV1 for IPSEC VPN.

The Process to Configure site-to-site IPsec VPN

We have two branches (Branch 1 and Branch 2) and we have to protect traffic over the ISP of branches.

Configuration on Branch1 ASA (firewall):-

Step 1:-  Create Crypto Ikev1 Policy
  • In this step, we will configure the HAGLE information.
  • Hash, authentication, group, encryption must be the same on both sides.

              ASA1(config)# crypto ikev1 policy 10

              ASA1(config-ikev1-policy)# hash sha

              ASA1(config-ikev1-policy)# authentication pre-share

              ASA1(config-ikev1-policy)# group 2

              ASA1(config-ikev1-policy)# lifetime 86400

              ASA1(config-ikev1-policy)# encryption 3des

Step 2:- Create A Tunnel-Group To Specify A Pre-Shared Key For Peer.
  • The pre-shared key should be the same on both sides
  • To create a tunnel group, there are two steps :
  • Create tunnel-group

               ASA1(config)# tunnel-group type IPsec-l2l

  • Specify pre-shared key in tunnel-group

               ASA1(config)# tunnel-group IPsec-attributes

               ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key cisco

Step 3:- Create IPsec Transform-Set

               ASA1(config)# crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac

Step 4:- Define Interesting Traffic ACCESS-LIST
  • Traffic which we want to secure via VPN that is Interesting traffic ( and

               ASA1(config)# access-list VPN-ACL permit Ip host host

Step 5:- Create A Crypto Map
  • It is used to create a particular list of VPN ACCESS-LIST, TRANSFORM-SET, and PEER IP.

               ASA1(config)# crypto map CMAP 10 set peer

               ASA1(config)# crypto map CMAP 10 set ikev1 transform-set TSET

               ASA1(config)# crypto map CMAP 10 match address VPN-ACL

Step 6:- Enable IKEV1 And Apply Crypto Map On The Interface

               ASA1(config)# crypto map CMAP interface outside

               ASA1(config)# crypto ikev1 enable outside

Step 7:- Apply Same Steps For Branch 2 ASA Device
  • Ip addresses will not same. Make sure to use the correct IP addresses for Branch2 ASA.

The complete configuration of Branch2 ASA is here.

Zindagi Technologies has proven of an expert in the field of configuring Remote VPN, Site to Site VPN, Plain GRE, or MPLS VPN, VPN deployments. If you want to use VPN on your sites and to provide remote services to your users then you can avail of this service from us. Not just this, but there are many more services like data center services, cloud solutions, managed IT services, IT Consultant, Network infrastructure, cryptography, AI, IT security, and cyber security. We are the top IT consulting company in Delhi and you can contact us. We have our doors open to receive any solution requirements. You can reach out to us at +919773973971.

Vijay Kumar
Associate Consultant

Comments (4)

  1. jatin hirdyani
    January 28, 2022

    u r so nicely going to ur work congrats 💓

  2. Cisco-Lord123
    June 29, 2023

    Nice Guide! Direct to the point! keep up the good work!

  3. Tobias Ndlovu
    July 16, 2023

    You are the best🙏 thank you so much

  4. Sandeep Balayan
    August 8, 2023

    NONAT or UNAT is not configured here . IPSEC tunnel traffic should not be Natted so we need to specify this issue .

Leave a comment