Since ASDM and CCP are mature enough, almost nobody goes to the CLI by choice when configuring a site-to-site VPN. Manual configuration is always handy, though. I found this recipe in my archive from when I was studying for the CCSP... Still pretty neat after 4.5 years.
Documentation:
1. Document your IKE Phase 1 negotiation criteria (example below)
   - Encryption algorithm: AES-128
   - Hashing: SHA-1
   - Authentication: pre-shared
   - Key exchange: Diffie-Hellman Group 2
2. Document your IPSec (IKE Phase 2) negotiation criteria (example below)
   - Encryption algorithm: esp-aes 128
   - Authentication: esp-sha-hmac
Configuring IKE Phase 1:
1. Enable ISAKMP: Router(config)#crypto isakmp enable
2. Create an ISAKMP policy: Router(config)#crypto isakmp policy <1-10000>
   - Router(config)#crypto isakmp policy 10
     - Router(config-isakmp)#encryption aes 128
     - Router(config-isakmp)#authentication pre-share
     - Router(config-isakmp)#group 2
     - Router(config-isakmp)#hash sha
3. Configure the ISAKMP identity: Router(config)#crypto isakmp identity <address | hostname>
4. Configure the pre-shared key for the peer: Router(config)#crypto isakmp key <key> address <peer-ip>
Configuring IKE Phase 2:
1. Create a transform set: Router(config)#crypto ipsec transform-set <name> <transforms>
   - Router(config)#crypto ipsec transform-set L2L-VPN-SET esp-aes 128 esp-sha-hmac
2. (optional) Configure the IPSec SA lifetime: Router(config)#crypto ipsec security-association lifetime <seconds <sec> | kilobytes <kb>>
3. Create mirrored extended numbered/named ACLs on both peers, matching the traffic to be encrypted and the traffic expected to arrive encrypted (each peer's ACL has the other peer's source and destination swapped)
4. Set up the IPSec crypto map: Router(config)#crypto map <name> <seq> ipsec-isakmp
   - Router(config)#crypto map L2L-VPN-MAP 10 ipsec-isakmp
     - Router(config-crypto-map)#match address <acl>
     - Router(config-crypto-map)#set peer <peer-ip>
     - Router(config-crypto-map)#set pfs <group> (optional)
     - Router(config-crypto-map)#set transform-set <name>
5. Apply the crypto map to the interface on which the VPN will initiate and terminate:
   - Router(config)#interface <name>
   - Router(config-if)#crypto map L2L-VPN-MAP
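The whole recipe (Phase 1, Phase 2, mirrored ACLs, crypto map, interface binding) applied to both ends of a tunnel, as an added example that is not part of the original post. The addresses are constructed: Site A has WAN 192.0.2.1 and LAN 10.1.1.0/24, Site B has WAN 198.51.100.1 and LAN 10.2.2.0/24, and both use GigabitEthernet0/0 as the WAN interface; the pre-shared key is a placeholder. The policy values are the ones documented above; a stronger DH group (for example group 14) is a one-word change in the policy and in set pfs.

```cisco
! ===== Site A (constructed: WAN 192.0.2.1, LAN 10.1.1.0/24) =====
crypto isakmp enable
! Phase 1 policy: matches the "Documentation" section above
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
crypto isakmp identity address
! Pre-shared key for peer B (placeholder; use a long random secret)
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 198.51.100.1
!
! Phase 2 transform set and (optional) SA lifetime
crypto ipsec transform-set L2L-VPN-SET esp-aes 128 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! Interesting traffic: A's LAN -> B's LAN (mirror of Site B's ACL)
ip access-list extended L2L-VPN-ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map L2L-VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set L2L-VPN-SET
 set pfs group2
 match address L2L-VPN-ACL
!
! Bind the crypto map to the WAN interface
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map L2L-VPN-MAP

! ===== Site B (constructed: WAN 198.51.100.1, LAN 10.2.2.0/24) =====
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
crypto isakmp identity address
! Same placeholder key, keyed to peer A's address
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 192.0.2.1
!
crypto ipsec transform-set L2L-VPN-SET esp-aes 128 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! Interesting traffic: B's LAN -> A's LAN (source/destination swapped)
ip access-list extended L2L-VPN-ACL
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map L2L-VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set L2L-VPN-SET
 set pfs group2
 match address L2L-VPN-ACL
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map L2L-VPN-MAP
```

Two things to check once traffic is sent across: show crypto isakmp sa should list the peer in state QM_IDLE (Phase 1 up), and the #pkts encaps/decaps counters in show crypto ipsec sa should increase on both sides (Phase 2 up and symmetric). If either router also does NAT overload on the WAN interface, deny the LAN-to-LAN traffic in the NAT ACL first; IOS translates outbound packets before the crypto map evaluates them, so without that exemption the traffic never matches L2L-VPN-ACL.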
Verification:
- show crypto isakmp policy
- show crypto ipsec transform-set
- show crypto isakmp sa (Phase 1)
- show crypto ipsec sa (Phase 2)
- show crypto map
- debug crypto isakmp (Phase 1)
- debug crypto ipsec (Phase 2)