
New Member

site-to-site vpn secure lan?

Hi Expert,

I configured a site-to-site VPN on a Cisco router to secure traffic with the following config.

I just want to make sure it is secure enough, or whether I need to do more config.

Do I need to apply any ACL to the outside interface to secure my LAN?




! Phase 1 (IKEv1) policy: 3DES, pre-shared key, DH group 5
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
!
! Pre-shared key for the HQ peer (peer address not shown in the post)
crypto isakmp key Cisco@2013 address
!
! Phase 2 transform set: 3DES with MD5 HMAC
crypto ipsec transform-set trans esp-3des esp-md5-hmac
!
! Crypto map tying peer, transform set and crypto ACL together
crypto map IPSEC_MAP 1 ipsec-isakmp
 set peer
 set transform-set trans
 match address LinktoHQ
!
! Outside subinterface (VLAN 123) where the crypto map is applied
interface GigabitEthernet0/0.1
 encapsulation dot1Q 123
 ip address
 crypto map IPSEC_MAP
!
! Inside (LAN) interface
interface GigabitEthernet0/1
 ip address
!
ip route
!
! Crypto ACL: traffic matched by the permit line is sent through the tunnel
ip access-list extended LinktoHQ
 permit ip
 deny ip any any


VIP Purple

Re: site-to-site vpn secure lan?

3DES is legacy encryption and MD5 shouldn't be used any more at all. It's better to migrate to AES (128-bit is ok and still better than 3DES) and SHA-1 at a minimum.

The PSK has to be long (up to 128 characters) and very random. If you configure both routers on your own and you don't have to negotiate the key by phone, then generate a very long random key and paste it into the config.

And you should have an ACL on the public interface that only allows needed traffic. For a S2S VPN where both endpoints are not NATted, that is IP protocol 50 (ESP) and UDP/500 (ISAKMP).

For the interface-ACL, here is an example:

More on the selection of cryptographic algorithms (if you want to dig deeper into the stuff):

Sent from Cisco Technical Support iPad App

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
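An added example, not from the original thread, of the hardened configuration the reply describes: AES-256 and SHA-256 with DH group 14 in place of 3DES/MD5/group 5 (going past the 128-bit and SHA-1 minimum the reply mentions), a placeholder for a long random PSK, and an inbound ACL on the outside interface that admits only ISAKMP and ESP from the HQ peer. PEER_IP, OUTSIDE_IP and the ACL name OUTSIDE_IN are placeholders. It assumes an IOS release that supports sha256 and esp-sha256-hmac, that decrypted tunnel traffic is not re-checked against the interface ACL on that release, and that no other Internet traffic enters this interface (otherwise its return traffic must be permitted as well).

```cisco
! Phase 1: AES-256, SHA-256, pre-shared key, DH group 14
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Long random PSK (up to 128 characters) bound to the single HQ peer.
! REPLACE_WITH_LONG_RANDOM_PSK and PEER_IP are placeholders.
crypto isakmp key REPLACE_WITH_LONG_RANDOM_PSK address PEER_IP
!
! Phase 2: AES-256 with SHA-256 HMAC
crypto ipsec transform-set trans esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto map: PFS with group 14 so each IPsec SA gets a fresh DH exchange
crypto map IPSEC_MAP 1 ipsec-isakmp
 set peer PEER_IP
 set transform-set trans
 set pfs group14
 match address LinktoHQ
!
! Inbound interface ACL for a non-NATted S2S peer: only ISAKMP (UDP/500)
! and ESP (IP protocol 50) from the peer to our outside address.
! Everything else is dropped and logged for monitoring.
ip access-list extended OUTSIDE_IN
 permit udp host PEER_IP host OUTSIDE_IP eq isakmp
 permit esp host PEER_IP host OUTSIDE_IP
 deny ip any any log
!
! Apply the ACL inbound on the same outside subinterface as the crypto map
interface GigabitEthernet0/0.1
 ip access-group OUTSIDE_IN in
 crypto map IPSEC_MAP
```

If either endpoint were behind NAT, NAT-T would also require permitting UDP/4500 (eq non500-isakmp) from the peer.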