Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

site-to-site vpn secure lan?

Hi Expert,

I configure site-to-site vpn on cisco router to secure traffic like following config.

I just want to make sure it secure enough or I need to do more config.

Do I need to apply any acl to outside interface to secure my lan?

Thanks

sitevpn.jpg

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 5

!

crypto isakmp key Cisco@2013 address 100.100.100.1

!

crypto ipsec transform-set trans esp-3des esp-md5-hmac

!

crypto map IPSEC_MAP 1 ipsec-isakmp

set peer 100.100.100.1

set transform-set trans

match address LinktoHQ

!

interface GigabitEthernet0/0.1

encapsulation dot1Q 123

ip address 100.100.100.2 255.255.255.0

crypto map IPSEC_MAP

!

interface GigabitEthernet0/1

ip address 192.100.138.1 255.255.255.0

!

ip route 192.100.110.0 255.255.255.0 100.100.100.1

!

ip access-list extended LinktoHQ

permit ip 192.100.138.0 0.0.0.255 192.100.110.0 0.0.0.255

deny ip any any

!

1 REPLY
VIP Purple

Re: site-to-site vpn secure lan?

3DES is legacy encryption and MD5 should't be used any more at all. It's better to migrate to AES (128bit is ok and still better then 3DES) and SHA-1 at a minimum.

The PSK has to be long (up to 128 characters) and very random. If you configure both routers by your own and you don't have to negotiate the key by phone, then generate a very long random key and paste him into the config.

And you should have an ACL on the public interface that only allows needed traffic. For S2S VPN where both Endpoints are not NATted that is IP protocol 50 (ESP) and UDP/500 (ISAKMP).

For the interface-ACL, here is an example: https://supportforums.cisco.com/docs/DOC-38580

More on the selection of cryptographic algorithms (if you want to dig deeper into the stuff):
http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html


Sent from Cisco Technical Support iPad App


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
127
Views
0
Helpful
1
Replies
CreatePlease login to create content