Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

vpn tunneling


Can any one help me to find out the VPN tunneling.What are the Steps for VPN tunneling. If possible please give one example with configuration

Thanks & Regards,



Re: vpn tunneling


There are multiple types of VPN.

- Site-to-Site VPN

- Remote Access VPN


There are multiple device that support VPN as well

- Cisco Router

- Cisco PIX/ASA Firewall

- Cisco VPN Concentrator

There are also multiple encryption




Which of the above?

Cisco IOS (Router) Site-To-Site VPN configuration

Cisco ASA/PIX Site-to-Site VPN Configuration



New Member

Re: vpn tunneling


Can you send the configuration for vpn ip sec for site to site.



New Member

Re: vpn tunneling

Virtual Private Networks Tutorial

Virtual private network technology is based on the idea of tunneling. VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side.

For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within Internet Protocol (IP) packets. VPN protocols also support authentication and encryption to keep the tunnels secure.

In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS). Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively transfers management control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEP devices.

VPN Tunneling Protocols

Several computer network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.

Configuring PIX Firewall 1 with VPN Tunneling

Follow these steps to configure PIX Firewall 1:

Step 1 Define a host name:

hostname NewYork

Step 2 Configure an ISAKMP policy:

isakmp enable outside

isakmp policy 9 authentication pre-share

isakmp policy 9 encrypt des

Step 3 Configure a pre-shared key and associate with the peer:

crypto isakmp key cisco1234 address

Step 4 Configure the supported IPSec transforms:

crypto ipsec transform-set strong esp-des esp-sha-hmac

Step 5 Create an access list:

access-list 90 permit ip

This access list defines traffic from network to Both of these networks use unregistered addresses.

Note Steps 5 and 6 are not required if you want to enable NAT for all traffic.

Step 6 Exclude traffic between the intranets from NAT:

nat 0 access-list 90

This excludes traffic matching access list 90 from NAT. The nat 0 command is always processed before any other nat commands.

Step 7 Enable NAT for all other traffic:

nat (inside) 1 0 0

Step 8 Assign a pool of global addresses for NAT and PAT:

global (outside) 1

global (outside) 1

The pool of registered addresses are only used for connections to the public Internet.

Step 9 Define a crypto map:

crypto map toSanJose 20 ipsec-isakmp

crypto map toSanJose 20 match address 90

crypto map toSanJose 20 set transform-set strong

crypto map toSanJose 20 set peer

Step 10 Apply the crypto map to the outside interface:

crypto map toSanJose interface outside

Step 11 Specify that IPSec traffic be implicitly trusted (permitted):

sysopt connection permit-ipsec

CreatePlease login to create content