
Configure IPsec VPN

FeIix edited this page Apr 26, 2026 · 5 revisions

Configuration of IPsec VPN

General Steps

Step                           IKEv1                       IKEv2
1  IKE (Phase 1)               ISAKMP policy               IKEv2 proposal, policy and profile
2  IPsec (Phase 2)             Transform set               Transform set
3  Set authentication detail   Set values for PSK or PKI   Set values for PSK, PKI or AAA

Step                           Policy-based (Crypto map)                 Route-based (DMVPN & FlexVPN)
4  Define interesting traffic  Extended ACL                              -
5  Consolidate elements        Crypto map referring to step 1, 2 and 4   IPsec profile referring to step 1 and 2
6  Apply to interface          Physical interface                        Virtual tunnel interface (VTI)
7  Hub-and-Spoke               -                                         NHRP and Multipoint GRE or Virtual-Template

Example 1: Site-to-Site Topology


Configurations on R1

  1. Configure IKE Phase 1 for ISAKMP SA to establish a management tunnel for both peers.

    crypto isakmp policy 10                                         //"10" is the policy priority; a lower number is preferred
     encryption aes                                                 //Encryption algorithm
     authentication pre-share                                       //Authentication based on PSK (use rsa-sig for certificates)
     group 16                                                       //Diffie-Hellman group for key exchange
     exit
    
    crypto isakmp key cisco123 address 61.232.0.2                   //Pre-shared key for peer 61.232.0.2 (must match on both sides)
    
  2. Configure IKE Phase 2 for IPsec SA to define how the actual data traffic will be protected.

    crypto ipsec transform-set VPN-ESP-TS esp-aes 256 esp-sha256-hmac     //ESP with AES-256 encryption and SHA-256 HMAC
     mode tunnel                                                    //Or "mode transport"
    
  3. Define "Interesting Traffic".

    ip access-list extended VPN
     permit ip 172.16.0.0 0.0.0.255 192.168.2.0 0.0.0.255         //Traffic to be protected by the VPN
    

    Crucial: These ACLs must be mirrored on each side (Site B’s is permit 192.168.2.0 to 172.16.0.0).

  4. Create and bind the crypto map. (If using a VTI, configure an IPsec profile instead.)

    crypto map CMAP 10 ipsec-isakmp                                 //Name must match the map applied to the interface in step 5
     set transform-set VPN-ESP-TS
     match address VPN
     set peer 61.232.0.2
    
  5. Apply crypto map to the outside (public-facing) interface.

    interface Ethernet0/0
     crypto map CMAP
    
  6. (Optional) Exempt VPN traffic from NAT
    NAT happens before IPsec encryption, so the source address of traffic initiated from the internal subnet is translated to the outbound public IP. The translated packet no longer matches the crypto map's match address (the VPN interesting traffic), so no IPsec encryption takes place.

    • Exclude VPN traffic from NAT translation on the Site-A router;

    • Also exclude VPN traffic from NAT on the Site-B router.
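The Site-B (R2) side of Example 1, written out as an added example rather than taken from the original page: it mirrors R1's Phase 1 and Phase 2 settings, reverses the interesting-traffic ACL, and shows the NAT exemption of step 6 as configuration instead of a screenshot. Assumed values not given on the page: R1's public address 61.232.0.1, R2's LAN interface Ethernet0/1, and PAT to Ethernet0/0.

```cisco
! Site B (R2) counterpart of the R1 configuration above (added example).
! Assumed: R2 outside = Ethernet0/0 (61.232.0.2), R1 outside = 61.232.0.1 (not stated on the page),
! R2 LAN = 192.168.2.0/24 on Ethernet0/1, PAT to the outside interface.

! Phase 1: parameters must match R1 (aes, pre-share, group 16); the PSK must be identical on both ends
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 16
 exit
crypto isakmp key cisco123 address 61.232.0.1

! Phase 2: same transform set as R1
crypto ipsec transform-set VPN-ESP-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
 exit

! Interesting traffic: the mirror image of R1's ACL (source and destination swapped)
ip access-list extended VPN
 permit ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.0.255
 exit

! NAT exemption (step 6): deny the VPN traffic in the NAT ACL so it reaches the crypto map untranslated.
! The deny must precede the permit that covers the whole LAN, otherwise the source is translated
! to 61.232.0.2 and no longer matches ACL VPN.
ip access-list extended NAT-ACL
 deny   ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
 exit
ip nat inside source list NAT-ACL interface Ethernet0/0 overload

! Crypto map: ties Phase 2, the peer and the interesting traffic together; name matches the interface binding
crypto map CMAP 10 ipsec-isakmp
 set peer 61.232.0.1
 set transform-set VPN-ESP-TS
 match address VPN
 exit

interface Ethernet0/1
 ip nat inside
 exit
interface Ethernet0/0
 ip nat outside
 crypto map CMAP
 exit
```

After traffic between the two LANs has been sent, "show crypto isakmp sa" should list the peer in QM_IDLE state and "show crypto ipsec sa" should show the encaps/decaps counters increasing on both routers.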


Example 2: Stateful Failover on Cisco ASA

Configuring stateful failover for IPsec VPN on a Cisco ASA (Adaptive Security Appliance) ensures that VPN connections remain active when a failover occurs between primary and secondary ASAs in an Active/Standby High Availability (HA) setup.

Step 1: Configure ASA Failover

Before enabling stateful IPsec failover, you must have a working Active/Standby failover setup. If you haven’t configured failover yet, follow these steps:

1. Enable Failover on Both ASAs

On the Primary ASA:

failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/1
failover link STATE GigabitEthernet0/2
failover interface ip FAILOVER 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip STATE 192.168.2.1 255.255.255.0 standby 192.168.2.2
failover

On the Secondary ASA:

failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/1
failover link STATE GigabitEthernet0/2
failover interface ip FAILOVER 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip STATE 192.168.2.1 255.255.255.0 standby 192.168.2.2
failover

Enter the failover command last, once the failover and state links are defined. The secondary unit takes the same failover interface ip commands as the primary (the active and standby addresses are identical on both units; the secondary uses the standby address). Make sure the failover and stateful failover interfaces are physically connected.

2. Enable Stateful Failover

To ensure VPN session persistence, enable stateful failover:

failover replication http
failover replication enable
failover stateful failover

Step 2: Enable Stateful IPsec VPN Failover

To ensure that IPsec SAs, ISAKMP SAs, and IKEv2 sessions fail over seamlessly:

1. Enable IPsec Stateful Failover

crypto ikev1 enable failover
crypto ikev2 enable failover
failover stateful-sync enable

Explanation:

  • crypto ikev1 enable failover → Synchronizes IKEv1 sessions
  • crypto ikev2 enable failover → Synchronizes IKEv2 sessions
  • failover stateful-sync enable → Enables replication of VPN state information

2. Verify Stateful IPsec Failover Configuration

To check if VPN sessions and failover settings are synchronized:

show failover state
show failover
show vpn-sessiondb detail
show crypto isakmp sa
show crypto ikev2 sa

Step 3: Test Failover

  1. Establish a VPN connection (e.g., from a remote site or AnyConnect client).

  2. Manually trigger a failover:

    failover active
    
  3. Verify that the VPN session remains active:

    show vpn-sessiondb
    

If configured correctly, IPsec VPN sessions should persist without disconnecting when failover occurs.

Summary

  • Failover must be stateful (failover stateful failover).
  • Enable replication for IKEv1 and IKEv2 sessions (crypto ikev1 enable failover and crypto ikev2 enable failover).
  • Test failover to ensure VPN session persistence.
