How to configure IPSEC Tunnel configurations between two routers across Internet

Today I am going to talk about the IPSEC configurations between two routers in the LAN segments. I know most of you understand the theoretical and the configuration part of the IPSEC in details. In this article I am just taking the example of the IPSEC configuration between two routers in a LAN network or you can say that it is a LAN to LAN IPSEC configurations between two routers.

The article is based in the assumption of the routers as i took Cisco routers in the example, These models are Cisco 3640 routers which is i knew end of sale as of now. Cisco 3640 is a modular Access routers and uses in small or branch offices.

                                                 Fig 1.1- IPsec Tunnel between Sites                                                           

Lets take below mentioned topology to understand the configuration of IPSEC on one of the router named Router A. So in the below example we have the LAN to LAN IPSEC tunnel between the routers via Internet link. where the host behind the router A wants to talk to host behind the router B. Make sure you know that IPSEC is generally used where the intermediate network is Internet via which you have the secure connectivity.

The other way to connect the same via the internet is DMVPN which i already talked in the earlier article. The only difference between the IPSEC and DMVPN is that IPSEC is a point to point connection between the two routers and DMVPN can be point to point, point to multi-point hub to Spoke type of connections with same features there in the IPSEC.

Now let's talk about the IPSEC configuration part for the below mentioned Topology. I will take through all the configurations on Router A and its you guys who need to create the configurations on Router B.

All the IP addresses and the used Topology below is just an example and has no relevance with any of the live network or with the enterprise network anyhow.

                                               Fig 1.2- IPSEC Tunnel                                                   

Router Configurations on Router A
Create an ISAKMP policy for Phase 1 and negotiations for the L2L tunnels

crypto isakmp policy 10
hash md5
authentication pre-share

Specify pre-shared key and remote peer address and to match for the L2L tunnel.
crypto isakmp key vpnuser address
Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-des esp-md5-hmac

Create the actual crypto map. Specify the peer IP address, transform set, and an access control list (ACL) for the split tunnelling.

crypto map mymap 10 ipsec-isakmp
 set peer
 set transform-set myset
match address 100
interface Ethernet0/0
ip address

Apply the crypto map on the outside interface

interface Serial2/0
ip address
crypto map mymap
ip http server
no ip http secure-server
ip route

Create an ACL for the traffic to be encrypted. In this example,the traffic from to is encrypted. The traffic which does not match the access list is unencrypted for the Internet.

access-list 100 permit ip
line con 0
line aux 0
line vty 0 4

Similarly, we can have the same kind of configurations on other router in the network which is Router B.