Cisco IOS: VPN configuration example

This page provides more detailed information for configuring a Skytap VPN for use with a Cisco IOS endpoint on an external network. It contains the VPN configuration parameters to enter on the Skytap VPN page, as well as a sample configuration file for the Cisco IOS device.

For general information, see Creating a VPN connection to your Skytap account.


Skytap VPN configuration

Parameters to enter on the Skytap VPN page, listed as parameter name followed by the value to enter:

Name: a name for the Skytap VPN. Example: CorporateVPN

Remote Peer IP: the [CUSTOMER VPN ENDPOINT] value from the sample configuration file below (the public address configured on the external interface of the Cisco IOS device).

Region: N/A. This is populated automatically when you select a public IP address for the Skytap peer IP field (see below). Example: US-West

Skytap peer IP: an available public IP address in your Skytap account. Select a public IP in the same region as the VMs you want to connect to. Example: 76.32.14.101. Enter this as the [SKYTAP VPN ENDPOINT] value in the sample configuration file below.

Skytap subnet: the [SKYTAP VM IP RANGE] value from the sample configuration file below. This is the range of VM IP addresses in Skytap that send and receive traffic through this VPN. It can't overlap with the included remote subnets defined below. You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet, but not for both.

Apply NAT for Connected Networks: YES

Topology: Policy-based. The sample configuration file below matches this: traffic is selected by a crypto ACL applied through a crypto map.

Phase 1 Encryption Algorithm: aes 256

Phase 1 Hash Algorithm: sha1

Phase 1 pre-shared Key: the [SHARED SECRET KEY] value from the sample configuration file below. Use a long random value generated for this tunnel only; the same string must be entered on both sides.

Phase 1 SA lifetime: 28800 (seconds)

Phase 1 DH group: modp1536 (5). This must match the group line in the ISAKMP policy on the Cisco IOS device (group 5).

Phase 2 encryption algorithm: aes 256

Phase 2 authentication algorithm: hmac_sha1

Phase 2 perfect forward secrecy (PFS): OFF

Phase 2 PFS group: N/A

Phase 2 SA lifetime: N/A

SA policy level: require

Specify maximum segment size: NO

Maximum segment size: N/A

Dead peer detection: ON

Included remote subnets: the [INTERNAL ALLOWED IP RANGE] value from the sample configuration file below. These are the IP addresses and subnets on the external network that send and receive traffic through this VPN. Example: 10.1.15.0/24. You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet, but not for both.

Excluded remote subnets: a subset of the IP addresses and subnets on the external network that should be excluded from the VPN tunnel. This is only used to define exclusions from larger included remote subnets. Example: 10.1.15.17/32

The Phase 1 and Phase 2 algorithm values, the DH group and the Phase 1 lifetime must agree with the ISAKMP policy and transform set on the Cisco IOS device, or the tunnel will not negotiate.

Sample Cisco IOS device configuration file

These are the parameters to enter in the Cisco IOS device configuration file. Lines beginning with ! are comments. Replace [VARIABLES] with specific values from Skytap or corporate policy. The ISAKMP policy and transform set must match the Phase 1 and Phase 2 values entered on the Skytap VPN page above (aes 256, sha1, modp1536 (5), 28800 seconds; aes 256, hmac_sha1, PFS off).

! Phase 1 (ISAKMP). "encr aes" with no key size means AES-128; the Skytap side is set to aes 256.
! "group 5" is modp1536, the Phase 1 DH group entered on the Skytap VPN page.
crypto isakmp policy [UNIQUE NUMBER]
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key [SHARED SECRET KEY] address [SKYTAP VPN ENDPOINT]
! Optional: dead peer detection is ON on the Skytap side; this makes the IOS device probe as well.
crypto isakmp keepalive 10 3 periodic
!
! Phase 2 (IPsec). "esp-aes" alone is AES-128; esp-aes 256 and esp-sha-hmac match aes 256 / hmac_sha1.
! No "set pfs" in the crypto map because PFS is OFF on the Skytap side.
crypto ipsec transform-set [TRANSFORM SET NAME] esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
crypto map [CRYPTO MAP NAME] [UNIQUE NUMBER] ipsec-isakmp
 set peer [SKYTAP VPN ENDPOINT]
 set transform-set [TRANSFORM SET NAME]
 match address [ACL NAME]
!
interface [INTERNAL INTERFACE]
 description [CUSTOMER PRIVATE IP ADDRESS]
 ip address [CUSTOMER INTERNAL NETWORK]
!
interface [EXTERNAL INTERFACE]
 description [CUSTOMER PUBLIC IP]
 ip address [CUSTOMER VPN ENDPOINT]
 crypto map [CRYPTO MAP NAME]
!
! Crypto ACL. Source is the customer side, destination is the Skytap side, each written as
! network address plus wildcard mask (for example 10.1.15.0 0.0.0.255). Entries are evaluated
! top down, so a deny line for each excluded remote subnet goes before the permit line;
! omit the deny line if no excluded remote subnets are defined.
ip access-list extended [ACL NAME]
 deny ip [EXCLUDED REMOTE SUBNET] [SKYTAP VM IP RANGE]
 permit ip [INTERNAL ALLOWED IP RANGE] [SKYTAP VM IP RANGE]

The pre-shared key is stored in the running configuration; treat configuration backups as secrets.
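As an added example (not part of Skytap's documentation and not Cisco's tooling), the following Python script takes the Skytap VPN page parameters above and emits the matching Cisco IOS commands: it converts the DH group notation to the IOS group number, keeps the AES key size explicit in both the ISAKMP policy and the transform set, writes the crypto ACL with wildcard masks and a deny entry per excluded remote subnet ahead of the permit, and applies the subnet rules the Skytap page enforces (local and remote subnets must not overlap, and 0.0.0.0/0 may appear on only one side). The peer address, Skytap subnet, interface and object names are constructed placeholders; the algorithm values and the 10.1.15.x subnets are the ones the page lists.

```python
"""Build the Cisco IOS side of a Skytap policy-based VPN from the Skytap VPN page values.

Added example, not Skytap's or Cisco's code. Peer address, Skytap subnet, interface and
object names are constructed placeholders; algorithm values and the 10.1.15.x subnets
are the ones the page lists.
"""
import ipaddress
import re

SKYTAP_VPN = {
    "skytap_peer_ip": "76.32.14.101",              # [SKYTAP VPN ENDPOINT], page example
    "skytap_subnet": "10.0.0.0/16",                # [SKYTAP VM IP RANGE], constructed
    "phase1_encryption": "aes 256",
    "phase1_hash": "sha1",
    "phase1_lifetime": 28800,
    "phase1_dh_group": "modp1536 (5)",
    "phase2_encryption": "aes 256",
    "phase2_auth": "hmac_sha1",
    "phase2_pfs_group": None,                      # PFS is OFF on the Skytap page
    "included_remote_subnets": ["10.1.15.0/24"],   # [INTERNAL ALLOWED IP RANGE], page example
    "excluded_remote_subnets": ["10.1.15.17/32"],  # page example
}
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def wildcard(cidr):
    """IOS ACL form of a CIDR prefix: network address plus wildcard (inverse) mask."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"


def dh_group(value):
    """'modp1536 (5)' on the Skytap page -> '5', the IKE group number IOS expects."""
    m = re.search(r"\((\d+)\)", value)
    if not m:
        raise ValueError(f"cannot read IKE group number from {value!r}")
    return m.group(1)


def esp_transform(cipher, auth):
    """Map Skytap phase 2 names to an IOS transform set; 'esp-aes' alone means AES-128."""
    alg, _, bits = cipher.partition(" ")
    enc = {"aes": f"esp-aes {bits}".strip(), "3des": "esp-3des"}[alg]
    integ = {"hmac_sha1": "esp-sha-hmac", "hmac_md5": "esp-md5-hmac"}[auth]
    return f"{enc} {integ}"


def validate(p):
    """Reject subnet combinations the Skytap VPN page does not accept."""
    local = ipaddress.ip_network(p["skytap_subnet"])
    remotes = [ipaddress.ip_network(s) for s in p["included_remote_subnets"]]
    if local == DEFAULT_ROUTE and DEFAULT_ROUTE in remotes:
        raise ValueError("0.0.0.0/0 is allowed on the local or the remote side, not both")
    for r in remotes:
        # A default route on one side legitimately covers the other; otherwise no overlap.
        if DEFAULT_ROUTE not in (local, r) and local.overlaps(r):
            raise ValueError(f"Skytap subnet {local} overlaps included remote subnet {r}")
    for e in map(ipaddress.ip_network, p["excluded_remote_subnets"]):
        if not any(e.subnet_of(r) for r in remotes):
            raise ValueError(f"excluded subnet {e} is not inside an included remote subnet")


def is_valid(p):
    try:
        validate(p)
        return True
    except ValueError:
        return False


def render_ios_config(p, shared_secret, outside_if="GigabitEthernet0/0",
                      outside_ip="203.0.113.10 255.255.255.248", seq=10,
                      ts="SKYTAP-TS", cmap="SKYTAP-MAP", acl="SKYTAP-ACL"):
    """Emit the IOS commands; every value that must match the Skytap side is derived from p."""
    validate(p)
    skytap = wildcard(p["skytap_subnet"])
    lines = [
        f"crypto isakmp policy {seq}",
        f" encr {p['phase1_encryption']}",           # 'encr aes' alone would be AES-128
        f" hash {'sha' if p['phase1_hash'] == 'sha1' else p['phase1_hash']}",
        " authentication pre-share",
        f" group {dh_group(p['phase1_dh_group'])}",
        f" lifetime {p['phase1_lifetime']}",
        f"crypto isakmp key {shared_secret} address {p['skytap_peer_ip']}",
        "crypto isakmp keepalive 10 3 periodic",     # dead peer detection ON
        f"crypto ipsec transform-set {ts} {esp_transform(p['phase2_encryption'], p['phase2_auth'])}",
        " mode tunnel",
        "crypto ipsec df-bit clear",
        f"crypto map {cmap} {seq} ipsec-isakmp",
        f" set peer {p['skytap_peer_ip']}",
        f" set transform-set {ts}",
        f" match address {acl}",
    ]
    if p.get("phase2_pfs_group"):                    # only when PFS is ON on the Skytap side
        lines.append(f" set pfs group{dh_group(p['phase2_pfs_group'])}")
    lines += [f"interface {outside_if}", f" ip address {outside_ip}", f" crypto map {cmap}",
              f"ip access-list extended {acl}"]
    # Crypto ACLs are evaluated top down, so exclusions go before the permit entries.
    for ex in p["excluded_remote_subnets"]:
        lines.append(f" deny ip {wildcard(ex)} {skytap}")
    for inc in p["included_remote_subnets"]:
        lines.append(f" permit ip {wildcard(inc)} {skytap}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_ios_config(SKYTAP_VPN, "CONSTRUCTED-SECRET-replace-me"))
```

Paste the output into configuration mode on the IOS device after filling in the real interface, address and secret; the validation step fails closed, so a Skytap subnet that overlaps an included remote subnet, or an excluded subnet that is not inside an included one, is reported before any configuration is produced.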