We needed to connect the office network to a remote server rack and, since two Cisco 2811 routers were available, decided to use an IPsec VPN. Connection diagram:

Connection diagram

Router 1

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key vpnuser address 10.2.2.2
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set myset
 match address 110
!
interface FastEthernet0/0
 description OUTSIDE
 ip address 10.1.1.1 255.255.255.0
 crypto map mymap
!
interface FastEthernet0/1
 description INSIDE
 ip address 192.168.1.1 255.255.255.0
!
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.2.2.0 0.0.0.255

Router 2

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key vpnuser address 10.1.1.1
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set myset
 match address 110
!
interface FastEthernet0/0
 description OUTSIDE
 ip address 10.2.2.2 255.255.255.0
 crypto map mymap
!
interface FastEthernet0/1
 description INSIDE
 ip address 192.168.2.1 255.255.255.0
!
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
access-list 100 deny   ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255

To bring the tunnel up, it is enough to send a ping from one network to the other, for example:

Router-1#ping 10.2.2.2 source 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 4/5/8 ms
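Before relying on the ping test, it is worth checking that the two configurations above agree with each other. The following Python script is an added example, not part of the original post: it reads the tunnel-relevant lines from each config (constructed excerpts of the two configs above) and reports the mismatches a site-to-site IPsec setup must be free of. Run over the configs above, it flags that the crypto ACLs (110) on the two routers are not mirror images of each other and that DH group 2 is below current recommendations.

```python
# Constructed excerpts of the two configs from the post, limited to the lines this checker reads.
ROUTER1 = """\
 group 2
crypto isakmp key vpnuser address 10.2.2.2
crypto ipsec transform-set myset esp-aes esp-sha-hmac
 set peer 10.2.2.2
 match address 110
 ip address 10.1.1.1 255.255.255.0
 crypto map mymap
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
ROUTER2 = """\
 group 2
crypto isakmp key vpnuser address 10.1.1.1
crypto ipsec transform-set myset esp-aes esp-sha-hmac
 set peer 10.1.1.1
 match address 110
 ip address 10.2.2.2 255.255.255.0
 crypto map mymap
access-list 110 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

def parse(cfg):
    """Collect the tunnel-relevant values from an IOS running-config (or an excerpt of one)."""
    p, acl, ip = {}, {}, None
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] == ["group"]: p["group"] = int(t[1])
        elif t[:3] == ["crypto", "isakmp", "key"]: p["key"], p["key_addr"] = t[3], t[5]
        elif t[:2] == ["crypto", "ipsec"]: p["tset"] = tuple(t[4:])
        elif t[:2] == ["set", "peer"]: p["peer"] = t[2]
        elif t[:2] == ["match", "address"]: p["acl"] = t[2]
        elif t[:2] == ["ip", "address"]: ip = t[2]  # address of the interface being configured
        elif t[:2] == ["crypto", "map"] and len(t) == 3: p["outside"] = ip  # map applied to interface
        elif t[:1] == ["access-list"]: acl.setdefault(t[1], []).append(tuple(t[4:8]))
    p["entries"] = acl.get(p.get("acl"), [])  # (src, wildcard, dst, wildcard) rows of the crypto ACL
    return p

def check(a, b):  # mismatches between the two tunnel ends; an empty list means consistent
    out = []
    for me, other, n in ((a, b, "Router 1"), (b, a, "Router 2")):
        if me["peer"] != other["outside"]: out.append(f"{n}: peer is not the other router's outside address")
        if me["key_addr"] != me["peer"]: out.append(f"{n}: pre-shared key is bound to {me['key_addr']}, not to the peer")
        if me["group"] < 14: out.append(f"{n}: DH group {me['group']} is weaker than the recommended group 14")
    if a["key"] != b["key"]: out.append("pre-shared keys differ")
    if a["tset"] != b["tset"]: out.append("transform sets differ")
    # Crypto ACLs must mirror each other: what A encrypts towards B, B must encrypt back towards A.
    mirror = {(d, dm, s, sm) for s, sm, d, dm in b["entries"]}
    if set(a["entries"]) != mirror: out.append("crypto ACLs are not mirror images of each other")
    return out
```

Calling `check(parse(ROUTER1), parse(ROUTER2))` returns the list of findings; substitute the real running-configs for the excerpts to check a live pair of routers.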