Encrypting GRE tunnels
In our last article we looked at creating GRE tunnels between networks to allow non-routable traffic to pass between remote offices. GRE tunnels are a great solution; however, the traffic passing inside these tunnels is not encrypted and so could be intercepted by unauthorized parties. In this article we are going to look at tunneling GRE inside of IPsec. This gives us the benefits of GRE together with the confidentiality and integrity protection of IPsec.
! IOS does not accept '#' comments; comments below use the IOS '!' form and
! child commands are indented as 'show running-config' prints them.
!
! ISAKMP (IKE phase 1) policy. Only the authentication method is set here, so
! the IOS defaults (DES encryption, SHA-1 hash, DH group 1) apply to the rest
! of the policy; set explicit encryption/hash/group lines in production.
crypto isakmp policy 10
 authentication pre-share
!
! pre-shared key for the remote tunnel endpoint; the key string must be
! identical on both routers
crypto isakmp key integer address 192.168.1.2
!
! use AES encryption, MD5-HMAC integrity and LZS compression (esp-md5-hmac is
! kept from the original; esp-sha256-hmac is the stronger choice on images
! that support it)
crypto ipsec transform-set myset esp-aes esp-md5-hmac comp-lzs
 ! transport mode tells IPsec not to add its own outer IP header: IPsec is
 ! used for encryption only, because GRE already provides the tunnel
 mode transport
!
! create the crypto map
crypto map mymap 10 ipsec-isakmp
 ! the peer must match the ISAKMP key statement
 set peer 192.168.1.2
 ! use the transform set we defined above
 set transform-set myset
 ! encrypt only the GRE packets between the two public addresses
 match address match-gre
!
interface Tunnel0
 ip address 172.20.1.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
 tunnel path-mtu-discovery
 ! crypto map applied to the tunnel interface (required on IOS releases
 ! before 12.2(13)T; later releases need it only on the physical interface)
 crypto map mymap
!
interface FastEthernet0/1
 description LAN INTERFACE
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0
 description Internet Interface
 ip address 192.168.1.1 255.255.255.0
 ip access-group allow-gre in
 ! the Internet side is the NAT outside interface (the original listed it as
 ! 'ip nat inside', a copy of the LAN line)
 ip nat outside
 duplex auto
 speed auto
 ! the crypto map must also be applied to the public interface the tunnel is
 ! sourced from, otherwise the GRE packets leave the router unencrypted
 crypto map mymap
!
! traffic permitted inbound on the Internet interface
ip access-list extended allow-gre
 ! allow GRE through the firewall
 permit gre any any
 ! allow ESP (the encrypted IPsec payload) through the firewall
 permit esp any any
 ! allow ISAKMP/IKE on UDP port 500; if a NAT device sits between the peers,
 ! NAT traversal additionally uses UDP port 4500
 permit udp any any eq 500
!
! access list that selects the traffic to encrypt: GRE packets from this
! router's public IP (source) to the peer's public IP (destination). The
! remote router needs the mirror image of this entry.
ip access-list extended match-gre
 permit gre host 192.168.1.1 host 192.168.1.2 log
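The checks a reviewer runs over this kind of configuration can be automated. The following Python script is an added example, not code from the original article: it parses an IOS config laid out as `show running-config` prints it and reports the mistakes that leave a GRE tunnel unencrypted or weakly encrypted (ISAKMP policy relying on IOS defaults, weak transforms, no `mode transport`, no crypto map on the tunnel-source interface, `ip nat inside` on the public side, a crypto ACL or peer that does not match the tunnel endpoints). The embedded sample config is a constructed copy of the article's router; the function names and the "weak" lists are this example's own choices.

```python
"""Static checks for a Cisco IOS GRE-over-IPsec configuration (added example)."""
import re

# Constructed sample: the article's router in 'show running-config' layout
# (indented child lines, no '#' inline comments).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key integer address 192.168.1.2
crypto ipsec transform-set myset esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set myset
 match address match-gre
interface Tunnel0
 ip address 172.20.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
 crypto map mymap
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 crypto map mymap
ip access-list extended match-gre
 permit gre host 192.168.1.1 host 192.168.1.2 log
"""

# Settings this checker treats as weak (the example's own policy, not IOS's).
WEAK_ISAKMP = {"encryption des", "encryption 3des", "hash md5", "group 1", "group 2"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_blocks(config):
    """Group an IOS config into {heading line: [indented child lines]}."""
    blocks, parent = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or '!' comment
        if raw.startswith(" ") and parent is not None:
            blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            blocks[parent] = []
    return blocks


def first_arg(lines, prefix):
    """Text after `prefix` in the first line starting with it, else None."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None


def check_config(config):
    """Return a list of human-readable findings; an empty list means clean."""
    blocks = parse_blocks(config)
    findings = []
    ifaces = {h.split()[1]: b for h, b in blocks.items() if h.startswith("interface ")}
    acls = {h.split()[-1]: b for h, b in blocks.items() if h.startswith("ip access-list ")}

    for head, body in blocks.items():
        if head.startswith("crypto isakmp policy "):
            # Knobs left unset silently take IOS defaults (DES, SHA-1, DH group 1).
            for knob in ("encryption", "hash", "group"):
                if first_arg(body, knob) is None:
                    findings.append(f"{head}: no '{knob}' line, IOS default applies")
            findings += [f"{head}: weak setting '{c}'" for c in body if c in WEAK_ISAKMP]
        elif head.startswith("crypto ipsec transform-set "):
            name = head.split()[2]
            if "mode transport" not in body:
                findings.append(f"transform-set {name}: 'mode transport' not set")
            findings += [f"transform-set {name}: weak transform '{t}'"
                         for t in head.split()[3:] if t in WEAK_ESP]

    for name, body in ifaces.items():
        src_if, dst = first_arg(body, "tunnel source"), first_arg(body, "tunnel destination")
        if not (src_if and dst):
            continue  # not a GRE tunnel interface
        pub = ifaces.get(src_if, [])  # the physical interface the tunnel is sourced from
        map_name = first_arg(pub, "crypto map")
        if map_name is None:
            findings.append(f"{name}: tunnel source {src_if} carries no crypto map, GRE leaves in the clear")
            continue
        if "ip nat inside" in pub:
            findings.append(f"{src_if}: 'ip nat inside' on the tunnel-source (public) interface")
        src_ip = (first_arg(pub, "ip address") or "").split(" ")[0]
        map_head = next((h for h in blocks if h.startswith(f"crypto map {map_name} ")), None)
        if map_head is None:
            findings.append(f"{src_if}: crypto map {map_name} is applied but not defined")
            continue
        entry = blocks[map_head]
        if first_arg(entry, "set peer") != dst:
            findings.append(f"{map_head}: 'set peer' differs from {name} tunnel destination {dst}")
        acl = first_arg(entry, "match address")
        wanted = re.compile(rf"^permit gre host {re.escape(src_ip)} host {re.escape(dst)}(\s|$)")
        if not any(wanted.match(line) for line in acls.get(acl, [])):
            findings.append(f"{map_head}: ACL {acl} has no 'permit gre host {src_ip} host {dst}' entry")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports the three unset ISAKMP knobs, the MD5 transform and the `ip nat inside` on the Internet interface, and stays silent once those lines are corrected; it is a starting point for a pre-change review rather than a full IOS parser (it only understands the indentation of `show running-config` output).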