Wednesday 19 April 2017

cisco router VPN setup

The router sets a number of options by default that a plain sh run does not display; do a sh run all to see the full effective configuration before you start.

Enable ISAKMP
crypto isakmp enable

Phase 1 settings (these must match on the peer; note that md5 and group 2 are kept here as on the original router but are legacy choices, and encr aes with no keysize means 128-bit. For anything new use sha256 and group 14 or higher.)
crypto isakmp policy 5
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secretpw address 172.19.140.205

Phase 2

ACL to match the traffic to be encrypted (the peer's crypto ACL must be the exact mirror image, or phase 2 will fail even when phase 1 is up)
ip access-list extended GBY-VPN
 permit ip 10.55.1.0 0.0.0.255 10.255.1.16 0.0.0.15

Transform set (mode tunnel is the default, shown here for clarity)
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel

Crypto map
crypto map VPN-TUNNEL 1 ipsec-isakmp
 set peer 172.19.140.205
 set transform-set AES-SHA
 match address GBY-VPN

The parts people forget

Apply the crypto map to the outside interface
interface GigabitEthernet1
 crypto map VPN-TUNNEL

Make sure there is a route to the other side's public IP out of the interface the crypto map is applied to (here a default route via the ISP next hop)
ip route 0.0.0.0 0.0.0.0 172.19.140.1

NAT exemption is also required if you have NAT set up for the inside subnet. NAT runs before the crypto map on the inside-to-outside path, so VPN traffic has to be denied in the NAT ACL or it gets translated and never matches GBY-VPN. The deny must cover the same source and destination as the crypto ACL (the entry originally used 10.255.0.0 0.0.0.255, which does not include 10.255.1.16/28) and sits at sequence 5 so it is evaluated before the permit lines:
ip access-list extended NAT_ADDRESSES
 5 deny ip 10.55.1.0 0.0.0.255 10.255.1.16 0.0.0.15