برای کانفیگ تانل Site-to-Site در IPSec مطابق سناریو بالا در روتر Router_A:
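! IKEv1 phase 1 (ISAKMP) policy for Router_A. Every value in this policy must
! match the policy configured on the peer, or phase 1 will not complete.
! NOTE(review): 3DES and DH group 2 (1024-bit MODP) are legacy choices. Where
! both routers support it, prefer "encryption aes 256" and "group 14" or higher,
! and change both peers in the same maintenance window.
Router_A(config)# crypto isakmp policy 10
Router_A(config-isakmp)# encr 3des
Router_A(config-isakmp)# hash sha256
Router_A(config-isakmp)# authentication pre-share
Router_A(config-isakmp)# group 2
! Phase 1 SA lifetime in seconds (28800 s = 8 h).
Router_A(config-isakmp)# lifetime 28800
! Pre-shared key used with the peer at 20.20.20.20. "Virgool.secret" is the
! article's sample value; a real deployment needs a long random key that is
! identical on both routers and is not published with the configuration.
Router_A(config)# crypto isakmp key Virgool.secret address 20.20.20.20
! Crypto ACL: traffic from 172.16.0.0/16 to 192.168.0.0/16 is selected for
! encryption. The peer's crypto ACL must be the mirror image of this entry.
Router_A(config)# ip access-list extended Virgool_ACL
Router_A(config-ext-nacl)# permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
! Phase 2 (IPsec) transform set: ESP with 3DES encryption and HMAC-SHA-256.
! NOTE(review): the 3DES caveat above applies here as well ("esp-aes 256").
Router_A(config)# crypto ipsec transform-set Virgool_TS esp-3des esp-sha256-hmac
! The crypto map ties the peer, the transform set and the crypto ACL together.
Router_A(config)# crypto map Virgool_MAP 10 ipsec-isakmp
Router_A(config-crypto-map)# set peer 20.20.20.20
Router_A(config-crypto-map)# set transform-set Virgool_TS
Router_A(config-crypto-map)# match address Virgool_ACL
! Apply the crypto map to the WAN-facing interface (the WAN port).
Router_A(config)# interface gig 0/0
Router_A(config-if)# crypto map Virgool_MAP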
و سپس کانفیگ Router_B:
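! IKEv1 phase 1 (ISAKMP) policy for Router_B. Every value in this policy must
! match the policy configured on the peer, or phase 1 will not complete.
! NOTE(review): 3DES and DH group 2 (1024-bit MODP) are legacy choices. Where
! both routers support it, prefer "encryption aes 256" and "group 14" or higher,
! and change both peers in the same maintenance window.
Router_B(config)# crypto isakmp policy 10
Router_B(config-isakmp)# encr 3des
Router_B(config-isakmp)# hash sha256
Router_B(config-isakmp)# authentication pre-share
Router_B(config-isakmp)# group 2
! Phase 1 SA lifetime in seconds (28800 s = 8 h).
Router_B(config-isakmp)# lifetime 28800
! Pre-shared key used with the peer at 10.10.10.10. "Virgool.secret" is the
! article's sample value; a real deployment needs a long random key that is
! identical on both routers and is not published with the configuration.
Router_B(config)# crypto isakmp key Virgool.secret address 10.10.10.10
! Crypto ACL: traffic from 192.168.0.0/16 to 172.16.0.0/16 is selected for
! encryption. The peer's crypto ACL must be the mirror image of this entry.
Router_B(config)# ip access-list extended Virgool_ACL
Router_B(config-ext-nacl)# permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
! Phase 2 (IPsec) transform set: ESP with 3DES encryption and HMAC-SHA-256.
! NOTE(review): the 3DES caveat above applies here as well ("esp-aes 256").
Router_B(config)# crypto ipsec transform-set Virgool_TS esp-3des esp-sha256-hmac
! The crypto map ties the peer, the transform set and the crypto ACL together.
Router_B(config)# crypto map Virgool_MAP 10 ipsec-isakmp
Router_B(config-crypto-map)# set peer 10.10.10.10
Router_B(config-crypto-map)# set transform-set Virgool_TS
Router_B(config-crypto-map)# match address Virgool_ACL
! Apply the crypto map to the WAN-facing interface (the WAN port).
Router_B(config)# interface gig 0/0
Router_B(config-if)# crypto map Virgool_MAP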
برای اعتبار سنجی و دیباگ کردن نیز:
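! Phase 2: lists the IPsec SAs for the tunnel. The packet counters only
! increase once traffic matching the crypto ACL is actually passing.
Router_A#show crypto ipsec sa
! Phase 1: lists the ISAKMP SAs. QM_IDLE with status ACTIVE means the IKE SA
! to the peer is established and idle.
Router_A#show crypto isakmp sa
dst             src             state     conn-id  slot  status
20.20.20.20     10.10.10.10     QM_IDLE   1        0     ACTIVE
! Negotiation trace for troubleshooting proposal or key mismatches. The output
! is verbose; turn it off again with "undebug all" when finished.
Router_A#debug crypto isakmp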