Tuesday, May 8, 2012

Cisco to Cisco IPsec-manual Decrypt packets - Part 1

We will split this blogtorial into 2 parts. Part 1 will concentrate on how to setup up the IPsec-manual tunnel and Part 2 will concentrate on how to decrypt the traffic between the two VPN end points. Reason we are setting up a ipsec-manual instead of a ipsec-isakmp VPN is because we cannot get the IPsec session keys to decrypt the packet if isakmp is used.

Consider this simple 2 router topology and let's get started. 

First we need to get the interfaces configured.


Next let's define the crypto map, session keys etc. and apply it to the interface.


  • Define the transform set - encryption protocol des and authentication protocol hmac-sha
  • Define the crypto map and set it to ipsec-manual 
  • Set the inbound session keys and outbound session keys
  • Match the "interesting" traffic. In this case it will be ICMP between the 2 routers which we will define next


  • Define the "interesting" traffic ACL
  • Apply it to the interface
Now at this point we should be able to ping across and the ICMP packets should be encrypted.


We have successfully created a static ipsec-manual VPN between the 2 end points.

Let's move on to Part 2