# Cisco

## Step 1 - Creating a new branch connection

[Log in to the GoodAccess **Control Panel**, and go to **Network** > **Clouds & Branches**.](https://app.goodaccess.com/branches/)

Click **+ Add new**, enter a **Name** (e.g., Prague Office), select the required **Gateway**, and define your local **Subnets** (using CIDR notation).

Select **IPSec** as the **Protocol**, and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set on your device in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Branch at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration (Default preset):**

* **Shared Secret** - Create a new strong password
* **Public IP** - Public IP of your Cisco device
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 16 - modp4096
* **Diffie-Hellman Groups (Phase 2)** - 16 - modp4096
{% endhint %}

## Step 2 - Creating a new IPSec profile

Log in to your Cisco device, and go to **VPN** > **IPSec Profiles**. Click **Add** to create a new profile.

Give the profile a name and set the configuration as follows:

* **Keying mode** - Auto
* **IKE Version** - IKEv2
* **Phase I & II Options** - Must match the configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection)

Click **Apply** to confirm your settings.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FAuCwDmuwfTKnJrLMtLep%2FBranch%20Connector%20guides%20-%20Cisco_2.PNG?alt=media&#x26;token=aadb47fa-c9a6-4559-b86c-02b846320821" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new IPSec profile."><figcaption><p>Creating a new IPSec profile</p></figcaption></figure>

## Step 3 - Creating a new site-to-site connection

Go to **VPN** > **Site-to-Site**. Click the **Add** button to create a new connection.

Give the connection a name and set the configuration as follows:

* **IPSec Profile** - Select the profile you just created [(Step 2)](#step-2-creating-a-new-ipsec-profile)
* **Remote Endpoint** - Select Static IP and enter the IP of your GoodAccess Gateway

#### Local/Remote IKE Authentication Method

* **Pre-shared Key** - Shared Secret from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection)

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FJ44R4hCQ1P3kdlxheZoq%2FBranch%20Connector%20guides%20-%20Cisco_3.PNG?alt=media&#x26;token=c531ca26-2bd7-4cd8-b5f5-a83eb3602bcc" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new site-to-site connection."><figcaption><p>Creating a new site-to-site connection</p></figcaption></figure>

### **Local Group Setup**

* **Local Identifier Type** - Local WAN IP
* **Local Identifier** - Your public IP
* **Local IP Type** - Subnet
* **IP Address** - IP of your network
* **Subnet Mask** - Your Subnet Mask

### **Remote Group Setup**

* **Remote Identifier Type** - Remote WAN IP
* **Remote Identifier** - IP of your GoodAccess Gateway
* **Remote IP Type** - Subnet
* **IP Address** - Subnet of your GoodAccess Gateway
* **Subnet Mask** - Subnet Mask of your GoodAccess Gateway

Don't forget to **Apply** changes.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Ffr1zKRc4GUWqhDSQ6VTx%2FBranch%20Connector%20guides%20-%20Cisco_4.PNG?alt=media&#x26;token=a12c1bf8-02d5-4b68-bf9c-2ffe021dba85" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Local &#x26; Remote Group Setup sections of a site-to-site connection."><figcaption><p>Setting up the local &#x26; remote group setup of a site-to-site connection</p></figcaption></figure>

You have now successfully connected your device to GoodAccess.

{% hint style="warning" %}
**Firewall rules**

Make sure that your device allows incoming connections from your **GoodAccess Gateway private subnet** on the following ports:

* **UDP 500**
* **UDP 4500**
{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **Cisco:** Go to **VPN > Site-to-Site > Status > VPN Status**.
{% endhint %}
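
A pre-flight check for the values entered in Steps 1 to 3, as an added example (not part of GoodAccess or Cisco tooling). It generates a Shared Secret, converts the CIDR subnets from Step 1 into the IP Address and Subnet Mask pair that Step 3 asks for, and lists any Phase 1 or Phase 2 setting that differs from the Default preset. The dictionary keys, function names, sample subnets and default secret length are assumptions made for this example.

```python
import ipaddress
import secrets
import string

# GoodAccess "Default preset" from Step 1; the key names are made up for this example.
GOODACCESS_PRESET = {
    "ike_version": "IKEv2",
    "p1_encryption": "aes256", "p1_integrity": "sha256",
    "p1_dh_group": 16, "p1_lifetime_s": 8 * 3600,   # 28800 seconds
    "p2_encryption": "aes256", "p2_integrity": "sha256",
    "p2_dh_group": 16, "p2_lifetime_s": 1 * 3600,   # 3600 seconds
}

def new_shared_secret(length=30):
    """Random alphanumeric Shared Secret from the OS CSPRNG.
    The default length is an assumption; check what your device accepts."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def cidr_to_cisco_fields(cidr):
    """Turn a Step 1 CIDR subnet into the Step 3 (IP Address, Subnet Mask) pair.
    strict=True rejects a host address such as 192.168.10.5/24."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.netmask)

def profile_mismatches(cisco_profile, expected=GOODACCESS_PRESET):
    """Names of settings whose Cisco value differs from the GoodAccess side."""
    return sorted(k for k, v in expected.items() if cisco_profile.get(k) != v)

def subnets_overlap(local_cidr, remote_cidr):
    """True if the branch subnet and the gateway subnet share addresses."""
    return ipaddress.ip_network(local_cidr).overlaps(ipaddress.ip_network(remote_cidr))

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    local, remote = "192.168.10.0/24", "10.99.0.0/24"
    cisco = dict(GOODACCESS_PRESET, p1_dh_group=14, p1_lifetime_s=86400)
    print("Shared Secret:", new_shared_secret())
    print("Local group:", cidr_to_cisco_fields(local))
    print("Remote group:", cidr_to_cisco_fields(remote))
    print("Overlap:", subnets_overlap(local, remote))
    print("Mismatched settings:", profile_mismatches(cisco))
```
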

## Step 4 (optional) - Enabling DPD

Switch to **Advanced Setup** and **enable DPD (Dead Peer Detection)**.

Click **Apply** to confirm your settings.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Fkh5OwiY79g0LlWRTlZtv%2FBranch%20Connector%20guides%20-%20Cisco_5.PNG?alt=media&#x26;token=04a81d12-397e-47c4-b512-239273e8d262" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to enabling Dead Peer Detection (DPD) for a site-to-site connection."><figcaption><p>Setting up DPD (Dead Peer Detection)</p></figcaption></figure>

## Step 5 (optional) - Saving the configuration

Click on the **Red floppy disk** icon to access **Configuration Management**, and click on **Apply**.

{% hint style="info" %}
Saving the configuration ensures that your IPsec configuration is not lost if the router reboots or loses power.
{% endhint %}

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F8JFlGvKBytp944sUtTgQ%2FBranch%20Connector%20guides%20-%20Cisco_6.PNG?alt=media&#x26;token=4ef4ef3a-b393-4f1c-8181-3a0d6318f5f0" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to saving the configuration."><figcaption><p>Saving the configuration</p></figcaption></figure>
