Network technologies and trends

Dec 28 2015   4:12AM GMT

How to configure Site-to-Site IPSec VPN on Cisco Routers? – Series 2

Yasir Irfan

Tags:
ACL
Cisco
CRYPTO
IPsec
VPN

In my previous post we talked briefly about IPSec. We will be using the topology below for our setup.

Site to Site IPSEC VPN

The whole topology was built using Cisco VIRL. In this example we will build a Site-to-Site IPSec VPN between routers R1 and R2 and allow communication between the R1 LAN subnet 192.168.1.0 and the R2 LAN subnet 10.10.2.0.

Before starting, make sure you have reachability between the peer routers, i.e. you can ping the R2 WAN IP 2.2.2.2 from R1 and vice versa.

Site-to-Site VPN1

Step 1: Define the interesting traffic (the traffic you want encrypted as it crosses the public network) using an ACL.

R1
ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255

R2
ip access-list extended VPN-ACL
 permit ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 2: Configure NAT exemption. (If you are using NAT on the routers for internet access this step is a must; if you are not using NAT, skip this step and proceed to step 4.) We use an ACL to exclude the VPN traffic passing through the tunnel from Site 1 to Site 2 from being translated.

R1
ip access-list extended NO-NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

R2
ip access-list extended NO-NAT-ACL
 deny   ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.2.0 0.0.0.255 any

Step 3: Configure NAT on both routers and enable it on the interfaces (use this step only if step 2 was configured; otherwise proceed to step 4).

R1
ip nat inside source list NO-NAT-ACL interface GigabitEthernet0/1 overload
interface GigabitEthernet0/1
 ip nat outside
interface GigabitEthernet0/2
 ip nat inside

R2
ip nat inside source list NO-NAT-ACL interface GigabitEthernet0/1 overload
interface GigabitEthernet0/1
 ip nat outside
interface GigabitEthernet0/2
 ip nat inside

Step 4: Configure Phase 1 (ISAKMP) of IPSec so that a secure tunnel is established between R1 and R2. We will be using the following parameters for Phase 1:

Encryption: 3DES (DES and AES can also be used)
Hash: MD5 (SHA can also be used)
Pre-shared key: itke
Group: Diffie-Hellman group 2 (other options are also available)

Site-to-Site VPN2

R1
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 exit
crypto isakmp key itke address 2.2.2.1

R2
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 exit
crypto isakmp key itke address 1.1.1.1

Step 5: Let's configure Phase 2 (IPSec); in this phase the IPSec security parameters are negotiated.

R1
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
 exit
crypto map MYVPN 10 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set MYSET
 match address VPN-ACL
 exit
interface gi 0/1
 crypto map MYVPN

R2
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
 exit
crypto map MYVPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYSET
 match address VPN-ACL
 exit
interface gi 0/1
 crypto map MYVPN
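The crypto ACLs, the NAT-exemption deny entries and the pre-shared key addresses configured above have to agree on both routers, and a typo in any of them is a common reason the SA never comes up. The following Python script is an added example, not part of the original post, that reads both configs as plain text and flags those mismatches; the sample configs are the post's own lines, and only the network/wildcard ACE form is parsed.

```python
import re

# Constructed sample input: the R1/R2 lines from this post that must agree ("itke" is the post's example PSK).
R1_CFG = """ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255
ip access-list extended NO-NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
crypto isakmp key itke address 2.2.2.1
crypto map MYVPN 10 ipsec-isakmp
 set peer 2.2.2.1
"""
R2_CFG = """ip access-list extended VPN-ACL
 permit ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended NO-NAT-ACL
 deny   ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.2.0 0.0.0.255 any
crypto isakmp key itke address 1.1.1.1
crypto map MYVPN 10 ipsec-isakmp
 set peer 1.1.1.1
"""
ACE = re.compile(r"^\s*(permit|deny)\s+ip\s+(\S+ \S+)\s+(\S+ \S+|any)", re.M)
KEY = re.compile(r"^crypto isakmp key (\S+) address (\S+)", re.M)
PEER = re.compile(r"^\s*set peer (\S+)", re.M)

def acl_entries(cfg, name):
    """(action, src, dst) tuples of one extended ACL; network/wildcard form only."""
    m = re.search(rf"^ip access-list extended {re.escape(name)}\n((?: .*\n)*)", cfg, re.M)
    return ACE.findall(m.group(1)) if m else []

def check_pair(r1, r2):
    """Return human-readable mismatches between the two sides; [] means consistent."""
    problems, keys = [], []
    v1, v2 = acl_entries(r1, "VPN-ACL"), acl_entries(r2, "VPN-ACL")
    # Crypto ACLs must be exact mirror images or the Phase 2 proxy identities will not match.
    if {(s, d) for _, s, d in v1} != {(d, s) for _, s, d in v2}:
        problems.append("VPN-ACL on R1 is not the mirror image of VPN-ACL on R2")
    for tag, cfg, vpn in (("R1", r1, v1), ("R2", r2, v2)):
        # Every VPN flow needs a deny in NO-NAT-ACL, otherwise it is translated before encryption.
        denied = {(s, d) for a, s, d in acl_entries(cfg, "NO-NAT-ACL") if a == "deny"}
        missing = {(s, d) for _, s, d in vpn} - denied
        if missing:
            problems.append(f"{tag}: VPN flows not exempted from NAT: {sorted(missing)}")
        key, peer = KEY.search(cfg), PEER.search(cfg)  # PSK must be bound to the crypto-map peer
        if not key or not peer or key.group(2) != peer.group(1):
            problems.append(f"{tag}: 'crypto isakmp key ... address' does not match 'set peer'")
        keys.append(key.group(1) if key else None)
    if keys[0] != keys[1]:  # Phase 1 authentication fails if the key strings differ
        problems.append("pre-shared keys differ between R1 and R2")
    return problems
```

Run check_pair() on the two running-configs (for example saved from "show running-config") before troubleshooting the SA; an empty list means the three cross-checks pass.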

By following the above steps one can configure a Site-to-Site IPSec VPN. Now let's verify whether the IPSec tunnel is established between Site 1 and Site 2.

The most important command to verify Security Association establishment between the two routers is “show crypto isakmp sa”.

Site-to-Site VPN 3

We can see from the above output that the Security Association is not established. Why is this so?

Unless traffic is initiated from one of the sites, the SA will never come up. Let's try to ping the Site 1 IP 192.168.1.1 from R2, sourcing the ping from its LAN network.

Site-to-Site VPN3

After initiating the traffic we can see the SA is established. The state QM_IDLE and status ACTIVE are the important parameters; these two confirm that the IPSec tunnel is established successfully.

One more verification command, “show crypto ipsec sa”, reports whether the data transmitted over the tunnel is being encrypted and decrypted.

Site-to-Site VPN4

The above output confirms that both encryption and decryption are occurring over the tunnel and our traffic is protected over the internet. If someone wants the VIRL topology they can ping me and I will send the VIRL topology file by email.
