How to configure Site-Site IPSec VPN in Cisco Routers (IOS)

A Virtual Private Network (VPN) carries private traffic over a shared infrastructure such as the Internet, either securely connecting two networks to each other (site-to-site) or connecting a remote user to the corporate network (remote access). This page covers the site-to-site case.

Here is how to configure a site-to-site IPsec VPN with pre-shared key authentication between two Cisco routers running Cisco IOS.

Let's use a HQ-Branch office network setup with the following:

Authentication Method: Pre-Shared Key

Encryption Algorithm: 3DES

Hash Algorithm: SHA-1 (hash sha)

These are the parameters of the original setup. 3DES, SHA-1 and DH group 2 are all considered weak today; on current IOS, and wherever both peers support it, prefer AES-256 (encryption aes 256), SHA-256 (hash sha256) and DH group 14 or higher. The procedure is identical, only the keywords change.

HQ Router External IP: 172.10.10.100

(the address the Branch router uses as its peer)

HQ Internal Network: 172.11.1.0/24

Branch Router External IP: 10.1.1.100

(the address the HQ router uses as its peer)

Branch Internal Network: 10.11.2.0/24

Configuring IKE Policies

Create an IKE Policy

From global configuration mode, create a new IKE (ISAKMP) policy. The number is the policy's priority; when the peers negotiate, lower-numbered policies are tried first.

VPN-HQ(config)# crypto isakmp policy 1

Set the Keep-Alive & Retry intervals

IKE keepalives (Dead Peer Detection) are disabled by default. To enable them, set the keepalive interval and, optionally, the retry interval used once a keepalive goes unanswered; the retry interval defaults to 2 seconds if you omit it, and the keepalive interval cannot be lower than 10 seconds. This is a global configuration command, not part of the policy, so it is issued from global configuration mode. Skip this step if you do not want keepalives.

VPN-HQ(config)# crypto isakmp keepalive 15 3

Specify the Encryption Algorithm

I'm using 3DES encryption method here

VPN-HQ(config-isakmp)# encryption 3des

Specify the Hash Algorithm

I'm using SHA-1 (the sha keyword) for the IKE integrity hash here

VPN-HQ(config-isakmp)# hash sha

Set the Authentication Method

We are using Pre-shared key here for Authentication

VPN-HQ(config-isakmp)# authentication pre-share

Set the Diffie-Hellman Group Identifier

We are using DH group 2 (1024-bit MODP)

VPN-HQ(config-isakmp)# group 2

Specify the IKE SA lifetime (seconds)

Set the lifetime of the IKE (phase 1) Security Association in seconds. I'll set it to 24 hours (86400 seconds) here, which is also the IOS default.

VPN-HQ(config-isakmp)# lifetime 86400

Set Pre-shared Key

The authentication method we use here is the pre-shared key, so we now configure the key that both sides agreed on in advance. Exchange it out of band (not by e-mail; a phone call or another separate channel), and note that IOS keeps it in the running configuration in clear text unless type 6 encryption is enabled (key config-key password-encrypt together with password encryption aes). I'll use the simple key "0urVpN" for illustration; on a production system use a long, random key. The command is issued from global configuration mode.

VPN-HQ(config)# crypto isakmp key 0urVpN address 10.1.1.100

where 10.1.1.100 is the peer router's IP address and "0urVpN" is the pre-shared key.

Define Transformation Set

We create a transform set named 3DES-SHA-HMAC that uses ESP with 3DES for encryption (esp-3des) and HMAC-SHA-1 for integrity (esp-sha-hmac). The mode defaults to tunnel, which is what a site-to-site VPN needs. The IPsec (phase 2) algorithms need not match the IKE policy, but both peers must have a matching transform set.

VPN-HQ(config)# crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac

VPN-HQ(cfg-crypto-trans)# exit

Setup a Crypto ACL

This ACL defines the protected ("interesting") traffic that is sent through the VPN tunnel; customize it to your organisation's needs. Two points matter here. First, a numbered ACL is created with access-list, not ip access-list (that form is for named ACLs). Second, the wildcard mask is the inverse of the subnet mask, so a /24 network needs 0.0.0.255; a wildcard of 0.0.0.0 would match only the single host 172.11.1.0 and nothing else, and the tunnel would never come up. If this router also performs NAT, exempt the HQ-to-Branch traffic from translation, otherwise the source addresses are rewritten before the crypto map sees them and this ACL will not match.

VPN-HQ(config)# access-list 101 permit ip 172.11.1.0 0.0.0.255 10.11.2.0 0.0.0.255

Create an IPSec Map

Create an IPSec Crypto Map and assign it a Sequence number

VPN-HQ(config)# crypto map HQ-BR1-MAP 2 ipsec-isakmp

where 2 is the sequence number and HQ-BR1-MAP is the name of the map. Only one crypto map can be applied to an interface, so additional peers on the same interface are added as further sequence numbers of the same map.

Set the Network traffic to be protected

Here we use the extended ACL created earlier to define the traffic that is protected and passed through the tunnel.

VPN-HQ(config-crypto-map)# match address 101

where 101 is the Extended ACL

Set the Peer Address

VPN-HQ(config-crypto-map)# set peer 10.1.1.100

Set Transform Set

VPN-HQ(config-crypto-map)# set transform-set 3DES-SHA-HMAC

Set Perfect Forward Secrecy

With PFS, each IPsec SA rekey performs a fresh Diffie-Hellman exchange, so compromising one key does not expose earlier or later SAs. Both peers must agree on the group.

VPN-HQ(config-crypto-map)# set pfs group2

Apply Crypto Map to the external Interface

VPN-HQ(config)# int fa0/0

VPN-HQ(config-if)# crypto map HQ-BR1-MAP

Allow inbound IPsec traffic from the Peer on the external interface

If the external interface carries an inbound ACL, it must permit IKE (UDP 500, keyword isakmp), NAT-Traversal (UDP 4500, keyword non500-isakmp, needed whenever a NAT device sits between the peers) and ESP (IP protocol 50) from the peer. Numbered ACLs are created with access-list, and an ACL ends with an implicit deny, so add these entries to the interface's existing ACL rather than replacing it with one that permits only the VPN.

VPN-HQ(config)# access-list 102 permit udp host 10.1.1.100 any eq isakmp

VPN-HQ(config)# access-list 102 permit udp host 10.1.1.100 any eq non500-isakmp

VPN-HQ(config)# access-list 102 permit esp host 10.1.1.100 any

VPN-HQ(config)# int fa0/0

VPN-HQ(config-if)# ip access-group 102 in

That completes the configuration on the Cisco router at the HQ. Repeat the procedure on the Branch router, changing only:

1. The peer IP (172.10.10.100) in the pre-shared key and set peer commands; the key itself must be identical on both sides.

2. The crypto ACL, which must be the exact mirror image of the HQ one (source 10.11.2.0 0.0.0.255, destination 172.11.1.0 0.0.0.255); a non-mirrored ACL fails phase 2 with a proxy identity mismatch.

3. The inbound ACL, which permits traffic from 172.10.10.100, and the name of the external interface if it differs.
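The steps above are easy to get wrong in exactly the places the comments below complain about: a hand-typed wildcard mask, or a crypto ACL that is not the mirror of its peer. As an added example, not code from the original post, the following Python script renders the complete IOS configuration for both routers from a single definition, deriving the wildcard masks from the CIDR prefixes and mirroring the crypto ACL and peer addresses automatically. It uses the post's addresses, names and 3DES/SHA-1/group 2 policy; the Branch hostname (VPN-BR1), the Branch external interface name, the keepalive values and the inbound ACL's use of the local WAN address as destination are assumptions, and the is_mirror helper is mine, for auditing an existing pair of configs.

```python
"""Render mirrored Cisco IOS site-to-site IPsec configs for two peers.

Added example, not code from the original post. Both routers are rendered
from one definition so peer addresses, pre-shared key, transform set and
crypto ACLs cannot drift apart, and ACL wildcard masks are computed from
the CIDR prefix instead of being typed by hand.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    hostname: str  # router hostname
    tag: str       # short label used in the crypto map name
    wan_ip: str    # peer-facing address (the other side's "set peer")
    wan_if: str    # interface the crypto map is applied to
    lan: str       # protected network in CIDR notation


@dataclass(frozen=True)
class Policy:
    psk: str
    encryption: str = "3des"  # post's choice; "aes 256" is the current norm
    hash: str = "sha"         # "sha256" where both peers support it
    group: int = 2            # DH group; 14 or higher preferred
    lifetime: int = 86400     # IKE SA lifetime, seconds (IOS default)
    pfs_group: int = 2
    keepalive: int = 15       # DPD interval, seconds (assumed value)
    retry: int = 3            # DPD retry interval, seconds (assumed value)


# IKE policy keyword -> ESP transform keyword
ESP_CIPHER = {"3des": "esp-3des", "aes": "esp-aes", "aes 256": "esp-aes 256"}
ESP_HASH = {"sha": "esp-sha-hmac", "sha256": "esp-sha256-hmac"}


def wildcard(network: str) -> str:
    """'172.11.1.0/24' -> '172.11.1.0 0.0.0.255' (IOS address + wildcard).

    strict=True rejects '172.11.1.5/24', so a typo cannot silently turn a
    network entry into one that matches nothing.
    """
    net = ipaddress.ip_network(network, strict=True)
    return f"{net.network_address} {net.hostmask}"


def crypto_acl(number: int, local: str, remote: str) -> str:
    """One numbered extended ACL entry defining the protected traffic."""
    return f"access-list {number} permit ip {wildcard(local)} {wildcard(remote)}"


def is_mirror(local_acl: str, remote_acl: str) -> bool:
    """True if remote_acl is the exact mirror image of local_acl.

    Non-mirrored crypto ACLs are the usual cause of phase 2 proxy identity
    mismatches, so this is worth running against existing configs.
    """
    a, b = local_acl.split(), remote_acl.split()
    if len(a) != 8 or len(b) != 8 or a[2:4] != b[2:4]:
        return False
    return a[4:6] == b[6:8] and a[6:8] == b[4:6]


def render(local: Site, remote: Site, pol: Policy,
           crypto_acl_no: int = 101, inbound_acl_no: int = 102) -> str:
    """Return the IOS configuration for `local`, peering with `remote`."""
    ts_name = f"{pol.encryption.replace(' ', '').upper()}-{pol.hash.upper()}-HMAC"
    map_name = f"{local.tag}-{remote.tag}-MAP"
    lines = [
        f"hostname {local.hostname}",
        "!",
        "crypto isakmp policy 1",
        f" encryption {pol.encryption}",
        f" hash {pol.hash}",
        " authentication pre-share",
        f" group {pol.group}",
        f" lifetime {pol.lifetime}",
        f"crypto isakmp keepalive {pol.keepalive} {pol.retry}",
        f"crypto isakmp key {pol.psk} address {remote.wan_ip}",
        "!",
        f"crypto ipsec transform-set {ts_name} "
        f"{ESP_CIPHER[pol.encryption]} {ESP_HASH[pol.hash]}",
        "!",
        crypto_acl(crypto_acl_no, local.lan, remote.lan),
        "!",
        f"crypto map {map_name} 2 ipsec-isakmp",
        f" match address {crypto_acl_no}",
        f" set peer {remote.wan_ip}",
        f" set transform-set {ts_name}",
        f" set pfs group{pol.pfs_group}",
        "!",
        f"interface {local.wan_if}",
        f" crypto map {map_name}",
        f" ip access-group {inbound_acl_no} in",
        "!",
        # Peer-only inbound filter: IKE, NAT-T and ESP. In practice merge these
        # into the existing interface ACL, since an ACL ends with implicit deny.
        f"access-list {inbound_acl_no} permit udp host {remote.wan_ip} host {local.wan_ip} eq isakmp",
        f"access-list {inbound_acl_no} permit udp host {remote.wan_ip} host {local.wan_ip} eq non500-isakmp",
        f"access-list {inbound_acl_no} permit esp host {remote.wan_ip} host {local.wan_ip}",
    ]
    return "\n".join(lines) + "\n"


# Addresses and names from the post; Branch hostname and interface are assumed.
HQ = Site("VPN-HQ", "HQ", "172.10.10.100", "FastEthernet0/0", "172.11.1.0/24")
BRANCH = Site("VPN-BR1", "BR1", "10.1.1.100", "FastEthernet0/0", "10.11.2.0/24")
POLICY = Policy(psk="0urVpN")  # use a long random secret in production


def build_pair() -> tuple:
    """Return (hq_config, branch_config) rendered from the same definitions."""
    return render(HQ, BRANCH, POLICY), render(BRANCH, HQ, POLICY)


if __name__ == "__main__":
    for cfg in build_pair():
        print(cfg)
```

Passing Policy(psk=..., encryption="aes 256", hash="sha256", group=14, pfs_group=14) renders the stronger variant with no other change, and the generated crypto ACLs satisfy is_mirror by construction; the helper is there for checking configs you did not generate.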

To verify the configuration, use the following show commands. They only confirm what is configured; to confirm that the tunnel actually comes up, send traffic that matches the crypto ACL (for example a ping from a host in 172.11.1.0/24 to a host in 10.11.2.0/24, since the tunnel is only negotiated when interesting traffic arrives), then check show crypto isakmp sa (a phase 1 SA in state QM_IDLE means IKE succeeded) and show crypto ipsec sa (the encaps and decaps packet counters should increase).

Display Crypto IKE Policy

VPN-HQ# show crypto isakmp policy

Display Crypto Transform Set

VPN-HQ# show crypto ipsec transform-set

Display Crypto Map entries

VPN-HQ# show crypto map

Comments

7 responses to “How to configure Site-Site IPSec VPN in Cisco Routers (IOS)”

  1. Mahesh More

    This is a very good note on building a VPN. Very easy explanation.

  2. Waqas

    Thanks man!!

  3. Waqas

    What IOS do I require to make this configuration possible?

  4. mazi

    Excellent. Easy to understand for a first-timer like me. Thank you.

  5. doug

    Your wildcard mask in your ACL is wrong. All traffic will be denied.
    It should be 0.0.0.255, otherwise your ACL will not work.

  6. smooth

    Setup a Crypto ACL

    This ACL defines the protected traffic that passes through the VPN tunnel. Customize the ACL as per your organisation needs.

    VPN-HQ(config)# ip access-list 101 permit ip 172.11.1.0 0.0.0.0 10.11.2.0 0.0.0.0

    Is the above access-list statement right? Packet Tracer is not accepting this.

  7. jude

    The problem is the access-list: the wildcard of 0.0.0.0 is expecting an IP address of 172.11.1.0.
    NOTE: zeros mean "I care" while ones mean "I do not care" in an access-list wildcard.
