In this tutorial I am going to show you how to configure a site-to-site VPN on two IOS routers. In this example I have used 3750 routers in an emulated environment.
VPN stands for Virtual Private Network: it extends your corporate network across the Internet in a secure fashion. There are different kinds of VPN, and the two main types are as follows:
Site-to-Site VPN
Remote Access VPN
Site-to-Site VPN is mainly used for connectivity between the HQ and branches. Remote Access VPN is mainly used by mobile users: client software is installed and proper credentials are provided so that they can connect to the corporate network from anywhere and access whatever they are authorized for.
The following diagram shows the topology and the addressing information we start from.
The following steps need to be done on both routers in order to make them communicate securely over the service provider network.
Step 1: IKE Phase 1 (ISAKMP policy)
Step 2: IKE Phase 1 pre-shared key
Step 3: IKE Phase 2 (transform set)
Step 4: Interesting traffic (the traffic that will be encrypted; in our case the networks behind our routers)
Step 5: Crypto map, which combines
a) Interesting traffic
b) Transform set
c) Peer address
Step 6: Apply the crypto map to the interface
Note: Before starting the core VPN configuration, the routers have already been configured with IP addresses, and default routes are configured on both HQ and Branch. So let's test connectivity first. This matters more with VPN than with anything else, because a VPN has a lot of pieces that all need to be in the right place, so verifying along the way is best practice.
HQ
----
HQ#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/48 ms
It's reaching the ISP router. Great, now we will verify the Branch side.
Branch#ping 10.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/36 ms
Branch is also reaching its ISP.
Below are the default routes configured on the HQ and Branch routers.
HQ#show running-config | include ip route
ip route 0.0.0.0 0.0.0.0 10.1.1.2
Branch#show running-config | include ip route
ip route 0.0.0.0 0.0.0.0 10.1.1.5
One last step is to agree on the parameters that will be used on both sides. In our case I agreed on the following attributes:
Attribute           | HQ                               | Branch                           |
Authentication      | Pre-shared key                   | Pre-shared key                   |
Encryption          | 3DES                             | 3DES                             |
Hash                | MD5                              | MD5                              |
DH Group            | 2                                | 2                                |
Transform Set       | esp-3des esp-md5-hmac            | esp-3des esp-md5-hmac            |
Interesting Traffic | 192.168.1.0/24 -> 192.168.2.0/24 | 192.168.2.0/24 -> 192.168.1.0/24 |
HQ
!
hostname HQ
! IKE Phase 1 (ISAKMP policy)
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
! IKE Phase 1 pre-shared key, bound to the Branch peer address
crypto isakmp key cisco123 address 10.1.1.6
!
! IKE Phase 2 (IPsec transform set)
crypto ipsec transform-set BRANCH esp-3des esp-md5-hmac
! Crypto map combining the peer, the transform set and the interesting traffic
crypto map MYMAP 1 ipsec-isakmp
set peer 10.1.1.6
set transform-set BRANCH
match address 101
! Apply the crypto map to the outgoing (WAN) interface
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.252
crypto map MYMAP
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
! Interesting traffic: the traffic that will be encrypted
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
end
BRANCH
!
hostname BRANCH
! IKE Phase 1 (ISAKMP policy)
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
! IKE Phase 1 pre-shared key, bound to the HQ peer address
crypto isakmp key cisco123 address 10.1.1.1
!
! IKE Phase 2 (IPsec transform set)
crypto ipsec transform-set HQ esp-3des esp-md5-hmac
! Crypto map combining the peer, the transform set and the interesting traffic
crypto map MYMAP 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set HQ
match address 101
! Apply the crypto map to the outgoing (WAN) interface
interface FastEthernet0/0
ip address 10.1.1.6 255.255.255.252
crypto map MYMAP
!
ip route 0.0.0.0 0.0.0.0 10.1.1.5
! Interesting traffic: the traffic that will be encrypted
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
end
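Most site-to-site failures come from the two sides not being exact mirrors of each other: a peer address that does not match the other router's WAN address, a pre-shared key bound to the wrong address, a crypto ACL that is not the reverse of its counterpart, or a crypto map that was never applied to the interface. As an added example (not part of the original tutorial and not Cisco code), here is a small Python checker that parses both configurations and reports such mismatches before you try to bring the tunnel up. The embedded HQ_CONFIG and BRANCH_CONFIG are constructed copies of the configurations above; BRANCH_CONFIG_BAD is a constructed faulty variant in which the branch WAN address was mistyped as the HQ address. The checker compares whatever attributes the two sides carry; it does not grade their strength (3DES, MD5 and DH group 2 are the tutorial's choices and are deprecated today).

```python
# Constructed input: the HQ and BRANCH crypto configuration from the tutorial.
HQ_CONFIG = """hostname HQ
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.1.1.6
crypto ipsec transform-set BRANCH esp-3des esp-md5-hmac
crypto map MYMAP 1 ipsec-isakmp
 set peer 10.1.1.6
 set transform-set BRANCH
 match address 101
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.252
 crypto map MYMAP
ip route 0.0.0.0 0.0.0.0 10.1.1.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
end"""

BRANCH_CONFIG = """hostname BRANCH
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.1.1.1
crypto ipsec transform-set HQ esp-3des esp-md5-hmac
crypto map MYMAP 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set HQ
 match address 101
interface FastEthernet0/0
 ip address 10.1.1.6 255.255.255.252
 crypto map MYMAP
ip route 0.0.0.0 0.0.0.0 10.1.1.5
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
end"""

# Constructed faulty variant: branch WAN address mistyped as the HQ address.
BRANCH_CONFIG_BAD = BRANCH_CONFIG.replace("ip address 10.1.1.6", "ip address 10.1.1.1")


def parse_config(text):
    """Extract the crypto-relevant settings from an IOS running-config."""
    cfg = {"hostname": None, "isakmp": {}, "psk": None, "psk_peer": None, "transform": {},
           "map": {}, "intf_ip": None, "map_on_intf": None, "acl": {}}
    section = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "hostname":
            cfg["hostname"] = tok[1]
        elif tok[:3] == ["crypto", "isakmp", "policy"]:
            section = "isakmp"
        elif tok[:3] == ["crypto", "isakmp", "key"]:
            cfg["psk"], cfg["psk_peer"], section = tok[3], tok[5], None
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][tok[3]], section = frozenset(tok[4:]), None
        elif tok[:2] == ["crypto", "map"] and len(tok) > 3:
            cfg["map"]["name"], section = tok[2], "map"
        elif tok[0] == "interface":
            section = "intf"
        elif tok[0] == "access-list":  # access-list <id> permit ip <src> <wc> <dst> <wc>
            cfg["acl"][tok[1]], section = tuple(tok[4:8]), None
        elif section == "isakmp":
            cfg["isakmp"][tok[0]] = " ".join(tok[1:])
        elif section == "map" and tok[0] in ("set", "match"):
            cfg["map"][tok[1]] = tok[2]  # peer / transform-set / address
        elif section == "intf" and tok[:2] == ["ip", "address"]:
            cfg["intf_ip"] = tok[2]
        elif section == "intf" and tok[:2] == ["crypto", "map"]:
            cfg["map_on_intf"] = tok[2]
        else:
            section = None  # ip route, end, anything not in a crypto section
    return cfg


def check_pair(a, b):
    """List mismatches between two peers' crypto configs; empty means consistent."""
    problems = []
    for me, other in ((a, b), (b, a)):
        if me["map"].get("peer") != other["intf_ip"]:
            problems.append(f"{me['hostname']}: set peer {me['map'].get('peer')} is not {other['hostname']}'s crypto interface {other['intf_ip']}")
        if me["psk_peer"] != other["intf_ip"]:
            problems.append(f"{me['hostname']}: isakmp key bound to {me['psk_peer']}, not {other['intf_ip']}")
        if me["map_on_intf"] != me["map"].get("name"):
            problems.append(f"{me['hostname']}: crypto map not applied to the crypto interface")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["isakmp"] != b["isakmp"]:
        problems.append(f"ISAKMP policy differs: {a['isakmp']} vs {b['isakmp']}")
    ts_a, ts_b = (c["transform"].get(c["map"].get("transform-set")) for c in (a, b))
    if ts_a != ts_b:
        problems.append(f"transform sets differ: {ts_a} vs {ts_b}")
    acl_a, acl_b = (c["acl"].get(c["map"].get("address")) for c in (a, b))
    # Crypto ACLs must be mirror images: A's source/destination is B's destination/source.
    if acl_a is None or acl_b is None or acl_a != acl_b[2:] + acl_b[:2]:
        problems.append(f"crypto ACLs are not mirror images: {acl_a} vs {acl_b}")
    return problems
```

Running check_pair(parse_config(HQ_CONFIG), parse_config(BRANCH_CONFIG)) returns an empty list, while the faulty variant produces two findings on the HQ side (its set peer and its pre-shared key both point at an address the branch no longer has). The parser is deliberately narrow: it understands only the commands used in this tutorial, so a production version would have to cover IKEv2, multiple crypto map entries and named ACLs.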
Verification
HQ#show crypto map
Crypto Map "MYMAP" 1 ipsec-isakmp
Peer = 10.1.1.6
Extended IP access list 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Current peer: 10.1.1.6
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
BRANCH,
}
Interfaces using crypto map MYMAP:
FastEthernet0/0
The same command on the Branch router:
Branch#show crypto map
Crypto Map "MYMAP" 1 ipsec-isakmp
Peer = 10.1.1.1
Extended IP access list 101
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 10.1.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
BRANCH,
}
Interfaces using crypto map MYMAP:
FastEthernet0/0
Now try to ping from HQ to Branch using the loopback IPs, which we use to simulate the LANs.
HQ#ping 192.168.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/84/104 ms
Let's try now from Branch.
Branch#ping 192.168.1.1 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/72/84 ms
The final verification command shows that a secure session has indeed been established: the ISAKMP SA is in the QM_IDLE state on both sides.
HQ#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.1.1.6 10.1.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
Branch#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.1.1.6 10.1.1.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
To see how many packets are being sent securely, execute the following command:
HQ#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MYMAP, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 10.1.1.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.6
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x8155622(135616034)
inbound esp sas:
spi: 0xD6EC03BE(3605791678)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4476276/3114)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8155622(135616034)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4476276/3114)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Branch#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MYMAP, local addr 10.1.1.6
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 10.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.6, remote crypto endpt.: 10.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD6EC03BE(3605791678)
inbound esp sas:
spi: 0x8155622(135616034)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4444279/3095)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD6EC03BE(3605791678)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: MYMAP
sa timing: remaining key lifetime (k/sec): (4444279/3095)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Branch#
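Reading these two outputs by eye works for one tunnel; for a handful of sites it is worth scripting the same checks. As an added example (not part of the original post and not Cisco code), the following Python parses "show crypto isakmp sa" and two snapshots of "show crypto ipsec sa" and returns a verdict: Phase 1 is up only if the SA with the expected peer is ACTIVE in QM_IDLE, Phase 2 is up only if both ESP SAs are ACTIVE, and the tunnel is actually carrying traffic only if the encaps and decaps counters advance between the two snapshots. The embedded ISAKMP_SA and IPSEC_SA_T0 strings are constructed samples modelled on the HQ output above, and IPSEC_SA_T1 is a constructed second snapshot taken after five more pings. The single send error in the HQ output is typical: the first packet that triggers IKE negotiation is dropped while the SA comes up, so the check only flags send errors that keep growing.

```python
import re

# Constructed sample output, modelled on the HQ router's "show crypto isakmp sa"
# and "show crypto ipsec sa" from the tutorial (IPsec counters as of snapshot T0).
ISAKMP_SA = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.6        10.1.1.1        QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

IPSEC_SA_T0 = """interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 10.1.1.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 10.1.1.6 port 500
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0xD6EC03BE(3605791678)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0x8155622(135616034)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""
# Constructed snapshot T1: the same output after five more pings crossed the tunnel.
IPSEC_SA_T1 = IPSEC_SA_T0.replace("encaps: 14", "encaps: 19").replace("decaps: 14", "decaps: 19")

ISAKMP_ROW = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+\d+\s+(\S+)")


def parse_isakmp_sa(text):
    """Return one dict per IPv4 ISAKMP SA row: dst, src, state, conn_id, status."""
    rows = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m:
            rows.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                         "conn_id": int(m.group(4)), "status": m.group(5)})
    return rows


def parse_ipsec_sa(text):
    """Return the peer, packet counters and per-direction ESP SA status."""
    info = {"peer": None, "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0, "esp": {}}
    direction = None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"current_peer (\S+)", s):
            info["peer"] = m.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            info[m.group(1)] = int(m.group(2))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(inbound|outbound) esp sas:", s):
            direction = m.group(1)
        elif (m := re.match(r"Status: (\S+)", s)) and direction:
            info["esp"][direction] = m.group(1)
    return info


def assess_tunnel(isakmp_text, ipsec_before, ipsec_after, expected_peer):
    """Return (findings, counter_delta); an empty findings list means the tunnel is healthy."""
    findings = []
    phase1 = [r for r in parse_isakmp_sa(isakmp_text) if expected_peer in (r["dst"], r["src"])]
    # Phase 1 is complete only when the SA with our peer sits in QM_IDLE and is ACTIVE.
    if not any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE" for r in phase1):
        findings.append(f"no ACTIVE QM_IDLE ISAKMP SA with peer {expected_peer}")
    before, after = parse_ipsec_sa(ipsec_before), parse_ipsec_sa(ipsec_after)
    if after["peer"] != expected_peer:
        findings.append(f"IPsec SA peer is {after['peer']}, expected {expected_peer}")
    for d in ("inbound", "outbound"):
        if after["esp"].get(d) != "ACTIVE":
            findings.append(f"{d} ESP SA is not ACTIVE")
    delta = {"encaps": after["encaps"] - before["encaps"], "decaps": after["decaps"] - before["decaps"]}
    # Phase 2 is only proven by traffic: both counters must advance between snapshots.
    if delta["encaps"] <= 0 or delta["decaps"] <= 0:
        findings.append("IPsec packet counters did not advance in both directions")
    # One send error at setup is normal (the packet that triggered IKE is dropped while
    # the SA negotiates); errors that keep growing are not.
    if after["send_errors"] > before["send_errors"]:
        findings.append(f"send errors grew from {before['send_errors']} to {after['send_errors']}")
    return findings, delta
```

assess_tunnel(ISAKMP_SA, IPSEC_SA_T0, IPSEC_SA_T1, "10.1.1.6") returns no findings and a delta of five packets in each direction; feeding the same snapshot twice reports that the counters did not advance, which is exactly what you see when the SAs are up but traffic is being routed around the tunnel or dropped before it.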