IPsec Virtual Private Network (VPN) tunnels facilitate the secure transmission of data, voice, and video between two different sites such as offices and their branches. The VPN tunnel is created over the Internet public network, and the IPsec tunnel mode is used between two dedicated routers, wherein each router acts as one end of a virtual tunnel through a public network.
In this mode, the original IP header that contains the final destination of the packet is fully encrypted using advanced encryption algorithms for security purposes in addition to the packet payload. Thus, the confidentiality of data remains protected even when data is being transferred between two geographically distant sites.
In this article, we will discuss how to set up and configure two Cisco routers to create a permanent secure site-to-site VPN tunnel over the public network by using IP Security (IPsec) protocol.
What You Must Know When Creating IPsec VPN Tunnels While Configuring Cisco Routers
• Internet Security Association and Key Management Protocol (ISAKMP) and IP Security (IPsec) are important for building and encrypting the VPN tunnel.
• Also called Internet Key Exchange (IKE), ISAKMP acts as the negotiation protocol that allows two hosts to agree on how to build an IP Security association. This negotiation includes two phases.
• While Phase 1 creates the first tunnel that later protects ISAKMP negotiation messages, Phase 2 creates the tunnel that protects the data.
• Then, IPsec is used to encrypt the data and provides authentication, encryption, and anti-replay services.
What are the IPsec VPN requirements?
To create the Site-to-Site IPsec VPN Tunnel, you need to follow these two steps:
• Configure ISAKMP (ISAKMP Phase 1)
• Configure IPsec (ISAKMP Phase 2, ACLs, Crypto MAP)
Let’s assume that there are two branches of a small company: Site 1 and Site 2. The routers of both branches connect to the Internet and have a static IP address assigned by their Internet Service Provider (ISP).
While Site 1 is configured with an internal network of 10.10.10.0/24, Site 2 is configured with a network of 20.20.20.0/24. Your goal is to securely connect both LAN networks and facilitate full communication between them seamlessly.
Step 1: Configure ISAKMP (IKE) (Phase 1)
Since IKE exists only to establish a Security Association (SA) for IPsec, it first needs to negotiate an SA relationship with its peers. To begin, you should start working on the Site 1 Router.
To configure an ISAKMP Phase 1 policy, you will need the following commands:
• R1(config)# crypto isakmp policy 1
• R1(config-isakmp)# encr 3des
• R1(config-isakmp)# hash md5
• R1(config-isakmp)# authentication pre-share
• R1(config-isakmp)# group 2
• R1(config-isakmp)# lifetime 86400
Here,
3DES – the encryption method used for Phase 1
MD5 – the hashing algorithm
Pre-share – Pre-shared key as the authentication method
Group 2 – Diffie-Hellman group to be used
86400 – Session key lifetime, in seconds
To define a pre-shared key for authentication with its peer (R2 router), use the following command:
• R1(config)# crypto isakmp key firewallEx address 1.1.1.2
The pre-shared key is set to firewallEx and R2’s public IP address is 1.1.1.2; the same key must be configured on R2 for R1’s address. Every time R1 tries to bring up the VPN tunnel with R2, this key is used to authenticate the peer.
Step 2: Configure IPsec (Phase 2)
To create the extended ACL that defines the interesting traffic (the traffic that must be encrypted), use:
• R1(config)# ip access-list extended VPN-TRAFFIC
• R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
To create the IPsec transform set (the ISAKMP Phase 2 policy, named TS here), use:
• R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
To create Crypto Map, use:
• R1(config)# crypto map CMAP 10 ipsec-isakmp
• R1(config-crypto-map)# set peer 1.1.1.2
• R1(config-crypto-map)# set transform-set TS
• R1(config-crypto-map)# match address VPN-TRAFFIC
To apply the crypto map to the outgoing public interface (Fast Ethernet 0/1) of the router, use:
• R1(config)# interface FastEthernet0/1
• R1(config-if)# crypto map CMAP
Note that only one crypto map can be assigned to an interface. After this, the router prints a message confirming that ISAKMP is on. By now, you have completed the IPsec VPN configuration on the Site 1 router.
Now, you will do the VPN configuration of the Site 2 router. The settings for Router 2 are the same, the only differences being the peer IP address and the access list.
• R2(config)# crypto isakmp policy 1
• R2(config-isakmp)# encr 3des
• R2(config-isakmp)# hash md5
• R2(config-isakmp)# authentication pre-share
• R2(config-isakmp)# group 2
• R2(config-isakmp)# lifetime 86400
• R2(config)# crypto isakmp key firewallEx address 1.1.1.1
• R2(config)# ip access-list extended VPN-TRAFFIC
• R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
• R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
• R2(config)# crypto map CMAP 10 ipsec-isakmp
• R2(config-crypto-map)# set peer 1.1.1.1
• R2(config-crypto-map)# set transform-set TS
• R2(config-crypto-map)# match address VPN-TRAFFIC
• R2(config)# interface FastEthernet0/1
• R2(config-if)# crypto map CMAP
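Because every Phase 1 and Phase 2 parameter on R2 has to mirror R1 (same ISAKMP policy attributes, the same pre-shared key bound to each other's public address, identical transform sets, and crypto ACLs that are exact mirror images), a one-character difference such as a mistyped key silently prevents the tunnel from coming up. The following added example (not code from the original article) parses running-config style text for both routers and reports anything that does not mirror. The configs it checks are constructed from the article's commands; the `ip address` line on FastEthernet0/1 is an assumption, since the article does not show it.

```python
# Added example, not from the article: cross-check both ends of the tunnel.
def sample_config(local_ip, peer_ip, local_net, peer_net, key):
    # Constructed running-config text following the article's commands;
    # the 'ip address' line on FastEthernet0/1 is an assumption.
    return f"""
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key {key} address {peer_ip}
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer {peer_ip}
 set transform-set TS
 match address VPN-TRAFFIC
interface FastEthernet0/1
 ip address {local_ip} 255.255.255.252
 crypto map CMAP
ip access-list extended VPN-TRAFFIC
 permit ip {local_net} 0.0.0.255 {peer_net} 0.0.0.255
"""

def parse_vpn_config(text):
    """Extract only the IKE/IPsec statements the article configures."""
    cfg = {k: {} for k in ("policy", "psk", "transform", "map", "acl", "iface")}
    ctx = (None, None)  # (section kind, section name) that indented lines belong to
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if not raw.startswith(" "):  # a top-level statement opens a new section
            ctx = (None, None)
            if p[:3] == ["crypto", "isakmp", "policy"]:
                ctx, cfg["policy"][p[3]] = ("policy", p[3]), {}
            elif p[:3] == ["crypto", "isakmp", "key"]:
                cfg["psk"][p[5]] = p[3]  # peer address -> pre-shared key
            elif p[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform"][p[3]] = frozenset(p[4:])
            elif p[:2] == ["crypto", "map"]:
                ctx, cfg["map"][p[2]] = ("map", p[2]), {}
            elif p[0] == "interface":
                ctx, cfg["iface"][p[1]] = ("iface", p[1]), {}
            elif p[:2] == ["ip", "access-list"]:
                ctx, cfg["acl"][p[3]] = ("acl", p[3]), []
            continue
        kind, name = ctx
        if kind == "policy":
            cfg["policy"][name][p[0]] = " ".join(p[1:])
        elif kind == "map" and p[0] == "set":
            cfg["map"][name][p[1]] = p[2]
        elif kind == "map" and p[:2] == ["match", "address"]:
            cfg["map"][name]["acl"] = p[2]
        elif kind == "iface" and p[:2] == ["ip", "address"]:
            cfg["iface"][name]["ip"] = p[2]
        elif kind == "iface" and p[:2] == ["crypto", "map"]:
            cfg["iface"][name]["map"] = p[2]
        elif kind == "acl" and p[0] in ("permit", "deny"):
            cfg["acl"][name].append(tuple(p))
    return cfg

def _bound_map(cfg):
    """Address of the interface carrying the crypto map, and that map's body."""
    for iface in cfg["iface"].values():
        if "map" in iface:
            return iface.get("ip"), cfg["map"].get(iface["map"], {})
    return None, {}

def _permitted_flows(cfg, cmap):
    """(proto, src, src-wc, dst, dst-wc) tuples permitted by the map's crypto ACL."""
    return {tuple(e[1:6]) for e in cfg["acl"].get(cmap.get("acl"), []) if e[0] == "permit"}

def check_pair(a, b):
    """Return a list of mismatches between the two routers; empty means they mirror."""
    findings = []
    sig = lambda pol: tuple(pol.get(k) for k in ("encr", "hash", "authentication", "group"))
    # Phase 1: the peers need at least one ISAKMP policy with identical attributes.
    if not {sig(p) for p in a["policy"].values()} & {sig(p) for p in b["policy"].values()}:
        findings.append("no ISAKMP policy with matching encr/hash/authentication/group")
    (a_ip, a_map), (b_ip, b_map) = _bound_map(a), _bound_map(b)
    if not a_map or not b_map:
        return findings + ["crypto map is not applied to an interface on one side"]
    # Phase 2: each side must peer with the other's public address using the same key.
    if a_map.get("peer") != b_ip or b_map.get("peer") != a_ip:
        findings.append("set peer does not match the remote side's interface address")
    if a["psk"].get(b_ip) is None or a["psk"].get(b_ip) != b["psk"].get(a_ip):
        findings.append("pre-shared keys for the peer address differ or are missing")
    ts_a, ts_b = a["transform"].get(a_map.get("transform-set")), b["transform"].get(b_map.get("transform-set"))
    if ts_a is None or ts_a != ts_b:
        findings.append("transform sets differ or are missing")
    # Crypto ACLs must be mirror images: a's src/dst is b's dst/src.
    mirrored = {(proto, d, dw, s, sw) for proto, s, sw, d, dw in _permitted_flows(b, b_map)}
    if _permitted_flows(a, a_map) != mirrored:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings
```

Feed `check_pair` the parsed output of `show running-config` from both routers (or the constructed samples above); an empty list means the two ends agree. Running it with R1's key changed to a near miss such as firewalls reports only the pre-shared key finding, and swapping R2's remote network reports only the ACL finding, which makes the check useful as a pre-change gate before touching production routers.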
Note: When configuring a Site-to-Site VPN tunnel, it is critical to tell the router not to perform NAT on packets destined for the remote VPN site (NAT exemption): a packet that has been translated no longer matches the VPN-TRAFFIC access list and therefore never enters the tunnel. Once the VPN configuration is completed and the VPN tunnel is ready, you need to force one packet that matches the VPN-TRAFFIC access list to traverse the VPN; you can do this by pinging from one router to the other, sourcing the ping from the LAN side so that it matches the access list.
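The NAT exemption works because an IOS access list is evaluated top to bottom and the first matching entry wins, so the entry that denies the site-to-site flow has to come before the catch-all permit. The following added example (not code from the original article) evaluates a NAT access list with Cisco wildcard-mask semantics to show the weak ordering beside the corrected one. The access-list name NAT-TRAFFIC and its entries are constructed; the article itself does not show the NAT configuration.

```python
# Added example, not from the article: first-match evaluation of a NAT access
# list with Cisco wildcard masks.  In IOS such a list is referenced by
# 'ip nat inside source list NAT-TRAFFIC interface FastEthernet0/1 overload';
# the list name and entries below are constructed for illustration.
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: bits set to 1 in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (((a ^ n) & ~w) & 0xFFFFFFFF) == 0


def parse_ace(line):
    """Parse 'permit|deny ip SRC SRC-WC DST DST-WC'; 'any' is accepted on either side."""
    p = line.split()
    action, fields = p[0], p[2:]

    def take():  # consume one address specification from the remaining fields
        if fields[0] == "any":
            fields.pop(0)
            return "0.0.0.0", "255.255.255.255"
        return fields.pop(0), fields.pop(0)

    src = take()
    dst = take()
    return action, src, dst


def would_be_natted(acl_lines, src, dst):
    """First matching entry decides; a list with no match denies, i.e. no translation."""
    for line in acl_lines:
        action, (s, sw), (d, dw) = parse_ace(line)
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


# Weak: every packet leaving 10.10.10.0/24 is translated, including traffic for the
# remote site, so it no longer matches VPN-TRAFFIC and never enters the tunnel.
NAT_ACL_WEAK = ["permit ip 10.10.10.0 0.0.0.255 any"]

# Corrected: deny the site-to-site flow first, then translate everything else.
NAT_ACL_FIXED = [
    "deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255",
    "permit ip 10.10.10.0 0.0.0.255 any",
]
```

With `NAT_ACL_WEAK`, a packet from 10.10.10.5 to 20.20.20.7 is translated and lost to the tunnel; with `NAT_ACL_FIXED` it is exempted while Internet-bound traffic is still translated. Reversing the two entries of the fixed list reproduces the weak behaviour, which is the ordering mistake this check is meant to catch.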