How to Set Up an IPSEC VPN Tunnel Between Cisco Routers

IPsec Virtual Private Network (VPN) tunnels carry data, voice, and video securely between two sites, such as a head office and its branches. The tunnel is built across the public Internet using IPsec tunnel mode between two dedicated routers; each router is one endpoint of the virtual tunnel through the public network.

In tunnel mode, the entire original IP packet, including the inner IP header that carries the real source and destination addresses, is encrypted and wrapped in a new outer IP header addressed to the peer router. Only the two routers' public addresses are visible on the Internet, so the confidentiality of both the payload and the internal addressing is preserved even between geographically distant sites.

In this article, we will discuss how to set up and configure two Cisco routers to create a permanent, secure site-to-site VPN tunnel over the public network using the IP Security (IPsec) protocol suite.

What You Must Know When Creating IPSec VPN Tunnels While Configuring Cisco Routers

Building a secure Site-to-Site IPsec VPN tunnel involves two main protocols: the Internet Security Association and Key Management Protocol (ISAKMP) and IP Security (IPsec). These protocols play crucial roles in establishing and encrypting the VPN tunnel.

ISAKMP, which Cisco IOS treats as synonymous with Internet Key Exchange (IKE), is the negotiation protocol: it lets the two routers authenticate each other and agree on how the IP Security associations will be built. The negotiation runs in two distinct phases.

Phase 1 authenticates the peers and builds the ISAKMP SA, a single bidirectional tunnel whose only job is to protect the Phase 2 negotiation messages. Phase 2 (quick mode) then negotiates the IPsec SAs, one per direction, that protect the actual data. Once those are in place, IPsec (ESP in this configuration) takes over and provides confidentiality, data-origin authentication, and anti-replay protection for the traffic.

Requirements for IPsec VPN

Creating a site-to-site IPsec VPN tunnel comes down to two steps:

  1. Configure ISAKMP (ISAKMP Phase 1)
  2. Configure IPsec (ISAKMP Phase 2: the crypto ACL, the transform set, and the crypto map)

Consider a scenario where two branches of a small company, Site 1 and Site 2, connect to the Internet via static IP addresses assigned by their Internet Service Provider (ISP). Site 1 operates on an internal network of 10.10.10.0/24, while Site 2 uses the network 20.20.20.0/24. (The addresses throughout this article are illustrative placeholders; note that 20.20.20.0/24 and the public addresses used below are not RFC 1918 private space, so substitute your own.) Your goal is to securely connect both LAN networks so hosts on either side can communicate transparently.

Step 1: Configure ISAKMP (IKE) – Phase 1

IKE must first establish its own Security Association (SA) with the peer; only under the protection of that ISAKMP SA are the IPsec SAs negotiated. Begin on the Site 1 router. Use the following commands to configure the ISAKMP Phase 1 policy:

R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400

Here is what each command signifies:

  • encr 3des: the encryption algorithm that protects the Phase 1 (ISAKMP) exchange.
  • hash md5: the hash algorithm used for integrity checking and key derivation in Phase 1.
  • authentication pre-share: the peers authenticate each other with a pre-shared key.
  • group 2: the Diffie-Hellman group (1024-bit MODP) used to derive the session keys.
  • lifetime 86400: the ISAKMP SA lifetime in seconds (24 hours), after which Phase 1 is renegotiated.

Be aware that 3DES, MD5, and DH group 2 appear in many older guides but are now deprecated by Cisco and considered weak; on current IOS releases prefer AES-256 (encr aes 256), SHA-2 (hash sha256), and DH group 14 or higher, with matching Phase 2 transforms (esp-aes 256 and esp-sha256-hmac). Whatever values you choose, the policy must match exactly on both routers or Phase 1 will fail.

Next, define a pre-shared key for authentication with its peer (the R2 router) using this command:

R1(config)# crypto isakmp key firewalls address 1.1.1.2

Whenever R1 negotiates with R2 over the VPN, it presents this key, and R2 must be configured with the identical string bound to R1's address. In this example the shared key is firewalls and R2's public IP address is 1.1.1.2. Treat the key as a secret: in production use a long, random string and do not reuse it across sites.

Step 2: Configure IPsec (Phase 2)

Start with the crypto ACL that defines the traffic to be protected (the "interesting traffic"): packets from the Site 1 LAN to the Site 2 LAN. Note that the masks are wildcard masks (0.0.0.255), not subnet masks. Create the extended ACL with the following commands:

R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255

Next, create the IPsec transform set, which is the Phase 2 policy: ESP with 3DES for encryption and HMAC-MD5 for integrity. It must match the remote side exactly.

R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac

Then build the crypto map, which ties the three pieces together: the remote peer, the transform set to use, and the ACL that selects the traffic:

R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC

Finally, apply the crypto map to the router's public-facing (outside) interface, FastEthernet0/1 in this example. A crypto map has no effect until it is bound to an interface:

R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP

Once the crypto map is applied, IOS logs a message confirming that ISAKMP is ON. The IPsec VPN configuration on the Site 1 router is now complete.

Site 2 Router Configuration

The Site 2 configuration mirrors Site 1: the same Phase 1 policy and transform set, the same pre-shared key bound to R1's public address, a crypto ACL with the source and destination networks swapped, and a crypto map that peers with R1. Configure R2 as follows:

R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key firewalls address 1.1.1.1
R2(config)# ip access-list extended VPN-TRAFFIC
R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TS
R2(config-crypto-map)# match address VPN-TRAFFIC
R2(config)# interface FastEthernet0/1
R2(config-if)# crypto map CMAP

Note: If either router also performs NAT for Internet access, it must be told not to translate traffic destined for the remote LAN. Add a deny entry for the LAN-to-LAN traffic at the top of the NAT access list, ahead of the permit that translates everything else; otherwise the source addresses are rewritten before the crypto map sees the packets, they no longer match the VPN ACL, and the tunnel never comes up. The tunnel is built on demand: once both routers are configured, send traffic that matches the crypto ACL (for example, a ping from a host on 10.10.10.0/24 to a host on 20.20.20.0/24, or an extended ping sourced from the router's LAN interface; a plain ping between the routers' public addresses does not match the ACL) to trigger the negotiation. Then confirm with show crypto isakmp sa, where the SA should be in state QM_IDLE, and show crypto ipsec sa, where the encrypt and decrypt counters should increase.
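Because almost every site-to-site failure comes down to the two routers disagreeing (a Phase 1 value that differs, a transform set that does not match, a crypto ACL that is not an exact mirror, a pre-shared key bound to the wrong address, or NAT translating the VPN traffic first), it is worth checking both configurations against each other before pasting them in. The following Python script is an added example, not part of the original article or of Cisco IOS: it parses IOS-style configuration text for the pieces the article says must agree, reports any mismatch, and also flags the deprecated 3DES/MD5/group 2 choices. The sample R1 text is constructed to match the article's Site 1 configuration; R2 is derived from it by swapping the two LANs and the peer address, exactly as the Site 2 section describes. The NAT-TRAFFIC access list is an assumed name standing in for whatever ACL drives your NAT, added to show the exemption the note above calls for.

```python
"""Cross-check a mirrored pair of Cisco IOS site-to-site IPsec configs."""
import re

# Constructed sample config following the article's R1 (not from a real device).
# NAT-TRAFFIC is an assumed NAT access list showing the exemption the article's note requires.
R1_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key firewalls address 1.1.1.2
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
ip access-list extended NAT-TRAFFIC
 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set TS
 match address VPN-TRAFFIC
"""
# R2 is the mirror image: swap the two LANs and point the key and peer at R1's address.
_SWAP = {"10.10.10.0": "20.20.20.0", "20.20.20.0": "10.10.10.0", "1.1.1.2": "1.1.1.1"}
R2_CONFIG = re.sub("|".join(map(re.escape, _SWAP)), lambda m: _SWAP[m.group()], R1_CONFIG)

# Deprecated IKE/IPsec algorithm choices, flagged by weak_algorithms().
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}

def stanzas(cfg):
    """Group an IOS config into (header, [indented sub-lines]) pairs."""
    out = []
    for line in filter(str.strip, cfg.splitlines()):
        if line.startswith(" "):
            out[-1][1].append(line.strip())
        else:
            out.append((line, []))
    return out

def parse(cfg):
    """Extract the parts of a site-to-site config that must agree with the peer."""
    site = {"policy": {}, "keys": {}, "acls": {}, "transforms": (), "map": {}}
    for header, body in stanzas(cfg):
        w = header.split()
        if header.startswith("crypto isakmp policy"):
            site["policy"].update(e.split(None, 1) for e in body)
        elif header.startswith("crypto isakmp key"):  # ... key <secret> address <peer>
            site["keys"][w[5]] = w[3]
        elif header.startswith("ip access-list extended"):
            site["acls"][w[3]] = [tuple(e.split()) for e in body]
        elif header.startswith("crypto ipsec transform-set"):
            site["transforms"] = tuple(w[4:])
        elif header.startswith("crypto map") and "ipsec-isakmp" in w:
            site["map"].update(e.rsplit(None, 1) for e in body)
    return site

def mirror(ace):
    """Swap source and destination of an ACE that has explicit wildcard masks."""
    return ace[:2] + ace[4:6] + ace[2:4] if len(ace) == 6 else ace

def check_pair(cfg_a, cfg_b, public_a, public_b, nat_acl="NAT-TRAFFIC"):
    """Return mismatches between two peers; an empty list means they agree."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    if a["policy"] != b["policy"]:
        out.append(f"ISAKMP policy differs: {a['policy']} vs {b['policy']}")
    if a["transforms"] != b["transforms"]:
        out.append(f"transform set differs: {a['transforms']} vs {b['transforms']}")
    # Same secret on both sides, each bound to the *other* router's public address.
    if not a["keys"].get(public_b) or a["keys"].get(public_b) != b["keys"].get(public_a):
        out.append("pre-shared key missing or not identical on both peers")
    if a["map"].get("set peer") != public_b or b["map"].get("set peer") != public_a:
        out.append("crypto map 'set peer' does not point at the remote public address")
    # Crypto ACLs must be mirror images or the Phase 2 proxy identities will not match.
    acl_a = a["acls"].get(a["map"].get("match address"), [])
    acl_b = b["acls"].get(b["map"].get("match address"), [])
    if sorted(mirror(e) for e in acl_a if e[0] == "permit") != sorted(e for e in acl_b if e[0] == "permit"):
        out.append("crypto ACLs are not mirror images")
    # VPN traffic must hit a deny in the NAT ACL before any permit would translate it.
    for site, acl in ((a, acl_a), (b, acl_b)):
        nat = site["acls"].get(nat_acl, [])
        first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
        for e in acl:
            deny = ("deny",) + e[1:]
            if e[0] == "permit" and (deny not in nat or nat.index(deny) > first_permit):
                out.append(f"{nat_acl} does not exempt {' '.join(e[2:])} from NAT")
    return out

def weak_algorithms(cfg):
    """Flag deprecated Phase 1 / Phase 2 algorithms; IOS defaults apply where a line is omitted."""
    site, out = parse(cfg), []
    for k, default in (("encr", "des"), ("hash", "sha"), ("group", "1")):
        if site["policy"].get(k, default) in WEAK[k]:
            out.append(f"Phase 1 {k} {site['policy'].get(k, default)} is deprecated")
    out += [f"Phase 2 transform {t} is deprecated" for t in site["transforms"] if t in WEAK_TRANSFORMS]
    return out
```

Run check_pair(R1_CONFIG, R2_CONFIG, "1.1.1.1", "1.1.1.2") against the article's pair and it returns an empty list; change R2's hash to sha, alter one octet of its crypto ACL, or remove the deny line from its NAT ACL and the corresponding finding appears. weak_algorithms(R1_CONFIG) reports all five of the article's algorithm choices as deprecated, which is the prompt to move to AES-256, SHA-256 and DH group 14 or higher on both routers before deploying.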

Author: AJ

As a passionate blogger, I'm thrilled to share my expertise, insights, and enthusiasm with you. I believe that technical knowledge should be shared, not hoarded. That's why I take the time to craft detailed, well-researched content that's easy to follow, even for non-technical readers. I love hearing from you, answering your questions, and learning from your experiences. Your feedback helps me create content that's tailored to your needs and interests.