Publish Date: July 17, 2015

Site to Site IPsec VPN Tunnel

A virtual private network (VPN) is a technology that creates an encrypted connection between two or more devices or Local Area Networks by using public networks such as internet.

There are mainly two types of VPN connections:

  1. Remote Access VPN: This is a user-to-LAN VPN connection, used when employees of a company who are in remote locations need to connect to the company’s private network.
  2. Site-to-Site VPN: This VPN allows offices in multiple remote locations to establish secure connections to each other over a public network such as the Internet. A site-to-site VPN extends the company’s network, making computer resources from one location available to people at the other locations.

There may be other types of VPN connections as well, but in this section I will discuss Site-to-Site VPN. As a networking professional, you should know how to configure a site-to-site VPN.

We will configure a site-to-site VPN tunnel between two Cisco routers with static public IP addresses. The traffic between them is protected with IPsec (Internet Protocol Security), so the two remote offices can communicate over the internet through a secure tunnel.

Before going into the configuration, I would like to discuss ISAKMP (Internet Security Association and Key Management Protocol). Both ISAKMP and IPsec are considered the building blocks of a VPN tunnel. ISAKMP is part of IKE (Internet Key Exchange), which provides the framework for authentication and key exchange. ISAKMP negotiation is done in two phases: Phase 1 and Phase 2.

In Phase 1, a tunnel is created to protect the ISAKMP negotiation messages. In Phase 2, a tunnel is created to protect data. IPsec then encrypts the data using the negotiated encryption algorithms.

Consider the following network diagram. We have two offices at different locations, connected to the internet by routers Site-1 and Site-2.

Figure: Site-to-Site VPN Tunnel (network diagram)

Site-1 is connected to LAN 192.168.10.0/24 and Site-2 is connected to another LAN, 192.168.20.0/24. You have to connect the two offices securely to allow full communication between the LANs.

First, I will configure both the Site-1 and Site-2 routers so that they can ping each other. We are assuming that they are connected to the internet with static public IPs, so they should reach each other without any additional configuration.

On Site-1 Router:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname Site-1
Site-1(config)#int fa0/0
Site-1(config-if)#ip address 192.168.10.1 255.255.255.0
Site-1(config-if)#no shutdown
Site-1(config-if)#int fa0/1
Site-1(config-if)#ip add 202.164.42.1 255.255.255.252
Site-1(config-if)#no shutdown
Site-1(config-if)#end
Site-1#

On Site-2 Router:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname Site-2
Site-2(config)#int fa0/0
Site-2(config-if)#ip add 192.168.20.1 255.255.255.0
Site-2(config-if)#no shut
Site-2(config-if)#int fa0/1
Site-2(config-if)#ip add 202.164.42.2 255.255.255.252
Site-2(config-if)#no shut
Site-2(config-if)#^Z
Site-2#

Now both routers should be able to ping each other.

Site-1#ping 202.164.42.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.164.42.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/58/68 ms
Site-1#

Site-1 Router Configuration

Configuring ISAKMP (Phase-1)

I am going to create the ISAKMP Phase-1 policy on the Site-1 router.

Site-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Site-1(config)#crypto isakmp policy 1
Site-1(config-isakmp)#encryption ?
  3des  Three key triple DES
  aes   AES - Advanced Encryption Standard.
  des   DES - Data Encryption Standard (56 bit keys).

Site-1(config-isakmp)#encryption 3des
Site-1(config-isakmp)#hash ?
  md5  Message Digest 5
  sha  Secure Hash Standard

Site-1(config-isakmp)#hash md5
Site-1(config-isakmp)#group 2
Site-1(config-isakmp)#lifetime ?
  <60-86400>  lifetime in seconds

Site-1(config-isakmp)#lifetime 86400
Site-1(config-isakmp)#authentication pre-share
Site-1(config-isakmp)#exit

In the above configuration,

encryption 3des – The encryption method to be used for Phase 1.
hash md5 – The hashing algorithm used is Message Digest 5.
group 2 – The Diffie-Hellman group to be used.
lifetime 86400 – The session lifetime expressed in seconds. 86400 is the default value.
authentication pre-share – Use a preshared key (password) for authentication.

If you are connecting to multiple sites from this router, you need to create multiple ISAKMP policies in the same way we created policy 1 above.

Now we have to specify the pre-shared key (password) used for authentication.

Site-1#conf t
Site-1(config)#crypto isakmp key Abc@123 address 202.164.42.2
Site-1(config)#

The password (Abc@123) must match on both routers for the negotiation to succeed, and the address given here is the public IP address of the Site-2 router.

Next, we have to configure IPsec. I will create an extended access-list so that only the interesting traffic (traffic destined for the Site-2 LAN) is sent through the VPN tunnel.

Site-1(config)#ip access-list extended VPN-Traffic
Site-1(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Site-1(config-ext-nacl)#end
Site-1#

VPN-Traffic is our named ACL, which classifies traffic sourced from the 192.168.10.0/24 subnet and destined for the 192.168.20.0/24 subnet. Only this traffic is considered interesting traffic and will be sent over the VPN tunnel.

Configuring ISAKMP (Phase-2)

Here we will create an IPsec transform set, which will be used to encrypt the data flowing through the tunnel. Then we will create a crypto map, which joins the IPsec and ISAKMP policies together.

Site-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Site-1(config)#crypto ipsec transform-set SET1 ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

Site-1(config)#crypto ipsec transform-set SET1 esp-3des ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

Site-1(config)#crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
Site-1(cfg-crypto-trans)#exit
Site-1(config)#crypto map MAP ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map

Site-1(config)#crypto map MAP 10 ?
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
  <cr>

Site-1(config)#crypto map MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Site-1(config-crypto-map)#set peer 202.164.42.2
Site-1(config-crypto-map)#set ?
  identity              Identity restriction.
  ip                    Interface Internet Protocol config commands
  isakmp-profile        Specify isakmp Profile
  nat                   Set NAT translation
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order

Site-1(config-crypto-map)#set transform-set SET1
Site-1(config-crypto-map)#match address VPN-Traffic
Site-1(config-crypto-map)#end
Site-1#

Under the crypto map configuration, I have used the set peer 202.164.42.2 command to specify the public IP address of the destination (Site-2) router and the set transform-set SET1 command to specify the transform set to be used. The match address VPN-Traffic command specifies the name of the extended ACL created to identify the interesting traffic.

Now it is time to apply the crypto map to the outside interface (the one connected to the ISP), which is interface FastEthernet0/1 in our network. Only one crypto map can be applied per interface.

Site-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Site-1(config)#int fa0/1
Site-1(config-if)#crypto map MAP
*Jul 17 13:33:48.571: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Site-1(config-if)#end
Site-1#

Notice that once the crypto map is applied on the interface, you receive the message “ISAKMP is ON”.

Network Address Translation (NAT) Configuration

Network Address Translation (NAT) needs to be configured on both the Site-1 and Site-2 routers to provide internet access to the PCs on the LANs. This is done with another extended ACL on the router, which exempts the interesting traffic from translation: traffic sourced from the 192.168.10.0/24 subnet and destined for the 192.168.20.0/24 subnet will not undergo NAT. As already mentioned, NAT is required to allow internet access for the PCs.

Site-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Site-1(config)#ip access-list extended NO-NAT
Site-1(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Site-1(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 any
Site-1(config-ext-nacl)#exit
Site-1(config)#ip nat inside source list NO-NAT interface fastEthernet 0/1 overload
Site-1(config)#int fa0/0
Site-1(config-if)#ip nat inside
Site-1(config-if)#int fa0/1
Site-1(config-if)#ip nat outside
Site-1(config-if)#^Z
Site-1#

In the above steps, I have configured and enabled Port Address Translation (NAT overload). If you have no idea about NAT, you can take a look at this section.
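The VPN-Traffic and NO-NAT access lists only work together because of how IOS evaluates them: a wildcard mask bit of 0 means the address bit must match, the first matching entry wins, an unmatched packet hits the implicit deny, and ip nat inside source list translates only the packets its list permits. On the inside-to-outside path IOS applies NAT before the crypto map, so without the deny entry in NO-NAT a LAN-to-LAN packet would already carry the public address when the crypto map checks VPN-Traffic and would never match. The following Python model is an added example, not code from the tutorial; the ACL text is constructed from the Site-1 commands above (prompts removed), and WAN_ADDRESS and classify_flow are names assumed here for illustration.

```python
"""Model of the two extended ACLs from this tutorial (VPN-Traffic and NO-NAT).

Added example, not from the original page. It reproduces the IOS semantics
that matter here: wildcard masks (0 bit = must match, 1 bit = don't care),
first matching entry wins, implicit deny at the end, and the fact that
'ip nat inside source list' translates only packets the list permits.
"""
import ipaddress


def parse_acl(text):
    """Parse 'permit|deny <proto> SRC WILD DST WILD' lines into rule tuples.

    'any' expands to 0.0.0.0 255.255.255.255 and 'host X' to X 0.0.0.0,
    as IOS stores them. Other lines (prompts, blanks) are ignored.
    """
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        fields = []
        while rest and len(fields) < 4:
            if rest[0] == "any":
                fields += ["0.0.0.0", "255.255.255.255"]
                rest = rest[1:]
            elif rest[0] == "host":
                fields += [rest[1], "0.0.0.0"]
                rest = rest[2:]
            else:
                fields += rest[:2]
                rest = rest[2:]
        src, src_wc, dst, dst_wc = fields
        rules.append((action, proto, src, src_wc, dst, dst_wc))
    return rules


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


def evaluate(rules, src, dst):
    """Return the action of the first matching entry, or the implicit deny."""
    for action, _proto, s, s_wc, d, d_wc in rules:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


# Constructed from the Site-1 ACL commands shown on the page (prompts removed).
VPN_TRAFFIC = parse_acl("permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255")
NO_NAT = parse_acl("""
deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
""")
WAN_ADDRESS = "202.164.42.1"   # Site-1 fa0/1, the address NAT overload uses


def classify_flow(src, dst, no_nat_rules=NO_NAT):
    """How Site-1 treats an inside-to-outside packet from src to dst.

    NAT runs first: if NO-NAT permits the packet, the source becomes the
    WAN address before the crypto map looks at it. Only the deny entry
    keeps LAN-to-LAN packets untranslated, so they still match VPN-Traffic.
    """
    translate = evaluate(no_nat_rules, src, dst) == "permit"
    seen_by_crypto = WAN_ADDRESS if translate else src
    encrypt = evaluate(VPN_TRAFFIC, seen_by_crypto, dst) == "permit"
    return {"translate": translate, "encrypt": encrypt}
```

Passing a NO-NAT list without the deny entry (as the last assertion below does) shows the classic misconfiguration: the LAN-to-LAN packet is translated and the tunnel never sees any interesting traffic.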

Site-1 is now configured. Now I will go to the Site-2 router and do the same configuration. The only difference will be the public IP address of the Site-1 router; also, the source and destination in the ACLs will be flipped.

Site-2 Router Configuration

I have given the complete configuration of Site-2 router below:

Site-2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Site-2(config)#crypto isakmp policy 1
Site-2(config-isakmp)#hash md5
Site-2(config-isakmp)#encryption 3des
Site-2(config-isakmp)#group 2
Site-2(config-isakmp)#lifetime 86400
Site-2(config-isakmp)#authentication pre-share
Site-2(config-isakmp)#crypto isakmp key Abc@123 address 202.164.42.1
Site-2(config)#ip access-list extended VPN-Traffic
Site-2(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Site-2(config-ext-nacl)#
Site-2(config-ext-nacl)#crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
Site-2(cfg-crypto-trans)#crypto map MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Site-2(config-crypto-map)#set peer 202.164.42.1
Site-2(config-crypto-map)#set transform-set SET1
Site-2(config-crypto-map)#match address VPN-Traffic
Site-2(config-crypto-map)#int fa0/1
Site-2(config-if)#crypto map MAP
*Jul 17 14:01:57.707: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Site-2(config-if)#ip access-list extended NO-NAT
Site-2(config-ext-nacl)#deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Site-2(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 any
Site-2(config-ext-nacl)#exit
Site-2(config)#ip nat inside source list NO-NAT interface fastEthernet 0/1 overload
Site-2(config)#int fa0/0
Site-2(config-if)#ip nat inside
Site-2(config-if)#int fa0/1
Site-2(config-if)#ip nat outside
Site-2(config-if)#end
Site-2#

The VPN tunnel is now configured.
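Because the two routers must agree on the Phase 1 policy, the pre-shared key and peer addresses, the transform set, and mirrored interesting-traffic ACLs, a small audit that compares both configurations catches the usual copy-and-paste mistakes before anything is pushed to the routers. The following Python script is an added example, not code from the tutorial; the SITE1 text is constructed from the Site-1 commands on the page in running-config form (no prompts), SITE2 is derived from it exactly as the text above describes, and parse_crypto, audit and the LEGACY table are names assumed here. The legacy list reflects that 3DES, MD5 and DH group 2 are no longer recommended for new deployments; they are kept here so the audit matches the page's configuration.

```python
"""Consistency audit of the two peers' crypto configuration.

Added example, not from the original tutorial. It parses the relevant lines
of each router's configuration and checks what must agree for Phase 1 and
Phase 2 to negotiate: ISAKMP policy attributes, pre-shared key and peer
addresses, transform set, and mirrored interesting-traffic ACLs. It also
lists legacy algorithm choices so they are visible at review time.
"""

SITE1_WAN, SITE2_WAN = "202.164.42.1", "202.164.42.2"

# Constructed from the Site-1 commands on the page, in running-config form.
SITE1 = """
crypto isakmp policy 1
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 authentication pre-share
crypto isakmp key Abc@123 address 202.164.42.2
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
ip access-list extended VPN-Traffic
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto map MAP 10 ipsec-isakmp
 set peer 202.164.42.2
 set transform-set SET1
 match address VPN-Traffic
"""

# Site-2 differs only in the peer address and the flipped ACL, as the text says.
SITE2 = SITE1.replace("202.164.42.2", "202.164.42.1").replace(
    "192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255")


def parse_crypto(cfg):
    """Pull out the pieces of an IOS config that must agree between peers."""
    info = {"policy": {}, "keys": {}, "transform": set(), "acl": [], "peers": set()}
    section = None
    for raw in cfg.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["crypto", "isakmp", "policy"]:
            section = "policy"
        elif t[:3] == ["crypto", "isakmp", "key"]:
            info["keys"][t[5]] = t[3]          # peer address -> secret
            section = None
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            info["transform"] = set(t[4:])
            section = None
        elif t[:2] == ["ip", "access-list"]:
            section = "acl"
        elif t[:2] == ["crypto", "map"]:
            section = "map"
        elif section == "policy":
            info["policy"][t[0]] = " ".join(t[1:])
        elif section == "acl" and t[0] in ("permit", "deny"):
            info["acl"].append(tuple(t))
        elif section == "map" and t[:2] == ["set", "peer"]:
            info["peers"].add(t[2])
    return info


# Algorithm choices that still negotiate but are no longer recommended.
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"},
          "transform": {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}}


def audit(cfg_a, wan_a, cfg_b, wan_b):
    """Return mismatches that would stop negotiation plus legacy-algorithm notes."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    mismatches = []
    # Lifetime is deliberately not compared: IKEv1 peers agree on the shorter one.
    for attr in ("encryption", "hash", "group", "authentication"):
        if a["policy"].get(attr) != b["policy"].get(attr):
            mismatches.append(f"isakmp {attr}: {a['policy'].get(attr)} vs {b['policy'].get(attr)}")
    if a["keys"].get(wan_b) is None or a["keys"].get(wan_b) != b["keys"].get(wan_a):
        mismatches.append("pre-shared key or peer address does not match")
    if a["transform"] != b["transform"]:
        mismatches.append(f"transform sets differ: {sorted(a['transform'])} vs {sorted(b['transform'])}")
    if wan_b not in a["peers"] or wan_a not in b["peers"]:
        mismatches.append("crypto map 'set peer' addresses do not point at each other")
    for act, proto, s, swc, d, dwc in a["acl"]:
        if (act, proto, d, dwc, s, swc) not in b["acl"]:
            mismatches.append(f"ACL entry {s} -> {d} has no mirrored entry on the peer")
    legacy = {f"{k} {v}" for k, v in a["policy"].items() if v in LEGACY.get(k, set())}
    legacy |= {ts for ts in a["transform"] if ts in LEGACY["transform"]}
    return {"mismatches": mismatches, "legacy": sorted(legacy)}
```

Run audit(SITE1, SITE1_WAN, SITE2, SITE2_WAN) to see an empty mismatch list for the page's configuration; changing a single attribute on one side, or pasting Site-1's configuration onto Site-2 unchanged, produces a named mismatch instead of a silent Phase 1 failure on the router.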

Verify the IPsec VPN Tunnel

You can view the status of the security association (SA) using the show crypto isakmp sa command, and the complete IPsec policy details using the show crypto ipsec sa command.

Site-1#show crypto isakmp sa
dst             src             state          conn-id slot status
202.164.42.2   202.164.42.1   QM_IDLE              1    0 ACTIVE

Site-1#

The state “QM_IDLE” and status “ACTIVE” mean the tunnel is up and working fine. If you see “MM_NO_STATE” or anything else in the state column, there is some issue. You can then use the debug ip packet command to check what is going on on the router.

Site-1#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: MAP, local addr 202.164.42.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 202.164.42.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 202.164.42.1, remote crypto endpt.: 202.164.42.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xF1C7B7E7(4056397799)

     inbound esp sas:
      spi: 0x812DFD73(2167274867)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4454151/3381)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF1C7B7E7(4056397799)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: MAP
        sa timing: remaining key lifetime (k/sec): (4454151/3378)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Site-1#

In the above output, you can see the complete details of the IPsec tunnel.
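When tunnels are checked regularly rather than once, it helps to turn the two show commands into a single verdict: Phase 1 rows that are not QM_IDLE/ACTIVE, ESP SAs that are not ACTIVE, and counters that show packets being encrypted with nothing ever decrypted. The following Python parser is an added example, not code from the tutorial; the ISAKMP_SA and IPSEC_SA samples are constructed from the outputs shown above (the IPsec output trimmed to the lines the parser uses), and parse_isakmp_sa, parse_ipsec_sa and tunnel_health are names assumed here.

```python
"""Parse the two verification commands from this tutorial into a health report.

Added example, not from the original page. The sample outputs are
constructed from the 'show crypto isakmp sa' and 'show crypto ipsec sa'
output shown on the page (the IPsec output trimmed to the lines used here).
"""
import re

ISAKMP_SA = """\
dst             src             state          conn-id slot status
202.164.42.2   202.164.42.1   QM_IDLE              1    0 ACTIVE
"""

IPSEC_SA = """\
interface: FastEthernet0/1
    Crypto map tag: MAP, local addr 202.164.42.1
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 202.164.42.2 port 500
    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #send errors 5, #recv errors 0
     inbound esp sas:
      spi: 0x812DFD73(2167274867)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0xF1C7B7E7(4056397799)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0][0].isdigit():
            # Some IOS releases omit the trailing status column.
            rows.append({"dst": t[0], "src": t[1], "state": t[2],
                         "conn_id": t[3], "status": t[5] if len(t) > 5 else None})
    return rows


def parse_ipsec_sa(text):
    """Packet counters and ESP SA statuses from 'show crypto ipsec sa'."""
    counters = {}
    for name in ("pkts encaps", "pkts decaps", "send errors", "recv errors"):
        m = re.search(r"#" + re.escape(name) + r":? (\d+)", text)
        counters[name] = int(m.group(1)) if m else 0
    return {"counters": counters, "esp_sa_status": re.findall(r"Status: (\w+)", text)}


def tunnel_health(isakmp_text, ipsec_text):
    """Combine both outputs into an up/down verdict plus readable findings."""
    phase1 = parse_isakmp_sa(isakmp_text)
    phase2 = parse_ipsec_sa(ipsec_text)
    findings = []
    if not phase1:
        findings.append("no ISAKMP SA: Phase 1 has not started or has been torn down")
    for sa in phase1:
        if sa["state"] != "QM_IDLE" or sa["status"] not in (None, "ACTIVE"):
            findings.append(f"peer {sa['dst']}: Phase 1 state {sa['state']} "
                            f"status {sa['status']} (expected QM_IDLE/ACTIVE)")
    c = phase2["counters"]
    if c["pkts encaps"] and not c["pkts decaps"]:
        findings.append("encrypting but never decrypting: return traffic is not arriving")
    if c["send errors"]:
        findings.append(f"{c['send errors']} send errors recorded; compare with a later "
                        "reading, a growing count means packets are still being dropped")
    phase1_ok = bool(phase1) and all(
        sa["state"] == "QM_IDLE" and sa["status"] in (None, "ACTIVE") for sa in phase1)
    up = phase1_ok and "ACTIVE" in phase2["esp_sa_status"]
    return {"up": up, "phase1": phase1, "counters": c, "findings": findings}
```

Feeding the page's own output through tunnel_health reports the tunnel as up with the 5 send errors noted; swapping QM_IDLE for MM_NO_STATE in the first table, or an empty table, reports it as down with the reason spelled out.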

Now PC1 and PC2, which are located on different LAN segments at remote locations, can reach each other.

PC1#ping 192.168.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
.!!!!
Success rate is 90 percent (4/5), round-trip min/avg/max = 1/2/4 ms
PC1#

This concludes our Site-to-Site IPsec VPN Tunnel section.
