Static IPSec Tunnel VPN Configuration between Cisco Routers

Introduction

This lab will show you how to configure a Static IPSec VPN tunnel between two Cisco IOS routers.

The following topology shows that we have two sites in different locations, both connected to their ISP. The company wants to make sure that the data transferred between the two sites is secure. A GRE (Generic Routing Encapsulation) tunnel is used when sending data between networks in different locations; a GRE tunnel is a virtual tunnel. The problem is that packets sent over a GRE tunnel are not encrypted, so the tunnel is not secure. To secure the tunnel, IPSec is used.
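
To make that point concrete, here is an added Python example (not part of the original post) that builds a GRE-in-IPv4 packet the way the routers will once the tunnel is configured, and then parses it from the point of view of an observer on the ISP path: with GRE alone, the inner source and destination addresses and the payload are readable in clear, which is exactly what the IPSec profile applied in Step 4 fixes. All addresses and the "hello" payload are constructed from the lab topology (loopbacks 1.1.1.1 and 2.2.2.2, physical interfaces 10.10.10.1 and 10.10.10.2); the packet is only built in memory, nothing is sent.

```python
import struct

GRE_PROTO = 47           # IP protocol number in the outer header for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" value for an inner IPv4 packet
ICMP = 1


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options, with the checksum filled in."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_src, inner_dst, payload, outer_src, outer_dst, inner_proto=ICMP):
    """Wrap an inner IPv4 packet in a 4-byte GRE header and an outer IPv4 header,
    as a router does when forwarding out a 'tunnel source/destination' interface."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(payload)) + payload
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, version 0
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) after verifying the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:  # a header with a correct checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:]


def inspect_gre(pkt: bytes) -> dict:
    """Everything a passive observer on the ISP path can read from an unprotected GRE packet."""
    o_src, o_dst, proto, rest = parse_ipv4(pkt)
    if proto != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    flags, ptype = struct.unpack("!HH", rest[:4])
    if flags & 0xF000:  # C, R, K or S set: optional GRE fields follow, not handled here
        raise ValueError("GRE optional fields not supported")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner protocol is not IPv4")
    i_src, i_dst, i_proto, payload = parse_ipv4(rest[4:])
    return {"outer": (o_src, o_dst), "inner": (i_src, i_dst),
            "inner_proto": i_proto, "payload": payload}


if __name__ == "__main__":
    # Constructed example using the lab addresses: loopback 1.1.1.1 -> 2.2.2.2,
    # carried between the physical addresses 10.10.10.1 -> 10.10.10.2.
    pkt = gre_encapsulate("1.1.1.1", "2.2.2.2", b"hello", "10.10.10.1", "10.10.10.2")
    print(inspect_gre(pkt))
```

Once `tunnel protection ipsec profile` is applied, the same observer sees only the outer 10.10.10.x header followed by ESP; the GRE header, the inner 1.1.1.1/2.2.2.2 header and the payload are all inside the encrypted ESP payload.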

Before we start, follow the topology above to configure the physical IP addresses, loopback interfaces and GRE tunnel addresses, and make sure Site1 and Site2 have IP connectivity. When you do this lab in GNS3, just ignore the ISP in the middle and connect your routers directly. I believe most of you are able to configure router physical IP addresses and loopback interfaces, so I will show you how to configure a GRE tunnel.

Site1 Configurations

Step 1 – GRE tunnel configuration

Site1(config)#interface tunnel 1
Site1(config-if)#ip add 20.20.20.1 255.255.255.240
Site1(config-if)#tunnel source 10.10.10.1           <source router outgoing physical interface IP address>
Site1(config-if)#tunnel destination 10.10.10.2      <destination router incoming physical interface IP address>
Site1(config)#ip route 2.2.2.2 255.255.255.255 20.20.20.2   <Site2 tunnel 1 interface IP address>

This ensures that whenever network 1.1.1.1 sends packets to network 2.2.2.2, the packets go through the GRE tunnel. To verify this, run a traceroute and check that the packets go through the tunnel interface.

Site1#traceroute 2.2.2.2 source 1.1.1.1


As you can see, the packets are going through the tunnel 1 interface.

Step 2 – IKE Phase 1

crypto keyring vpnkey

pre-shared-key address 10.10.10.2 255.255.255.240 key cisco

Define the crypto keyring name and set the pre-shared key “cisco”, so every time Site1 wants to establish a VPN connection with a peer matching 10.10.10.2 255.255.255.240, the pre-shared key “cisco” will be used. Please note 10.10.10.2 is the physical address, not the tunnel address.


crypto isakmp policy 1

encr aes
authentication pre-share
group 2

The ISAKMP policy is used in phase 1 negotiations and specifies the encryption and authentication method. If you have multiple ISAKMP policies on the same router, they are tried in order of priority and the first matching ISAKMP policy is used.

The default crypto ISAKMP policy can be found with “show crypto isakmp policy”:

Global IKE policy

Default protection suite
encryption algorithm:   DES – Data Encryption Standard (56 bit keys).
hash algorithm:         Secure Hash Standard
authentication method:  Rivest-Shamir-Adleman Signature
Diffie-Hellman group:   #1 (768 bit)
lifetime:               86400 seconds, no volume limit

As you can see, the default policy isn’t secure enough by current standards, so a new policy needs to be set.


crypto isakmp profile vpnisaprofile
keyring vpnkey
match identity address 10.10.10.0 255.255.255.240
local-address e1/1


Defines the crypto ISAKMP profile name, assigns the keyring and configures “match identity”. Please note the IP address here refers to the physical IP, not the tunnel address.

“local-address e1/1” limits the scope of the ISAKMP profile to a local termination address or interface.

To verify this

Step 3 – IKE Phase 2 

crypto ipsec transform-set vpntrans esp-aes esp-sha-hmac

The transform-set provides our encryption and hash algorithm options for phase 2 negotiations. Within the transform-set we can specify the encapsulation mode (tunnel or transport); the default is tunnel mode. As with ISAKMP policies, we can have multiple transform-sets, each with completely different parameters.


crypto ipsec profile vpnsecprofile
set transform-set vpntrans
set isakmp-profile vpnisaprofile

Define the crypto IPSec profile name, including the transform-set and isakmp-profile; this links IKE Phase 1 with IKE Phase 2.

Step 4 – Apply IPSec profile to tunnel interface


interface Tunnel 1
tunnel protection ipsec profile vpnsecprofile

Site2 Configurations

The configuration on Site2 is identical, with the only difference being the IP addresses.

Step 1 – GRE tunnel configuration

Site2(config)#int tunnel 1
Site2(config-if)#ip add 20.20.20.2 255.255.255.240
Site2(config-if)#tunnel source 10.10.10.2           <source router outgoing physical interface IP address>
Site2(config-if)#tunnel destination 10.10.10.1      <destination router incoming physical interface IP address>
Site2(config)#ip route 1.1.1.1 255.255.255.255 20.20.20.1   <Site1 tunnel 1 interface IP address>

Step 2 – IKE Phase 1

crypto keyring vpnkey
pre-shared-key address 10.10.10.1 255.255.255.240 key cisco

crypto isakmp policy 1
encr aes
authentication pre-share
group 2


crypto isakmp profile vpnisaprofile
keyring vpnkey
match identity address 10.10.10.0 255.255.255.240
local-address e1/1

Step 3 – IKE Phase 2 

crypto ipsec transform-set vpntrans esp-aes esp-sha-hmac


crypto ipsec profile vpnsecprofile
set transform-set vpntrans
set isakmp-profile vpnisaprofile

Step 4 – Apply IPSec profile to tunnel interface

interface Tunnel 1
ip address 20.20.20.2 255.255.255.240
tunnel source 10.10.10.2
tunnel destination 10.10.10.1
tunnel protection ipsec profile vpnsecprofile
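
Step 2 showed that any ISAKMP parameter you leave out falls back to the weak IOS defaults (DES, DH group 1), and the Site2 section relies on the two configurations mirroring each other apart from the addresses. The following Python is an added example, not from the lab or from Cisco, that audits both points: it fills in the IOS defaults for every “crypto isakmp policy” and flags weak choices, and it checks that the two sites’ tunnel source/destination, keyring peer address, transform-set and tunnel subnet line up. The configs it parses are constructed from the lab’s values and indented the way IOS prints them (the show run reproduced below lost its indentation). Treating DH group 2 as weak goes beyond the page and follows Cisco’s own Next Generation Encryption guidance, which recommends group 14 or higher.

```python
import ipaddress
import re

# IOS defaults used when a 'crypto isakmp policy' line is omitted; these are the
# values the 'show crypto isakmp policy' output above lists as the default suite.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

# Values to flag. DES/3DES and MD5 are the obvious ones; DH groups 1, 2 and 5
# (768/1024/1536-bit MODP) are deprecated by Cisco's Next Generation Encryption guidance.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}


def parse_blocks(config: str):
    """Split an IOS running-config into (header, [child commands]) pairs.
    Child commands are recognised by leading whitespace, as IOS prints them."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def isakmp_findings(config: str):
    """Merge each ISAKMP policy with the IOS defaults and flag weak choices."""
    findings = []
    for header, children in parse_blocks(config):
        m = re.fullmatch(r"crypto isakmp policy (\d+)", header)
        if not m:
            continue
        settings = dict(ISAKMP_DEFAULTS)
        for child in children:
            key, _, value = child.partition(" ")
            settings["encr" if key == "encryption" else key] = value
        for key, bad in WEAK.items():
            if settings[key] in bad:
                findings.append(f"policy {m.group(1)}: {key} {settings[key]} is weak")
    return findings


def tunnel_params(config: str) -> dict:
    """Collect the values that must mirror between the two ends of the tunnel."""
    p = {}
    for header, children in parse_blocks(config):
        if header.startswith("interface Tunnel"):
            for c in children:
                words = c.split()
                if c.startswith("tunnel source "):  # the lab uses an IP here, not an interface name
                    p["source"] = words[2]
                elif c.startswith("tunnel destination "):
                    p["destination"] = words[2]
                elif c.startswith("ip address "):
                    p["tunnel_net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
                elif c.startswith("tunnel protection ipsec profile "):
                    p["profile"] = words[4]
        elif header.startswith("crypto keyring "):
            for c in children:
                if c.startswith("pre-shared-key address "):
                    p["psk_peer"] = c.split()[2]
        elif header.startswith("crypto ipsec transform-set "):
            p["transform"] = tuple(header.split()[4:])
    return p


def peer_mismatches(a: dict, b: dict):
    """Site1's tunnel source must be Site2's tunnel destination and keyring peer (and vice
    versa); the transform-set and tunnel subnet must agree; both tunnels must be protected."""
    issues = []
    for x, y, xn, yn in ((a, b, "Site1", "Site2"), (b, a, "Site2", "Site1")):
        if x.get("source") != y.get("destination"):
            issues.append(f"{xn} tunnel source != {yn} tunnel destination")
        if y.get("psk_peer") != x.get("source"):
            issues.append(f"{yn} pre-shared-key address != {xn} tunnel source")
        if "profile" not in x:
            issues.append(f"{xn} tunnel has no 'tunnel protection ipsec profile'")
    if a.get("transform") != b.get("transform"):
        issues.append("transform-sets differ")
    if a.get("tunnel_net") != b.get("tunnel_net"):
        issues.append("tunnel interfaces are not in the same subnet")
    return issues


def site_config(local_phys: str, peer_phys: str, tunnel_ip: str) -> str:
    """Constructed running-config excerpt with the lab's values, indented as IOS prints it."""
    return f"""\
crypto keyring vpnkey
  pre-shared-key address {peer_phys} 255.255.255.240 key cisco
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set vpntrans esp-aes esp-sha-hmac
!
interface Tunnel1
 ip address {tunnel_ip} 255.255.255.240
 tunnel source {local_phys}
 tunnel destination {peer_phys}
 tunnel protection ipsec profile vpnsecprofile
"""


SITE1 = site_config("10.10.10.1", "10.10.10.2", "20.20.20.1")
SITE2 = site_config("10.10.10.2", "10.10.10.1", "20.20.20.2")

if __name__ == "__main__":
    print("ISAKMP findings:", isakmp_findings(SITE1))
    print("peer mismatches:", peer_mismatches(tunnel_params(SITE1), tunnel_params(SITE2)))
```

On the lab configuration the peer check comes back clean and the only finding is the 1024-bit DH group; a policy block with no parameters at all is reported for both DES and group 1, which is the trap the default suite sets.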

To verify your configuration, the following show commands can be used:

show crypto session

show crypto isakmp policy

show crypto isakmp profile

show crypto ipsec profile

show crypto isakmp sa

show crypto ipsec sa

The following are some of my show command results

If you find that your session status is not UP-ACTIVE, ping from the Site1 loopback interface to the Site2 loopback interface, then run your show crypto session command again: the security associations are negotiated on demand, when traffic first needs the tunnel.


Show run on Site1
crypto keyring vpnkey
pre-shared-key address 10.10.10.2 255.255.255.240 key cisco
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp profile vpnisaprofile
keyring vpnkey
match identity address 10.10.10.0 255.255.255.240
local-address Ethernet1/1
!
!
crypto ipsec transform-set vpntrans esp-aes esp-sha-hmac
!
crypto ipsec profile vpnsecprofile
set transform-set vpntrans
set isakmp-profile vpnisaprofile
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
ip address 20.20.20.1 255.255.255.240
tunnel source 10.10.10.1
tunnel destination 10.10.10.2
tunnel protection ipsec profile vpnsecprofile
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Ethernet1/0
no ip address
shutdown
duplex half
!
interface Ethernet1/1
ip address 10.10.10.1 255.255.255.240
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
ip route 2.2.2.2 255.255.255.255 20.20.20.2
no ip http server
no ip http secure-server
!

Conclusion

This lab shows how to configure a static IPSec tunnel and how an IPSec VPN tunnel works. But there are limitations with a static IPSec VPN tunnel.

For example, when only two networks need to connect to each other over an IPSec VPN tunnel it is easy to set up and modify, but when you want to add new networks, reconfiguration is needed on every router. DMVPN overcomes this limitation.

COMMENTS

Very useful! Thanks