Adding More Peer to Existing IPSec VPN Site-to-Site Tunnel With Cisco Router

1. Overview

In the previous article we implemented an IPSec VPN site-to-site tunnel between the head office and a branch office. As the business grows, more branch offices are created, so another IPSec VPN site-to-site tunnel has to be configured between the head office and each newly created branch office.

This article shows how to add another peer to the existing IPSec site-to-site configuration on the head office Cisco router, together with the matching IPSec site-to-site configuration on the new branch office Cisco router.

2. Prerequisites

In this document, it is assumed that:

a. You already have a Cisco router on GNS3 VM up and running. In case you don't, please follow this link: Installing GNS3 VM on VMware Workstation
b. You understand the encryption and authentication that happen in phase 1 and phase 2 of IPSec VPN.
c. You already have an IPSec VPN site-to-site tunnel up and running. If you don't, you may want to read the previous article, Configuring Site-to-Site IPSec VPN Between Cisco Routers.

3. Network Diagram and IP Configuration

The following is the network diagram after adding one more branch office.

The Cisco router located in the new branch office is named "BRRT02". The following is the IP configuration for each relevant device.

On PC3

PC3> ip 192.168.30.10/24 192.168.30.1

On BRRT02

#int f0/0
  no sh
  ip add 192.168.30.1 255.255.255.0
#int f0/1
  no sh
  ip add 102.168.100.2 255.255.255.252

On Internet router

#int f1/0
  ip add 102.168.100.1 255.255.255.252

4. IPSec VPN Site-to-Site Form

The following is the information that will be used in the configuration of the IPSec VPN site-to-site tunnel between the head office and the new branch office.

Firewall Type                         Headquarter            New Branch Office
Manufacturer                          Cisco                  Cisco
Model                                 Router                 Router
Version                               12.4(15)T13            12.4(15)T13

Configuration                         Headquarter            New Branch Office
Phase 1
  IKE Encryption Algorithm            3DES                   3DES
  IKE Hash Algorithm                  SHA-1                  SHA-1
  IKE Security Lifetime (seconds)     86400                  86400
  Diffie-Hellman Group                2                      2
  Pre-shared Key                      vpn@HQ2BR2             vpn@HQ2BR2
Phase 2
  IPSec Security Protocol             ESP                    ESP
  IPSec Encryption Algorithm          3DES                   3DES
  IPSec Hash Algorithm                MD5                    MD5
  IPSec Security Lifetime (seconds, optional)
                                      □ 14400  □ 28800 (default)  □ 86400  □ Other: ……….   (same choices for both sites)
  Perfect Forward Secrecy (PFS, optional)
                                      PFS: □ No   Group: □ 2 (default)  □ 5  □ 7           (same choices for both sites)

IP Addressing                         Headquarter            New Branch Office
Peer IP address                       203.200.200.2          102.168.100.2
Local IP address                      172.16.10.10/32        192.168.30.10/32


5. Configuration

5.1 Configure Default Route

Configure the default route on BRRT02 as follows.

#ip route 0.0.0.0 0.0.0.0 102.168.100.1

Now BRRT02 should be able to ping the public IP address of HQRT01, which is located in the head office.

BRRT02#ping 203.200.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.200.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/30/36 ms
BRRT02#

5.2 Set Up ISAKMP Policy

Configure IKE to negotiate a Security Association (SA) with the peer; this establishes the encrypted channel between the two VPN endpoints. We will reuse the existing ISAKMP policy on HQRT01, the headquarter router.

This ISAKMP policy was configured when we set up the IPSec VPN site-to-site tunnel to our first branch office.

HQRT01#sh run | b policy
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

On BRRT02, the new branch office router, apply the following commands to create the ISAKMP policy.

#crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400

5.3 Create IPSec Transform Set

Next we need to create a transform set, which establishes the encryption and authentication for the IPSec tunnel. HQRT01 already has a transform set named "HQ-TS01-3DES-MD5" from the previous configuration, so let's just reuse it for the new branch IPSec VPN site-to-site tunnel.

HQRT01#sh run | i transform-set
crypto ipsec transform-set HQ-TS01-3DES-MD5 esp-3des esp-md5-hmac

On BRRT02 apply the following configuration to create a transform set named "BR2-TS01-3DES-MD5".

#crypto ipsec transform-set BR2-TS01-3DES-MD5 esp-3des esp-md5-hmac

5.4 Create ACL For VPN Tunnel

Create the following ACLs to match the traffic between the head office and the new branch office.

On HQRT01

#ip access-list extended ACL-HQ2BR2
  permit ip host 172.16.10.10 host 192.168.30.10

On BRRT02

#ip access-list extended ACL-BR22HQ
  permit ip host 192.168.30.10 host 172.16.10.10

5.5 Create VPN Tunnel Group

Now create a tunnel group for the IPSec VPN site-to-site connection. Pre-shared key authentication is configured here.

Apply the following tunnel group configuration on HQRT01.

#crypto isakmp key 0 vpn@HQ2BR2 address 102.168.100.2

Apply the following tunnel group configuration on BRRT02.

#crypto isakmp key 0 vpn@HQ2BR2 address 203.200.200.2

5.6 Configure and Apply Crypto Map

The final step is to configure the crypto map, which combines the IPSec transform set and the access list configured previously for this new VPN peer, and to apply it to the interface that is connected to the internet.

Since HQRT01 already has an IPSec VPN tunnel in place, with the crypto map already applied to interface f0/1 connected to the internet, we just need to add the new peer as another entry of the same crypto map with a higher sequence number, as follows.

#crypto map HQ-VPN 2 ipsec-isakmp
  set peer 102.168.100.2
  set transform-set HQ-TS01-3DES-MD5
  match address ACL-HQ2BR2

The following are the commands to be executed on BRRT02.

#crypto map BR2-VPN 1 ipsec-isakmp
  set peer 203.200.200.2
  set transform-set BR2-TS01-3DES-MD5
  match address ACL-BR22HQ
#int f0/1
  crypto map BR2-VPN

5.7 IPSec VPN With Dynamic NAT on Headquarter Cisco Router

Normally, Dynamic NAT is configured on a Cisco router to provide internet access to all computers within the Local Area Network (LAN). In the previous configuration, we configured Dynamic NAT to allow internet access from the headquarter local network. We also configured the headquarter router not to NAT the IPSec VPN traffic, which is required to bring up the IPSec VPN tunnel, with a deny statement at the top of the NAT ACL.

HQRT01#sh ip access-lists ACL-DNAT
Extended IP access list ACL-DNAT
    10 deny ip host 172.16.10.10 host 192.168.20.10
    20 permit ip 172.16.10.0 0.0.0.255 any
HQRT01#

We have to do the same for the new tunnel that connects to the new branch office. With the following commands, the headquarter router will not NAT the IPSec VPN traffic to the new branch office. Sequence number 8 places the new deny entry ahead of the existing entries, so it is evaluated before the permit statement.

#ip access-list extended ACL-DNAT
    8 deny ip host 172.16.10.10 host 192.168.30.10

5.8 Test and Verify the Configuration

To bring up the IPSec VPN site-to-site tunnel, we need to send traffic to the IP address of a host in the remote site. Let's test with a ping from PC1 in the head office to PC3 in the new branch office.

PC1> ping 192.168.30.10
84 bytes from 192.168.30.10 icmp_seq=1 ttl=62 time=65.932 ms
84 bytes from 192.168.30.10 icmp_seq=2 ttl=62 time=50.905 ms
84 bytes from 192.168.30.10 icmp_seq=3 ttl=62 time=49.189 ms
84 bytes from 192.168.30.10 icmp_seq=4 ttl=62 time=42.895 ms
84 bytes from 192.168.30.10 icmp_seq=5 ttl=62 time=39.823 ms
PC1>

Since the ping to the host in the new branch office local network succeeded, the IPSec VPN tunnel should be up and running now. We can verify it with the following command on HQRT01.

HQRT01#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation

Interface: FastEthernet0/1
Uptime: 00:00:18
Session status: UP-ACTIVE
Peer: 117.119.10.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 117.119.10.2
      Desc: (none)
  IKE SA: local 203.200.200.2/500 remote 117.119.10.2/500 Active
          Capabilities:(none) connid:1002 lifetime:23:58:57
  IPSEC FLOW: permit ip host 172.16.10.10 host 192.168.20.10
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 9 drop 0 life (KB/Sec) 4593076/86381
        Outbound: #pkts enc'ed 9 drop 1 life (KB/Sec) 4593076/86381

Interface: FastEthernet0/1
Uptime: 00:03:41
Session status: UP-ACTIVE
Peer: 102.168.100.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 102.168.100.2
      Desc: (none)
  IKE SA: local 203.200.200.2/500 remote 102.168.100.2/500 Active
          Capabilities:(none) connid:1001 lifetime:23:56:18
  IPSEC FLOW: permit ip host 172.16.10.10 host 192.168.30.10
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 10 drop 0 life (KB/Sec) 4514876/3378
        Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4514876/3378
HQRT01#

As we can see in the above output, the session with peer IP 102.168.100.2, which is the new branch office, is up and running now.
We can verify on BRRT02 as follows.

BRRT02#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation

Interface: FastEthernet0/1
Uptime: 00:03:29
Session status: UP-ACTIVE
Peer: 203.200.200.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 203.200.200.2
      Desc: (none)
  IKE SA: local 102.168.100.2/500 remote 203.200.200.2/500 Active
          Capabilities:(none) connid:1001 lifetime:23:56:30
  IPSEC FLOW: permit ip host 192.168.30.10 host 172.16.10.10
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 10 drop 0 life (KB/Sec) 4456500/3390
        Outbound: #pkts enc'ed 10 drop 5 life (KB/Sec) 4456500/3390
BRRT02#

5.9 IPSec VPN With Dynamic NAT on New Branch Office Cisco Router

This section applies if Dynamic NAT is configured on the new branch office Cisco router to provide internet access to all computers within its Local Area Network (LAN). The Dynamic NAT configuration is as follows.

On BRRT02

#int f0/0
     ip nat inside
#int f0/1
     ip nat outside
#ip access-list extended ACL-DNAT
     permit ip 192.168.30.0 0.0.0.255 any
#ip nat inside source list ACL-DNAT interface f0/1 overload

We need to configure the new branch office router not to NAT the IPSec VPN traffic; otherwise the VPN tunnel would not come up. This is done with a deny statement at the top of the NAT ACL.

#ip access-list extended ACL-DNAT
    9 deny ip host 192.168.30.10 host 172.16.10.10
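Sections 5.7 and 5.9 both depend on the NAT ACL denying the tunnel's interesting traffic before its permit line. The following script is an added example, not part of the original article or of Cisco's tooling: it parses constructed HQRT01 config text in the form shown above and reports every crypto map flow that the NAT ACL would still translate. The ACL name ACL-HQ2BR1 for the first branch is an assumption; the same function works on a BRRT02 snippet with ACL-BR22HQ and its own ACL-DNAT.

```python
import re
# Constructed HQRT01 snippets in this article's form (not a real capture); the branch-1
# ACL name ACL-HQ2BR1 is assumed, its peer 117.119.10.2 appears in the article's output.
HQ_BEFORE = """\
crypto map HQ-VPN 1 ipsec-isakmp
 set peer 117.119.10.2
 match address ACL-HQ2BR1
crypto map HQ-VPN 2 ipsec-isakmp
 set peer 102.168.100.2
 match address ACL-HQ2BR2
ip access-list extended ACL-HQ2BR1
 permit ip host 172.16.10.10 host 192.168.20.10
ip access-list extended ACL-HQ2BR2
 permit ip host 172.16.10.10 host 192.168.30.10
ip access-list extended ACL-DNAT
 10 deny ip host 172.16.10.10 host 192.168.20.10
 20 permit ip 172.16.10.0 0.0.0.255 any
"""
# The same config after section 5.7's fix: the new deny sits ahead of the permit.
HQ_AFTER = HQ_BEFORE.replace(" 10 deny", " 8 deny ip host 172.16.10.10 host 192.168.30.10\n 10 deny")

def parse_config(text):
    """Collect crypto map entries (seq, peer, acl) and the lines of each named extended ACL."""
    maps, acls, entry, acl = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp", line):
            entry, acl = {"seq": int(m[1])}, None
            maps.append(entry)
        elif m := re.match(r"ip access-list extended (\S+)", line):
            entry, acl = None, acls.setdefault(m[1], [])
        elif entry is not None and line.startswith("set peer "):
            entry["peer"] = line.split()[2]
        elif entry is not None and line.startswith("match address "):
            entry["acl"] = line.split()[2]
        elif acl is not None and (m := re.match(r"(?:\d+ )?(permit|deny) ip (.+)", line)):
            acl.append((m[1], m[2]))  # leading sequence number (show ip access-lists) optional
    return maps, acls

def nat_bypass_problems(text, nat_acl="ACL-DNAT"):
    """(seq, peer, flow) for every tunnel flow the NAT ACL does not deny before its first
    permit line; that traffic is translated and never matches the crypto ACL."""
    maps, acls = parse_config(text)
    denied_first = []
    for action, flow in acls.get(nat_acl, []):
        if action == "permit":
            break  # first match wins, so a deny after this line would be too late
        denied_first.append(flow)
    return [(e["seq"], e["peer"], flow) for e in maps
            for action, flow in acls.get(e["acl"], []) if action == "permit" and flow not in denied_first]
```

Running nat_bypass_problems(HQ_BEFORE) flags crypto map entry 2 (peer 102.168.100.2) because ACL-DNAT has no deny for its flow; after the section 5.7 deny is inserted, HQ_AFTER reports nothing.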

6. Conclusion

Now you should know how to add more peers to an existing IPSec VPN site-to-site tunnel on a Cisco router. To improve your confidence, it is recommended that you practice it on GNS3 VM. If you have any questions or suggestions you can always leave your comments below. I will try my best to review and reply to them.
