The price of Cisco ASA firewall appliance is very expensive comparing to Cisco router. Due to budget limitation, some companies would prefer to use Cisco router as a VPN gateway instead of Cisco ASA firewall appliance.
In this article will demonstrate how to configure site-to-site IPSec VPN between two Cisco routers.
In this tutorial, it is assumed that:
a. You already have Cisco router on GNS3 VM up and running. In case that you don’t, please follow this link. Installing GNS3 VM on VMware Workstation
b. You need to understand about encryption and authentication that happen at phase 1 and phase 2 of IPSec VPN.
3. Lab Scenario Set up
Below is the network diagram of GNS3 Lab that will be used to demonstrate configuring IPSec VPN site-to-site between two Cisco routers.
In headquarter there is an Cisco router with host name of HQRT01 and there is also a Cisco router locates in branch office with host name BRRT01. There is one router act as internet. The following is the IP configuration of each device.
PC1> ip 172.16.10.10/24 172.16.10.1
#int f0/0 no sh ip add 172.16.10.1 255.255.255.0 #int f0/1 no sh ip add 22.214.171.124 255.255.255.252
On Internet router
#int f0/0 no sh ip add 126.96.36.199 255.255.255.252 #int f0/1 no sh ip add 188.8.131.52 255.255.255.252
#int f0/0 no sh ip add 192.168.20.1 255.255.255.0 #int f0/1 no sh ip add 184.108.40.206 255.255.255.252
PC1> ip 192.168.20.10/24 192.168.20.1
4. IPSec VPN Site-to-Site Form
The following is the information that IPSec VPN site-to-site will be used to in the configuration.
|Firewall Type||Headquarter||Branch Office|
|IKE Encryption Algorithm||3DES||3DES|
|IKE Hash Algorithm||SHA-1||SHA-1|
|IKE Security Lifetime||86400||86400|
|IPSEC security protocol||ESP||ESP|
|IPSEC Encryption Algorithm||3DES||3DES|
|IPSEC Hash Algorithm||MD5||MD5|
|IPSEC Security Lifetime (Optional)||□ 14400 □ 28800 (default) □ 86400 □ Other:……….||□ 14400 □ 28800 (default) □ 86400 □ Other: ……….|
|Perfect Forward Secrecy(PFS) (Optional)||PFS □ No □Yes||Group □ 2(default) □ 5 □ 7||PFS □ No □ Yes||Group □ 2 (default) □ 5 □ 7|
|IP Addressing||Headquarter||Branch Office|
|Peer IP address||220.127.116.11||18.104.22.168|
|Local IP address||172.16.10.10/32||192.168.20.10/32|
5.1 Configure Default Route
Apply the the following default router configuration.
#ip route 0.0.0.0 0.0.0.0 22.214.171.124
#ip route 0.0.0.0 0.0.0.0 126.96.36.199
After apply default route configuration, now both HQRT01 and BRRT01 should be able to ping their public IP each other.
HQRT01#ping 188.8.131.52 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 184.108.40.206, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 28/40/44 ms HQRT01#
BRRT01#ping 220.127.116.11 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 18.104.22.168, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/20 ms BRRT01#
5.2 Set Up ISAKMP Policy
Configure IKE to negotiate an security SA (Security Association) relationship with the peer. It will encrypted communication channels between the two VPN endpoints. Apply the following command on both On HQRT01 and BRRT01.
#crypto isakmp policy 1 authentication pre-share encryption 3des hash sha group 2 lifetime 86400
5.3 Create IPSec Transform Set
Next we need to create a transform set to establishes the encryption and authentication for IPSec tunnel. The follow are the commands to be executed on HQRT01 to create a transform set name “HQ-TS01-3DES-MD5”.
#crypto ipsec transform-set HQ-TS01-3DES-MD5 esp-3des esp-md5-hmac
Apply the follow configuration on BRRT01 to create a transform set name “BR-TS01-3DES-MD5”
#crypto ipsec transform-set BR-TS01-3DES-MD5 esp-3des esp-md5-hmac
5.4 Create ACL For VPN Tunnel
To match the traffic for IPSec VPN tunnel, an ACL must be created.
Create the following ACL on HQRT01.
#ip access-list extended ACL-HQ2BR permit ip host 172.16.10.10 host 192.168.20.10
Create the following ACL on BRRT01.
#ip access-list extended ACL-BR2HQ permit ip host 22.214.171.124 host 172.16.10.10
5.5 Create VPN Tunnel Group
Create a tunnel group for IPSec VPN site-to-site connection. Pre-shred key authentication is to be configured here.
#crypto isakmp key 0 vpn@HQ2BR address 126.96.36.199
#crypto isakmp key 0 vpn@HQ2BR address 188.8.131.52
5.6 Configure and Apply Crypto Map
Below is the final step that we need to configure the crypto map to combine IPsec transform set, access list, and tunnel group configured in the previous steps for that specific VPN peer and apply it to the interface that connected to the internet.
#crypto map HQ-VPN 1 ipsec-isakmp set peer 184.108.40.206 set transform-set HQ-TS01-3DES-MD5 match address ACL-HQ2BR #int f0/1 crypto map HQ-VPN
#crypto map BR-VPN 1 ipsec-isakmp set peer 220.127.116.11 set transform-set BR-TS01-3DES-MD5 match address ACL-BR2HQ #int f0/1 crypto map BR-VPN
5.7 Test and Verify the Configuration
To bring up the IPSec VPN site-to-site tunnel, we need to ping the IP address of the host in the remote site. Let test to ping from PC1 in headquarter to PC2 in branch office.
PC1> ping 192.168.20.10 192.168.20.10 icmp_seq=1 timeout 192.168.20.10 icmp_seq=2 timeout 192.168.20.10 icmp_seq=3 timeout 84 bytes from 192.168.20.10 icmp_seq=4 ttl=62 time=35.695 ms 84 bytes from 192.168.20.10 icmp_seq=5 ttl=62 time=38.991 ms PC1>
We got the successful result to ping IP of host on the remote site, the IPSec VPN tunnel should be up and running now. We can verify it with the following command on HQRT01.
HQRT01#sh crypto session detail Crypto session current status Code: C - IKE Configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication F - IKE Fragmentation Interface: FastEthernet0/1 Uptime: 00:04:52 Session status: UP-ACTIVE Peer: 18.104.22.168 port 500 fvrf: (none) ivrf: (none) Phase1_id: 22.214.171.124 Desc: (none) IKE SA: local 126.96.36.199/500 remote 188.8.131.52/500 Active Capabilities:(none) connid:1001 lifetime:23:47:40 IPSEC FLOW: permit ip host 172.16.10.10 host 192.168.20.10 Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4607176/3307 Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4607176/3307 HQRT01#
5.8 IPSec Security Lifetime and PFS (Optional)
It is not required to set IPSec security lifetime and PFS. Without it the VPN tunnel still up and running. If it is needed, the following are the commands to configure it.
#crypto map HQ-VPN 1 ipsec-isakmp set pfs set security-association lifetime seconds 86400
#crypto map BR-VPN 1 ipsec-isakmp set pfs set security-association lifetime seconds 86400
5.9 IPSec VPN With Dynamic NAT on Cisco Router
Normally, Dynamic NAT is configured on Cisco router to provide internet access to all computers within Local Area Network (LAN).
#int f0/0 ip nat inside #int f0/1 ip nat outside #ip access-list extended ACL-DNAT permit ip 172.16.10.0 0.0.0.255 any #ip nat inside source list ACL-DNAT interface f0/1 overload
#int f0/0 ip nat inside #int f0/1 ip nat outside #ip access-list extended ACL-DNAT permit ip 192.168.20.0 0.0.0.255 any #ip nat inside source list ACL-DNAT interface f0/1 overload
In this case, we need to configure that router not to NAT the IPSec VPN traffic otherwise VPN tunnel would not be up. This could be done with the deny statement in top of the NAT ACL.
#ip access-list extended ACL-DNAT 9 deny ip host 172.16.10.10 host 192.168.20.10
#ip access-list extended ACL-DNAT 9 deny ip host 192.168.20.10 host 172.16.10.10
Having finished this article, you should be able to configure IPSec VPN site-to-site between two Cisco routers. It is a great idea if you could practice with GNS3 MV to verify your understanding. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.