Configuring Site-to-Site IPSec VPN Between Cisco Routers

1. Overview

The Cisco ASA firewall appliance is considerably more expensive than a Cisco router. Because of budget constraints, some companies prefer to use a Cisco router as their VPN gateway instead of a Cisco ASA firewall appliance.

This article demonstrates how to configure a site-to-site IPSec VPN between two Cisco routers.

2. Prerequisites

In this tutorial, it is assumed that:

a. You already have a Cisco router up and running on the GNS3 VM. If you don't, follow this link: Installing GNS3 VM on VMware Workstation
b. You understand the encryption and authentication that take place in phase 1 and phase 2 of an IPSec VPN.

3. Lab Scenario Set up

Below is the network diagram of the GNS3 lab used to demonstrate the site-to-site IPSec VPN configuration between two Cisco routers.

At headquarters there is a Cisco router with the hostname HQRT01, and in the branch office there is a Cisco router with the hostname BRRT01. A third router acts as the Internet. The IP configuration of each device follows.

On PC1

PC1> ip 172.16.10.10/24 172.16.10.1

On HQRT01

#int f0/0
   no sh
   ip add 172.16.10.1 255.255.255.0
#int f0/1
   no sh
   ip add 203.200.200.2 255.255.255.252

On Internet router

#int f0/0
   no sh
   ip add 203.200.200.1 255.255.255.252
#int f0/1
   no sh
   ip add 117.119.10.1 255.255.255.252

On BRRT01

#int f0/0
   no sh
   ip add 192.168.20.1 255.255.255.0
#int f0/1
   no sh
   ip add 117.119.10.2 255.255.255.252

On PC2

PC2> ip 192.168.20.10/24 192.168.20.1

4. IPSec VPN Site-to-Site Form

The following is the information that will be used in the site-to-site IPSec VPN configuration.

Firewall Type                Headquarter         Branch Office
Manufacturer                 Cisco               Cisco
Model                        Router              Router
Version                      12.4(15)T13         12.4(15)T13

Configuration                Headquarter         Branch Office
Phase 1
IKE Encryption Algorithm     3DES                3DES
IKE Hash Algorithm           SHA-1               SHA-1
IKE Security Lifetime        86400               86400
Diffie-Hellman Group         2                   2
Pre-shared key               vpn@HQ2BR           vpn@HQ2BR
Phase 2
IPSEC security protocol      ESP                 ESP
IPSEC Encryption Algorithm   3DES                3DES
IPSEC Hash Algorithm         MD5                 MD5
IPSEC Security Lifetime (Optional)
    Headquarter:    □ 14400  □ 28800 (default)  □ 86400  □ Other: ..........
    Branch Office:  □ 14400  □ 28800 (default)  □ 86400  □ Other: ..........
Perfect Forward Secrecy (PFS) (Optional)
    Headquarter:    PFS □ No □ Yes   Group □ 2 (default) □ 5 □ 7
    Branch Office:  PFS □ No □ Yes   Group □ 2 (default) □ 5 □ 7

IP Addressing                Headquarter         Branch Office
Peer IP address              203.200.200.2       117.119.10.2
Local IP address             172.16.10.10/32     192.168.20.10/32

5. Configuration

5.1 Configure Default Route

Apply the following default route configuration.

On HQRT01

#ip route 0.0.0.0 0.0.0.0 203.200.200.1

On BRRT01

#ip route 0.0.0.0 0.0.0.0 117.119.10.1

After applying the default route configuration, HQRT01 and BRRT01 should be able to ping each other's public IP address.

On HQRT01

HQRT01#ping 117.119.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 117.119.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/40/44 ms
HQRT01#

On BRRT01

BRRT01#ping 203.200.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.200.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/20 ms
BRRT01#

5.2 Set Up ISAKMP Policy

Configure IKE to negotiate a security association (SA) with the peer; this sets up the encrypted communication channel between the two VPN endpoints. Apply the following commands on both HQRT01 and BRRT01.

#crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400

5.3 Create IPSec Transform Set

Next, create a transform set, which defines the encryption and authentication used for the IPSec tunnel. The following command, executed on HQRT01, creates a transform set named "HQ-TS01-3DES-MD5".

#crypto ipsec transform-set HQ-TS01-3DES-MD5 esp-3des esp-md5-hmac

Apply the following configuration on BRRT01 to create a transform set named "BR-TS01-3DES-MD5".

#crypto ipsec transform-set BR-TS01-3DES-MD5 esp-3des esp-md5-hmac

5.4 Create ACL For VPN Tunnel

An ACL must be created to match the traffic that is to be sent through the IPSec VPN tunnel.

Create the following ACL on HQRT01.

#ip access-list extended ACL-HQ2BR
  permit ip host 172.16.10.10 host 192.168.20.10

Create the following ACL on BRRT01.

#ip access-list extended ACL-BR2HQ
  permit ip host 192.168.20.10 host 172.16.10.10

5.5 Create VPN Tunnel Group

Create a tunnel group for the site-to-site IPSec VPN connection. Pre-shared key authentication is configured here.

On HQRT01

#crypto isakmp key 0 vpn@HQ2BR address 117.119.10.2

On BRRT01

#crypto isakmp key 0 vpn@HQ2BR address 203.200.200.2

5.6 Configure and Apply Crypto Map

The final step is to configure the crypto map, which combines the IPsec transform set, access list, and tunnel group configured in the previous steps for this specific VPN peer, and to apply it to the interface connected to the Internet.

On HQRT01

#crypto map HQ-VPN 1 ipsec-isakmp
  set peer 117.119.10.2
  set transform-set HQ-TS01-3DES-MD5
  match address ACL-HQ2BR
#int f0/1
  crypto map HQ-VPN

On BRRT01

#crypto map BR-VPN 1 ipsec-isakmp
  set peer 203.200.200.2
  set transform-set BR-TS01-3DES-MD5
  match address ACL-BR2HQ
#int f0/1
  crypto map BR-VPN

5.7 Test and Verify the Configuration

To bring up the site-to-site IPSec VPN tunnel, ping the IP address of a host in the remote site. Let's test by pinging from PC1 in headquarters to PC2 in the branch office.

PC1> ping 192.168.20.10
192.168.20.10 icmp_seq=1 timeout
192.168.20.10 icmp_seq=2 timeout
192.168.20.10 icmp_seq=3 timeout
84 bytes from 192.168.20.10 icmp_seq=4 ttl=62 time=35.695 ms
84 bytes from 192.168.20.10 icmp_seq=5 ttl=62 time=38.991 ms
PC1>

The ping to the remote-site host succeeded, so the IPSec VPN tunnel should be up and running. We can verify this with the following command on HQRT01.

HQRT01#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation

Interface: FastEthernet0/1
Uptime: 00:04:52
Session status: UP-ACTIVE
Peer: 117.119.10.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 117.119.10.2
      Desc: (none)
  IKE SA: local 203.200.200.2/500 remote 117.119.10.2/500 Active
          Capabilities:(none) connid:1001 lifetime:23:47:40
  IPSEC FLOW: permit ip host 172.16.10.10 host 192.168.20.10
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4607176/3307
        Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4607176/3307
HQRT01#
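As an added example that is not part of the original article, the Python below parses the show crypto session detail output above into fields and applies the checks a monitoring job would run against it: session state, the expected IKE peer, the negotiated proxy ID matching the crypto ACL, and outbound drops. The sample input is the article's own HQRT01 output embedded as a string; the function names and finding texts are mine.

```python
# Added example, not from the article: parse the HQRT01 'show crypto session detail' output
# (embedded below as the sample) into fields and run the checks a monitoring job would apply.
import re
SHOW_OUTPUT = """Interface: FastEthernet0/1
Uptime: 00:04:52
Session status: UP-ACTIVE
Peer: 117.119.10.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 117.119.10.2
  IKE SA: local 203.200.200.2/500 remote 117.119.10.2/500 Active
          Capabilities:(none) connid:1001 lifetime:23:47:40
  IPSEC FLOW: permit ip host 172.16.10.10 host 192.168.20.10
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4607176/3307
        Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4607176/3307
"""

FIELDS = {  # one regex per field; lines with several values yield a tuple of groups
    "uptime": r"Uptime: (\d+):(\d+):(\d+)",
    "status": r"Session status: (\S+)",
    "peer": r"Peer: (\S+) port (\d+)",
    "ike": r"IKE SA: local (\S+) remote (\S+) (\S+)",
    "flow": r"IPSEC FLOW: (.+)",
    "active_sas": r"Active SAs: (\d+)",
    "inbound": r"Inbound:\s+#pkts dec'ed (\d+) drop (\d+) life \(KB/Sec\) (\d+)/(\d+)",
    "outbound": r"Outbound:\s+#pkts enc'ed (\d+) drop (\d+) life \(KB/Sec\) (\d+)/(\d+)",
}

def parse_session(text):
    """Map each field to its matched group(s); a field absent from the output is None."""
    parsed = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        parsed[key] = None if m is None else (m.group(1) if m.lastindex == 1 else m.groups())
    return parsed
def ipsec_lifetime_seconds(s):
    """Configured phase 2 lifetime = session uptime + seconds left on the SA (IOS default: 3600)."""
    h, m, sec = map(int, s["uptime"])
    return h * 3600 + m * 60 + sec + int(s["outbound"][3])

def health(s, peer, flow):
    """Findings against the designed peer and crypto ACL; an empty list means every check passed."""
    findings = []
    if s["status"] != "UP-ACTIVE":
        findings.append(f"session status {s['status']}")
    if s["peer"] is None or s["peer"][0] != peer:
        findings.append("IKE peer is not the configured VPN peer")
    if s["flow"] != flow:
        findings.append("negotiated proxy ID differs from the crypto ACL")
    if s["active_sas"] != "2":
        findings.append("expected one inbound and one outbound ESP SA")
    # one outbound drop as the tunnel came up is the packet that triggered IKE; more is a problem
    if s["outbound"] is None or int(s["outbound"][1]) > 1:
        findings.append("outbound drops on an established session")
    return findings
```

On the article's output the uptime plus the remaining SA seconds comes to 3599, which identifies the IOS default phase 2 lifetime of 3600 seconds rather than the form's 28800.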

5.8 IPSec Security Lifetime and PFS (Optional)

Setting the IPSec security lifetime and PFS is not required; without them the VPN tunnel still comes up and runs. If they are needed, the following commands configure them.

On HQRT01

#crypto map HQ-VPN 1 ipsec-isakmp
   set pfs
   set security-association lifetime seconds 86400

On BRRT01

#crypto map BR-VPN 1 ipsec-isakmp
   set pfs
   set security-association lifetime seconds 86400

5.9 IPSec VPN With Dynamic NAT on Cisco Router

Normally, dynamic NAT is configured on the Cisco router to provide Internet access to all computers in the Local Area Network (LAN).

On HQRT01

#int f0/0
    ip nat inside
#int f0/1
    ip nat outside
#ip access-list extended ACL-DNAT
    permit ip 172.16.10.0 0.0.0.255 any
#ip nat inside source list ACL-DNAT interface f0/1 overload

On BRRT01

#int f0/0
     ip nat inside
#int f0/1
     ip nat outside
#ip access-list extended ACL-DNAT
     permit ip 192.168.20.0 0.0.0.255 any
#ip nat inside source list ACL-DNAT interface f0/1 overload

In this case, the router must be configured not to NAT the IPSec VPN traffic; otherwise the VPN tunnel will not come up. This is done with a deny statement at the top of the NAT ACL.

On HQRT01

#ip access-list extended ACL-DNAT
    9 deny ip host 172.16.10.10 host 192.168.20.10

On BRRT01

#ip access-list extended ACL-DNAT
    9 deny ip host 192.168.20.10 host 172.16.10.10
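As an added example that is not part of the original article, the Python below parses the crypto and NAT ACLs of both routers from IOS configuration text and checks the two things sections 5.4 and 5.9 depend on: the crypto ACLs are exact mirror images of each other, and each NAT ACL denies the VPN pair before the LAN permit can NAT it. The snippets are constructed from the article's configuration, with the BRRT01 NAT exemption deliberately omitted so that check fails; the function names are mine, and it assumes host-to-host 'ip' ACEs as used here and '#' marking the configuration prompt as the article writes it.

```python
# Added example, not the article's own config: check that both routers' crypto ACLs mirror each
# other and that each NAT ACL exempts the VPN pair. Assumes host-to-host 'ip' ACEs, '#' as prompt.
import ipaddress
import re
ACE = re.compile(r"^(?:(\d+) )?(permit|deny) ip (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)$")

def parse_acls(config):  # -> {name: [(seq, action, src, dst)]} sorted by sequence number
    acls, name = {}, None
    for raw in config.splitlines():
        line = raw.strip().lstrip("#")  # the article writes the config prompt as '#'
        if line.startswith("ip access-list extended "):
            name = line.split()[3]
            acls.setdefault(name, [])
        elif line and name is not None:
            m = ACE.match(" ".join(line.split()))
            if m is None:
                name = None  # any non-ACE line leaves ACL configuration mode
                continue
            src, dst = (g[5:] if g.startswith("host ") else g for g in (m[3], m[4]))
            # IOS numbers unnumbered ACEs last+10, so a later '9 deny ...' sorts before the first permit
            seq = int(m[1]) if m[1] else max((e[0] for e in acls[name]), default=0) + 10
            acls[name].append((seq, m[2], src, dst))
    return {n: sorted(v) for n, v in acls.items()}
def _covers(spec, host):  # does 'any' | 'A' | 'A WILDCARD' match this single host address?
    if " " not in spec:
        return spec in ("any", host)
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec.split())
    return (int(ipaddress.IPv4Address(host)) ^ net) & ~wild == 0  # wildcard 1-bits are don't-care
def crypto_acls_mirror(a, b):  # phase 2 proxy IDs must be exact mirrors or the IPsec SA fails
    return ({(s, d) for _, act, s, d in a if act == "permit"}
            == {(d, s) for _, act, s, d in b if act == "permit"})
def nat_exempts_vpn(nat, crypto):  # first match wins; no match means not NATed (implicit deny)
    def first_hit(s, d):
        return next((e[1] for e in nat if _covers(e[2], s) and _covers(e[3], d)), "deny")
    return all(first_hit(s, d) == "deny" for _, act, s, d in crypto if act == "permit")

HQ_CFG = """#ip access-list extended ACL-HQ2BR
  permit ip host 172.16.10.10 host 192.168.20.10
#ip access-list extended ACL-DNAT
    permit ip 172.16.10.0 0.0.0.255 any
    9 deny ip host 172.16.10.10 host 192.168.20.10"""  # constructed from the article's snippets
BR_CFG = """#ip access-list extended ACL-BR2HQ
  permit ip host 192.168.20.10 host 172.16.10.10
#ip access-list extended ACL-DNAT
    permit ip 192.168.20.0 0.0.0.255 any"""  # constructed: NAT exemption deliberately omitted
def audit(hq_cfg=HQ_CFG, br_cfg=BR_CFG):
    hq, br = parse_acls(hq_cfg), parse_acls(br_cfg)
    return {"mirror": crypto_acls_mirror(hq["ACL-HQ2BR"], br["ACL-BR2HQ"]),
            "hq_nat_exempt": nat_exempts_vpn(hq["ACL-DNAT"], hq["ACL-HQ2BR"]),
            "br_nat_exempt": nat_exempts_vpn(br["ACL-DNAT"], br["ACL-BR2HQ"])}
```

A single mistyped octet in one side's crypto ACL makes the mirror check fail, which is exactly the phase 2 mismatch that leaves the tunnel down while the pings in section 5.7 time out.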

6. Conclusion

Having finished this article, you should be able to configure a site-to-site IPSec VPN between two Cisco routers. It is a good idea to practice on the GNS3 VM to verify your understanding. If you have any questions or suggestions, you can always leave a comment below. I will do my best to review and reply to them.
