A site-to-site IPSec VPN tunnel connects two sites, such as offices or branches, so that data, voice and video can be exchanged securely between them. The tunnel is built across the public network, the Internet, and the traffic inside it is encrypted and integrity-protected with standard cryptographic algorithms, so data can be transmitted between the sites confidentially and without undetected tampering.

Here we will discuss how to set up and configure a secure site-to-site VPN tunnel over the Internet between two sites using the IPSec protocol suite.


Scenario:

We have one Cisco router at each of the two branch offices, each with a statically configured public IP address on its Internet-facing interface.

Two protocols are needed to create and protect the VPN tunnel: ISAKMP (Internet Security Association and Key Management Protocol), which authenticates the peers and negotiates the keys, and IPSec (IP Security), which encrypts and authenticates the traffic itself.

ISAKMP, usually referred to as the Internet Key Exchange (IKE) protocol (the crypto isakmp commands used on this page configure IKEv1), is the negotiation protocol that lets two peers authenticate each other and agree on the security associations (SAs) that IPSec will use. It runs in two phases, called phase 1 and phase 2.

Fig-1: Site-to-Site IPSec VPN


Phase 1

Phase 1 builds the first, bidirectional security association (the ISAKMP SA). The peers authenticate each other (here with a pre-shared key), run a Diffie-Hellman exchange, and the keys derived from it protect every later ISAKMP negotiation message.


Phase 2

Phase 2, protected by the phase 1 SA, negotiates the IPSec security associations (one per direction) that protect the data. Data is then encrypted with the IPSec (ESP) algorithms agreed in this phase, which also provide integrity, data-origin authentication and anti-replay protection.

To make the concept concrete, let's follow the configuration steps for phase 1 and phase 2.

Before going to phase 1 and phase 2, a quick look at the basic setup:

We have one Cisco router named R1-BA in the branch office at site A and a second Cisco router named R2-BB in the branch office at site B.

Both routers, R1-BA and R2-BB, are connected to the Internet with public IP addresses. (The addresses 1.1.1.1 and 1.1.1.2 are used below as placeholders; they are real routable addresses, so substitute your own.)

R1-BA's internal network (LAN) is 192.168.10.0/24; 192.168.10.1/24 is configured on the inside interface FE 0/1 and the public IP address 1.1.1.1 on the outside interface FE 0/2.

R2-BB's internal network (LAN) is 192.168.20.0/24; 192.168.20.1/24 is configured on the inside interface FE 0/1 and the public IP address 1.1.1.2 on the outside interface FE 0/2.


Goal:

Our goal is to configure an IPSec VPN tunnel between the two branch offices that allows secure, unrestricted communication between the LAN of R1-BA and the LAN of R2-BB.

 

Phase 1 Configuration

R1-BA

ISAKMP Phase 1 policy:

R1-BA(config)#  crypto isakmp policy 1

R1-BA(config-isakmp)# encr 3des

R1-BA(config-isakmp)# hash md5

R1-BA(config-isakmp)# authentication pre-share

R1-BA(config-isakmp)# group 2

R1-BA(config-isakmp)# lifetime 86400

 

Encryption method for phase 1 - 3DES

Hashing algorithm - MD5

Authentication method - pre-shared key

Diffie-Hellman group - group 2 (1024-bit MODP)

ISAKMP SA lifetime - 86400 seconds (24 hours)

These values will still negotiate, but 3DES, MD5 and DH group 2 are legacy choices that current guidance rates as weak. On a current IOS release prefer encr aes 256, hash sha256 and group 14 or higher; the policy must be changed on both routers, since the parameters have to match exactly.


The same configuration on the other side, at branch office site B:

R2-BB

ISAKMP Phase 1 policy:

R2-BB(config)#  crypto isakmp policy 1

R2-BB(config-isakmp)# encr 3des

R2-BB(config-isakmp)# hash md5

R2-BB(config-isakmp)# authentication pre-share

R2-BB(config-isakmp)# group 2

R2-BB(config-isakmp)# lifetime 86400

Note that ISAKMP policies are global on the router, not tied to a peer or an interface. If you have three remote branches with one policy for each, the initiating router offers all three policies during the negotiation; the responding router compares them against its own policies in order of priority (lowest policy number first) and accepts the first one whose encryption, hash, authentication method and DH group match, so the policy actually used must exist on both sides.

Define the pre-shared key, ciscopresh in our case, for authentication on both routers. R1-BA (1.1.1.1) uses it every time it establishes a VPN tunnel with R2-BB (1.1.1.2), and R2-BB uses the same key for R1-BA. The key is stored in the running configuration, so choose a long random value rather than a dictionary word like this one, and restrict who can view the configuration.

R1-BA(config)# crypto isakmp key ciscopresh address 1.1.1.2

R2-BB(config)# crypto isakmp key ciscopresh address 1.1.1.1
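To see how the responder picks a phase 1 policy, here is a small Python model, added as an example and not taken from the page or from Cisco, of the IOS matching rule as Cisco documents it: the initiator offers all of its policies, the responder walks its own list from the lowest policy number upward and accepts the first one whose encryption, hash, authentication and DH group match an offered policy and whose lifetime is at least the offered one, and the shorter lifetime is used. The PAGE_POLICY and HARDENED_POLICY names and the legacy-parameter lists are this example's own; the hardened values (aes 256, sha256, group 14) are valid keywords on current IOS releases.

```python
"""Model of how a Cisco IOS responder selects an ISAKMP (IKEv1 phase 1) policy.

Added example, not code from the original page. It follows the IOS rule as
Cisco documents it: the initiator offers every policy it has, the responder
walks its own policies from the lowest priority number upward and takes the
first one whose encryption, hash, authentication and DH group equal an offered
policy and whose lifetime is >= the offered lifetime; the shorter lifetime is
used. The legacy-parameter sets below are this example's own.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # crypto isakmp policy <priority>; lower number wins
    encr: str              # encr 3des | aes 128 | aes 256
    hash: str              # hash md5 | sha | sha256
    authentication: str    # authentication pre-share | rsa-sig
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # ISAKMP SA lifetime in seconds

    def proposal(self):
        """The four values that must be identical on both peers."""
        return (self.encr, self.hash, self.authentication, self.group)


# Still configurable, but rated legacy/avoid in Cisco's Next Generation
# Encryption guidance: DES and 3DES, MD5 and SHA-1 ("sha"), DH groups 1, 2, 5.
LEGACY_ENCR = {"des", "3des"}
LEGACY_HASH = {"md5", "sha"}
LEGACY_GROUPS = {1, 2, 5}

# The page's policy, and a stronger replacement suggested by this example
# (aes 256, sha256 and group 14 are valid keywords on current IOS releases).
PAGE_POLICY = IsakmpPolicy(1, "3des", "md5", "pre-share", 2, 86400)
HARDENED_POLICY = IsakmpPolicy(10, "aes 256", "sha256", "pre-share", 14, 86400)


def weak_parameters(policy):
    """List the parameters of a policy that should be replaced."""
    weak = []
    if policy.encr in LEGACY_ENCR:
        weak.append(f"encr {policy.encr}")
    if policy.hash in LEGACY_HASH:
        weak.append(f"hash {policy.hash}")
    if policy.group in LEGACY_GROUPS:
        weak.append(f"group {policy.group}")
    return weak


def negotiate(initiator, responder):
    """Return the policy the responder accepts, or None when nothing matches."""
    offered = sorted(initiator, key=lambda p: p.priority)
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in offered:
            if local.proposal() == remote.proposal() and remote.lifetime <= local.lifetime:
                # Same parameters; the initiator's (shorter or equal) lifetime is used.
                return replace(local, lifetime=remote.lifetime)
    return None


if __name__ == "__main__":
    print("page policy on both :", negotiate([PAGE_POLICY], [PAGE_POLICY]))
    print("weak parameters     :", weak_parameters(PAGE_POLICY))
    # R1 keeps both policies, R2 only the hardened one: the strong policy is used.
    print("R2 hardened only    :", negotiate([PAGE_POLICY, HARDENED_POLICY], [HARDENED_POLICY]))
    # Both routers keep both: policy 1 is compared first, so the weak one still wins.
    both = [PAGE_POLICY, HARDENED_POLICY]
    print("both keep both      :", negotiate(both, both))
```

The last case is the one to remember when hardening an existing tunnel: adding a stronger policy with a higher number changes nothing while the weak policy 1 is still present on both sides, because the responder compares its lowest-numbered policy first. Give the strong policy the lowest number, or remove the weak one, on both routers.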

 

Moving on to Phase 2 – IPSec

We need four steps to complete phase 2:

  • Create an extended Access list
  • Define IPSec Transform set for phase 2
  • Create Crypto Map
  • Apply crypto map to the interface

 

Let’s go through each step one by one.


Create an extended Access list

Create an extended access list named VPN-ACL that selects, by source and destination, the traffic that must go through the VPN tunnel. This type of access list is also called a crypto access list: a permit entry means "protect this traffic", a deny entry means "send it unprotected". In our case we allow the complete LAN of site A to reach the complete LAN of site B and vice versa, but the list can be made more specific by using a narrower wildcard mask or a smaller address range instead of the whole /24. Whatever you choose, the crypto access list on the peer must be the exact mirror image (source and destination swapped), otherwise the phase 2 proposals will not match and the tunnel will not come up.

R1-BA(config)# ip access-list extended VPN-ACL
R1-BA(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255


Define IPSec Transform set for phase 2

Define a transform set, named set1, that protects the data: the encryption method is ESP with 3DES and the integrity (hash) algorithm is MD5-HMAC. As in phase 1, these are legacy algorithms; on a current IOS release prefer esp-aes 256 with esp-sha256-hmac, on both routers.

R1-BA(config)# crypto ipsec transform-set set1 esp-3des esp-md5-hmac

 

Create Crypto Map

Create a crypto map named map1 with sequence number 10 (any value from 1 to 65535; lower numbers are evaluated first), point it at the peer, and attach the transform set created in step 2 and the crypto access list from step 1.

R1-BA(config)# crypto map map1 10 ipsec-isakmp

R1-BA(config-crypto-map)# set peer 1.1.1.2

R1-BA(config-crypto-map)# set transform-set set1

R1-BA(config-crypto-map)# match address VPN-ACL

Note that the ipsec-isakmp keyword tells the router that this crypto map entry uses IKE to negotiate its IPSec SAs (as opposed to ipsec-manual, where the keys are configured statically). Multiple peers can be declared in one crypto map entry, and the router tries them in order if the first does not respond, but in our scenario we declare only the one we need, 1.1.1.2.

 

Apply crypto map to the interface

In the final step, apply crypto map map1 to the router's outgoing interface, the one connected to the Internet, FE 0/2. Keep in mind that only one crypto map can be assigned to an interface; tunnels to additional sites are added as further entries of the same map with different sequence numbers.

R1-BA(config)# interface FastEthernet0/2
R1-BA(config-if)# crypto map map1

After the crypto map is applied to the interface, the router logs a message confirming that ISAKMP has been turned on (%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON).

Now move to router 2 at branch office site B and configure the same commands with the addresses mirrored: the crypto access list swaps source and destination, and the peer is R1-BA's public address.

R2-BB(config)# ip access-list extended VPN-ACL

R2-BB(config-ext-nacl)# permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

R2-BB(config)# crypto ipsec transform-set set1 esp-3des esp-md5-hmac

R2-BB(config)# crypto map map1 10 ipsec-isakmp

R2-BB(config-crypto-map)# set peer 1.1.1.1

R2-BB(config-crypto-map)# set transform-set set1

R2-BB(config-crypto-map)# match address VPN-ACL

R2-BB(config)# interface FastEthernet0/2
R2-BB(config-if)# crypto map map1


NAT with VPN

Network Address Translation (NAT) is also needed so that LAN users can reach the Internet. Traffic to the other site through the VPN must not be translated, though: the crypto access list matches on the private source address, and on outbound packets IOS performs inside-to-outside NAT before it consults the crypto map, so a translated packet would never match VPN-ACL and would be sent to the Internet unencrypted (and then dropped, since the private destination is not routable). We therefore instruct the router not to NAT VPN traffic with a deny statement for that traffic.

This is done by inserting a deny statement at the beginning of the NAT access list, before the permit that translates Internet-bound traffic, since entries are evaluated in order and the first match wins:


Solution:

Add a deny statement to the NAT access list on both routers, each with its own LAN as the source. For the translation to take effect at all, the interfaces also need ip nat inside (FE 0/1) and ip nat outside (FE 0/2).

R1-BA(config)# ip nat inside source list 100 interface fastethernet0/2 overload

R1-BA(config)# access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

R1-BA(config)# access-list 100 permit ip 192.168.10.0 0.0.0.255 any

 

R2-BB(config)# ip nat inside source list 100 interface fastethernet0/2 overload

R2-BB(config)# access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

R2-BB(config)# access-list 100 permit ip 192.168.20.0 0.0.0.255 any
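The two most common reasons a setup like this fails in practice are a crypto access list that is not the mirror image of the peer's and a NAT access list that translates VPN traffic before the deny entry can catch it. The Python script below, an added example and not part of the original page, parses small configuration fragments (constructed here from the page's addressing, not captured from a router), checks both conditions, and flags a NAT list whose deny entry still names the other router's LAN as the source, a typical copy-paste slip when the second router is configured from the first one's commands. It only understands the "permit/deny ip <network> <wildcard>" and "any" forms used on this page.

```python
"""Checks for two phase 2 mistakes: crypto access lists that are not mirror
images of each other, and a NAT access list that translates VPN traffic before
the deny entry catches it.

Added example, not part of the original page. The configuration fragments are
constructed from the page's addressing, not captured from a router. Only the
"permit|deny ip <network> <wildcard>" and "any" forms used on the page are parsed.
"""
import ipaddress
import re

R1_CONFIG = """\
ip access-list extended VPN-ACL
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
"""

# Constructed slip: the permit was edited for site B but the deny still names
# site A's LAN as source, so it never matches R2-BB's own outbound traffic.
R2_BAD_CONFIG = """\
ip access-list extended VPN-ACL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
"""

R2_GOOD_CONFIG = """\
ip access-list extended VPN-ACL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
"""

ADDR = r"any|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+"
ACE = re.compile(rf"^(permit|deny) ip ({ADDR}) ({ADDR})$")


def to_network(token):
    """'any' or '<address> <wildcard>' -> ip_network (ipaddress accepts a hostmask)."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    address, wildcard = token.split()
    return ipaddress.ip_network(f"{address}/{wildcard}")


def parse_ace(text):
    """One access-list entry -> (action, source network, destination network)."""
    m = ACE.match(text)
    if not m:
        raise ValueError(f"unsupported access-list entry: {text!r}")
    return (m.group(1), to_network(m.group(2)), to_network(m.group(3)))


def parse_acls(config):
    """Return {name_or_number: [(action, src_net, dst_net), ...]} in config order."""
    acls, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        named = re.match(r"ip access-list extended (\S+)$", line)
        numbered = re.match(r"access-list (\d+) (.+)$", line)
        if named:
            current = named.group(1)
            acls.setdefault(current, [])
        elif numbered:
            current = None
            acls.setdefault(numbered.group(1), []).append(parse_ace(numbered.group(2)))
        elif line.startswith(" ") and current is not None:
            acls[current].append(parse_ace(line.strip()))
        else:
            current = None
    return acls


def mirror_issues(local_crypto, remote_crypto):
    """Each permit src->dst on one side needs a permit dst->src on the other."""
    remote_pairs = {(s, d) for a, s, d in remote_crypto if a == "permit"}
    return [f"peer has no mirror entry for {s} -> {d}"
            for a, s, d in local_crypto if a == "permit" and (d, s) not in remote_pairs]


def nat_issues(crypto_acl, nat_acl):
    """The first NAT entry covering a VPN flow must be a deny: NAT runs before the
    crypto map on outbound packets, so a translated packet never matches VPN-ACL."""
    issues = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        for nat_action, nat_src, nat_dst in nat_acl:
            if src.subnet_of(nat_src) and dst.subnet_of(nat_dst):
                if nat_action == "permit":
                    issues.append(f"{src} -> {dst} is translated before it can be encrypted")
                break  # first match wins, exactly as the router evaluates the list
    return issues


def audit(local_config, peer_config, crypto_name="VPN-ACL", nat_list="100"):
    """Mirror check against the peer plus NAT exemption check on the local router."""
    local, peer = parse_acls(local_config), parse_acls(peer_config)
    return (mirror_issues(local[crypto_name], peer[crypto_name])
            + nat_issues(local[crypto_name], local[nat_list]))


if __name__ == "__main__":
    for name, cfg, peer in (("R1-BA", R1_CONFIG, R2_GOOD_CONFIG),
                            ("R2-BB with copied deny", R2_BAD_CONFIG, R1_CONFIG),
                            ("R2-BB fixed", R2_GOOD_CONFIG, R1_CONFIG)):
        print(name, audit(cfg, peer) or "OK")
```

The NAT check deliberately reproduces the router's first-match evaluation rather than just looking for a deny somewhere in the list, so a deny placed after the permit is reported too. Run it against both routers: each one is checked as "local" with the other as the peer, because the mirror condition has to hold in both directions.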

 

Verification:

Check connectivity with a ping from a host in the LAN of R1-BA to a host in the LAN of R2-BB. The first packets are what bring the tunnel up, so one or two may be lost while phase 1 and phase 2 complete. Also check Internet connectivity from each LAN to confirm that NAT still works for non-VPN traffic.

The tunnel can be checked on either router with the show crypto session command. show crypto isakmp sa shows the phase 1 SA (state QM_IDLE once it is established), and show crypto ipsec sa shows the phase 2 SAs together with their encrypted and decrypted packet counters, which should increase while the ping runs.
