Private WAN services such as leased lines and MPLS provide security because each customer’s traffic is separated by using dedicated physical connections (leased lines, for example) or by using MPLS tags. However, when using the internet as a WAN to connect sites together, there is no built-in security by default. To provide secure communications over the internet, VPNs (Virtual Private Networks) are used.
There are two kinds of internet VPNs: Site-to-site VPNs using IPsec and Remote Access VPNs using TLS.
A site-to-site VPN is a connection between two devices and is used to link two sites together over the internet. In a site-to-site VPN, a VPN tunnel is created between the two devices by encapsulating the original IP packet with a VPN header and a new IP header. When using IPsec, the original packet is encrypted before being encapsulated with the new header. This is what makes IPsec secure.
Here is a summary of how an IPsec tunnel works:
- The sending device combines the original packet and the encryption key and runs them through an encryption algorithm.
- The sending device encapsulates the encrypted packet with a VPN header and a new IP header.
- The sending device sends the new packet to the device on the other side of the tunnel.
- The receiving device decrypts the data to get the original packet and then forwards the original packet to the destination.
In a “site-to-site” VPN, a tunnel is formed only between two tunnel endpoints (for example, two routers connected to the internet). All other devices in each site don’t need to create a VPN for themselves. They can send unencrypted data to their site’s router, which will encrypt it and forward it in the tunnel as described above.
There is a limitation to standard IPsec: it supports only unicast traffic, not broadcast or multicast traffic. This means that routing protocols such as OSPF can’t be used over the tunnels because they rely on multicast traffic. This can be solved with GRE over IPsec, which we will cover in another post.
In this post, I will show you how to configure an IPSec VPN tunnel on a Cisco router.
Let’s get started.
Network Topology
The network topology we will be using in this post is shown below. As you can see, it consists of two routers with separate connections to the internet. In this demonstration, we will be configuring an IPSec VPN tunnel between the two routers so that communications between them through the internet (Router 2) are secured.
How to Configure IPSec VPN Tunnel in Cisco Router
Here are the steps to configure an IPSec VPN tunnel on Cisco routers using the network topology shown above.
Step 1: Configure the Interfaces of the Routers
The first step is to assign an IP address to the interfaces of the routers. The configuration to do this is shown below.
Router 1
R1(config)#interface ethernet0/0
R1(config-if)#ip address 11.11.11.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface ethernet0/1
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
Router 2
R2(config)#interface ethernet0/0
R2(config-if)#ip address 11.11.11.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface ethernet0/1
R2(config-if)#ip address 22.22.22.5 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
Router 3
R3(config)#interface ethernet0/0
R3(config-if)#ip address 22.22.22.6 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface ethernet0/1
R3(config-if)#ip address 192.168.21.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
Step 2: Configure Default routes
A default route is the route the router uses to forward traffic whose destination is not in the routing table. In the network we are using for the demonstration, we will be configuring a default route on both Router 1 and Router 3.
Router 1
R1(config)#ip route 0.0.0.0 0.0.0.0 11.11.11.2
Router 3
R3(config)#ip route 0.0.0.0 0.0.0.0 22.22.22.5
Step 3: Configure IPSec VPN Tunnel
Like we stated before, the IPSec VPN tunnel we are creating in this demonstration is between Router1 and Router3, so the configuration is going to be on each of the routers.
Router 1
R1(config)#crypto isakmp policy 10 <-- [Step1]: Configure ISAKMP (IKE) - (ISAKMP Phase 1) -->
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha256
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco123 address 22.22.22.6 <-- [Step2]: Define a pre shared key for authentication with our peer (R3 router) -->
R1(config)#crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac <-- [Step3]: Create IPSec Transform (ISAKMP Phase 2 Policy) -->
R1(cfg-crypto-trans)#exit
R1(config)#access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.21.0 0.0.0.255 <-- [Step4]:Creating Extended ACL (source network to destination network) -->
R1(config)#crypto map AESMAP 10 ipsec-isakmp <-- [Step5]: Create Crypto Map -->
R1(config-crypto-map)#set peer 22.22.22.6
R1(config-crypto-map)#set transform-set TS
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#exit
R1(config)#interface ethernet0/0 <-- [Step6]: Apply Crypto Map To The Public Interface -->
R1(config-if)#crypto map AESMAP
R1(config-if)#exit
*Dec 29 11:15:23.206: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON <-- As soon as we apply the crypto map to the interface, the router logs a message confirming that ISAKMP is on: “ISAKMP is ON”.
Here’s a brief explanation of the above commands:
- crypto isakmp policy 10: This command configures an Internet Security Association and Key Management Protocol (ISAKMP) policy with policy number 10. ISAKMP is also known as Internet Key Exchange (IKE), and it is used to establish a secure communication channel (ISAKMP Phase 1) between two devices before setting up the VPN tunnel.
- encryption aes 256: Within the ISAKMP policy configuration mode (config-isakmp), this command specifies the encryption algorithm used to secure the ISAKMP Phase 1 negotiation. In this case, it selects AES (Advanced Encryption Standard) with a key length of 256 bits.
- hash sha256: Also within the ISAKMP policy configuration mode (config-isakmp), this command specifies the hashing algorithm used for integrity protection during the ISAKMP Phase 1 negotiation. It selects the SHA-256 (Secure Hash Algorithm 256-bit) hash algorithm.
- authentication pre-share: Within the ISAKMP policy configuration mode (config-isakmp), this command specifies the authentication method used during the ISAKMP Phase 1 negotiation. In this case, it sets the method to pre-shared keys (PSK), where both parties (R1 and the remote peer) must have a pre-configured shared secret to authenticate each other during the negotiation.
- crypto isakmp key cisco123 address 22.22.22.6: This command configures a pre-shared key (PSK) for authentication during the ISAKMP (IKE) Phase 1 negotiation. The key “cisco123” is configured to authenticate communication with the peer device located at IP address 22.22.22.6, so it is used only for the Phase 1 negotiation between R1 and that remote peer.
- crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac: This command defines an IPsec transform set named “TS”. A transform set specifies the combination of encryption and integrity algorithms used to protect the IPsec traffic. In this case, it specifies the ESP (Encapsulating Security Payload) protocol with AES and a 256-bit key (esp-aes 256) for data confidentiality, and the SHA-256 HMAC (Hashed Message Authentication Code) algorithm (esp-sha256-hmac) for integrity protection. This transform set defines the security parameters used for the IPsec-protected traffic between R1 and its remote peer.
- access-list 100 permit ip 192.168.12.0 0.0.0.255 192.168.21.0 0.0.0.255: This command creates an access control list (ACL) numbered 100. It permits IP traffic (permit ip) from the source network 192.168.12.0/24 to the destination network 192.168.21.0/24. This ACL is used later to define the interesting traffic that should be protected by the VPN tunnel.
- crypto map AESMAP 10 ipsec-isakmp: This command creates a crypto map named “AESMAP” with sequence number 10. It specifies that this crypto map will be used for IPsec with ISAKMP (IKE) negotiation.
- set peer 22.22.22.6: Within the crypto map configuration mode (config-crypto-map), this command specifies the IP address of the remote peer with which R1 will establish the VPN tunnel.
- set transform-set TS: Also within the crypto map configuration mode (config-crypto-map), this command selects the transform set named “TS” that defines the encryption and integrity algorithms used to protect the VPN traffic.
- match address 100: Within the crypto map configuration mode (config-crypto-map), this command references ACL 100 created earlier. It associates the ACL with this crypto map, so that traffic matching the ACL is protected by the VPN tunnel defined by this crypto map.
- crypto map AESMAP: This command is applied to an interface (here, the public Ethernet interface) to activate the previously configured crypto map (“AESMAP”) on that interface. This enables the interface to participate in VPN establishment and to encrypt/decrypt traffic according to the parameters defined in the crypto map.
Router 3
R3(config)#crypto isakmp policy 10 <-- [Step1]: Configure ISAKMP (IKE) - (ISAKMP Phase 1) -->
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha256
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#exit
R3(config)#crypto isakmp key cisco123 address 11.11.11.1 <-- [Step2]: Define a pre shared key for authentication with our peer (R1 router) -->
R3(config)#crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac <-- [Step3]: Create IPSec Transform (ISAKMP Phase 2 Policy) -->
R3(cfg-crypto-trans)#exit
R3(config)#access-list 100 permit ip 192.168.21.0 0.0.0.255 192.168.12.0 0.0.0.255 <-- [Step4]: Creating Extended ACL (source network to destination network) -->
R3(config)#crypto map AESMAP 10 ipsec-isakmp <-- [Step5]: Create Crypto Map -->
R3(config-crypto-map)#set peer 11.11.11.1
R3(config-crypto-map)#set transform-set TS
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#exit
R3(config)#interface ethernet0/0 <-- [Step6]: Apply Crypto Map To The Public Interface -->
R3(config-if)#crypto map AESMAP
R3(config-if)#exit
*Dec 29 11:23:40.171: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON <-- As soon as we apply crypto map on the interface, we receive a message from the router that confirms isakmp is on: “ISAKMP is ON”.
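The two endpoints must agree on the Phase 1 policy, the pre-shared key, the transform set and the peer addresses, and their crypto ACLs must be mirror images; a mismatch in any of these is the usual reason a tunnel never comes up. The following Python script is an added example, not part of this post or any Cisco tool: it rebuilds the post's R1 and R3 crypto settings as constructed sample text and reports any setting that does not mirror between the two routers (sample_cfg, parse and check_pair are names assumed by the example).

```python
# Added example (not from the post or Cisco): check that the crypto settings
# on the two tunnel endpoints mirror each other. sample_cfg() is a constructed
# stand-in for running-config text, built from the post's R1/R3 values.
def sample_cfg(local_lan, remote_lan, peer_ip, key="cisco123"):
    return f"""crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
crypto isakmp key {key} address {peer_ip}
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
access-list 100 permit ip {local_lan} 0.0.0.255 {remote_lan} 0.0.0.255
crypto map AESMAP 10 ipsec-isakmp
 set peer {peer_ip}
 set transform-set TS
 match address 100"""

R1_CFG = sample_cfg("192.168.12.0", "192.168.21.0", "22.22.22.6")
R3_CFG = sample_cfg("192.168.21.0", "192.168.12.0", "11.11.11.1")

def parse(cfg, public_ip):
    # Pull out only the fields that must agree between the two endpoints.
    d = {"public_ip": public_ip, "policy": {}, "acl": []}
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] in ("encryption", "hash", "authentication"):  # phase 1 policy
            d["policy"][w[0]] = " ".join(w[1:])
        elif w[:3] == ["crypto", "isakmp", "key"]:
            d["psk"], d["psk_peer"] = w[3], w[5]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            d["ts"] = (w[3], tuple(w[4:]))  # name, phase 2 algorithms
        elif w[0] == "access-list":
            d["acl"].append(tuple(w[4:8]))  # src, wildcard, dst, wildcard
        elif w[:2] == ["set", "peer"]:
            d["peer"] = w[2]
    return d

def check_pair(a, b):
    # Return the mismatches between two endpoints; an empty list means they agree.
    issues = []
    if a["policy"] != b["policy"]:
        issues.append("ISAKMP phase 1 policy differs")
    if a["psk"] != b["psk"]:
        issues.append("pre-shared keys differ")
    if a["ts"][1] != b["ts"][1]:
        issues.append("transform-set algorithms differ")
    for me, other in ((a, b), (b, a)):
        if me["psk_peer"] != other["public_ip"] or me["peer"] != other["public_ip"]:
            issues.append(f"{me['public_ip']}: peer/PSK address is not {other['public_ip']}")
    if a["acl"] != [(d, dw, s, sw) for (s, sw, d, dw) in b["acl"]]:  # src/dst swapped
        issues.append("crypto ACLs are not mirror images")
    return issues
```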
Step 4: Configure Host Devices
As shown in the network topology, we only have two host devices: one at Router 1 and the other at Router 2.
PC2
Disable the routing table, configure the IP address on Ethernet0/0, set the IP gateway on PC2, and try to ping the gateway (192.168.21.1).
PC2(config)#no ip routing
PC2(config)#interface ethernet0/0
PC2(config-if)#ip address 192.168.21.2 255.255.255.0
PC2(config-if)#no shutdown
PC2(config-if)#exit
PC2(config)#ip default-gateway 192.168.21.1
PC1
Disable the routing table, configure the IP address on Ethernet0/0, set the IP gateway on PC1, and try to ping the gateway (192.168.12.1).
PC1(config)#no ip routing
PC1(config)#interface ethernet0/0
PC1(config-if)#ip address 192.168.12.2 255.255.255.0
PC1(config-if)#no shutdown
PC1(config-if)#exit
PC1(config)#ip default-gateway 192.168.12.1
Step 5: Verify that The IPSec Tunnel is created
We can do this by running the “show crypto session” command from the global config mode of each of routers 1 and 3.
R1#show crypto session
Crypto session current status
Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: 22.22.22.6 port 500
Session ID: 0
IKEv1 SA: local 11.11.11.1/500 remote 22.22.22.6/500 Active
IPSEC FLOW: permit ip 192.168.12.0/255.255.255.0 192.168.21.0/255.255.255.0
Active SAs: 2, origin: crypto map
R3#show crypto session
Crypto session current status
Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: 11.11.11.1 port 500
Session ID: 0
IKEv1 SA: local 22.22.22.6/500 remote 11.11.11.1/500 Active
IPSEC FLOW: permit ip 192.168.21.0/255.255.255.0 192.168.12.0/255.255.255.0
Active SAs: 2, origin: crypto map
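Checking "show crypto session" by eye is fine in a lab, but the same fields can be checked programmatically. As an added example that is not from this post or from Cisco, the following Python code parses the R1 output above (embedded as a constructed sample) and lists the reasons a session would not count as a working tunnel to the expected peer; parse_session and tunnel_problems are names assumed by the example.

```python
import re

# Added example (not from the post or Cisco): parse "show crypto session"
# output and decide whether the tunnel is genuinely up. R1_SESSION is the
# post's R1 output, embedded here as a constructed sample string.
R1_SESSION = """Crypto session current status
Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: 22.22.22.6 port 500
Session ID: 0
IKEv1 SA: local 11.11.11.1/500 remote 22.22.22.6/500 Active
IPSEC FLOW: permit ip 192.168.12.0/255.255.255.0 192.168.21.0/255.255.255.0
Active SAs: 2, origin: crypto map"""

def parse_session(text):
    s = {"flows": [], "active_sas": 0}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Session status: (\S+)", line):
            s["status"] = m.group(1)
        elif m := re.match(r"Peer: (\S+) port (\d+)", line):
            s["peer"], s["port"] = m.group(1), int(m.group(2))
        elif m := re.match(r"IKEv(\d) SA: local (\S+)/\d+ remote (\S+)/\d+ (\S+)", line):
            s["ike"] = {"local": m.group(2), "remote": m.group(3), "state": m.group(4)}
        elif m := re.match(r"IPSEC FLOW: permit ip (\S+) (\S+)", line):
            s["flows"].append((m.group(1), m.group(2)))  # (source, destination)
        elif m := re.match(r"Active SAs: (\d+)", line):
            s["active_sas"] = int(m.group(1))
    return s

def tunnel_problems(s, expected_peer, expected_flow):
    # List the reasons the session is not a working tunnel to the expected peer.
    problems = []
    if s.get("status") != "UP-ACTIVE":
        # UP-IDLE means IKE (Phase 1) is up but no IPsec SA (Phase 2) exists;
        # DOWN-NEGOTIATING means Phase 1 itself has not completed.
        problems.append(f"session status is {s.get('status', 'missing')}")
    if s.get("peer") != expected_peer:
        problems.append(f"peer is {s.get('peer')}, expected {expected_peer}")
    if s.get("ike", {}).get("state") != "Active":
        problems.append("IKE SA is not Active")
    if expected_flow not in s["flows"]:
        problems.append("expected IPSEC FLOW is not present")
    if s["active_sas"] < 2:  # one inbound and one outbound IPsec SA per flow
        problems.append(f"only {s['active_sas']} active SAs")
    return problems
```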
Step 6: Test Connectivity
You can test connectivity by pinging from PC1 to PC2.
PC1#ping 192.168.21.1 <-- Ping to gateway of PC2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PC1#ping 192.168.21.2 <-- Ping to PC2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PC2#ping 192.168.12.1 <-- Ping to gateway of PC1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PC2#ping 192.168.12.2 <-- Ping to PC1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms