Site-to-Site IPSec VPN Tunnel:
Site-to-Site IPSec VPN Tunnels are used to allow the secure transmission of data, voice and video between two sites (e.g. offices or branches). The VPN tunnel is created over the public Internet and encrypted using a number of advanced encryption algorithms to provide confidentiality of the data transmitted between the two sites.
This article will show how to set up and configure two Cisco routers to create a permanent secure site-to-site VPN tunnel over the Internet, using the IPSec protocol.
ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential to building and encrypting the VPN tunnel. ISAKMP, also called IKE (Internet Key Exchange), is the negotiation protocol that allows two hosts to agree on how to build an IPsec security association. ISAKMP negotiation consists of two phases:
1. Phase 1 : creates the first tunnel, which protects later ISAKMP negotiation messages.
2. Phase 2 : creates the tunnel that protects data. IPSec then comes into play to encrypt the data using encryption algorithms and provides authentication, encryption and anti-replay services.
IPSec VPN Requirements :
To help make this an easy-to-follow exercise, we have split it into two steps that are required to get the Site-to-Site IPSec VPN Tunnel to work.
These steps are :
(1) Configure ISAKMP (ISAKMP Phase 1)
(2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
Our example setup is between two branches of a small company, Site 1 and Site 2. Both branch routers connect to the Internet and have a static IP Address assigned by their ISP, as shown on the diagram :
Site 1 is configured with an internal network of 10.10.10.0/24, while Site 2 is configured with network 18.104.22.168/24. The goal is to securely connect both LAN networks and allow full communication between them, without any restrictions.
Configure ISAKMP (IKE) – (ISAKMP Phase 1) :
To begin, we’ll start working on the Site 1 router (R1).
First step is to configure an ISAKMP Phase 1 policy :
R1(config)# crypto isakmp policy 1
The peer’s pre-shared key is set to firewallcx and its public IP Address is 22.214.171.124. Every time R1 tries to establish a VPN tunnel with R2 (126.96.36.199), this pre-shared key will be used.
Configure IPSec :
To configure IPSec we need to set up the following in order :
Next step is to create an access-list and define the traffic we would like the router to pass through the VPN tunnel. In this example, it would be traffic from one network to the other, 10.10.10.0/24 to 188.8.131.52/24. Access-lists that define VPN traffic are sometimes called crypto access-lists or interesting traffic access-lists.
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 184.108.40.206 0.0.0.255
Create IPSec Transform (ISAKMP Phase 2 policy) :
Next step is to create the transform set used to protect our data. We’ve named this TS:
The above command defines the following :
R1(config)# crypto map CMAP 10 ipsec-isakmp
Apply Crypto Map to the Public Interface :
The final step is to apply the crypto map to the outgoing interface of the router. Here, the outgoing interface is FastEthernet 0/1.
R1(config-if)# crypto map CMAP
We now move to the Site 2 router to complete the VPN configuration. The settings for Router 2 are identical, with the only difference being the peer IP Addresses and access lists :
R2(config)# crypto isakmp policy 1
R2(config)# crypto isakmp key firewallcx address 220.127.116.11
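The two-step procedure above, carried through end to end on both routers, as an added example that is not the article's own listing. It reuses the names the article gives (ISAKMP policy 1, pre-shared key firewallcx, transform set TS, crypto map CMAP, outgoing interface FastEthernet 0/1); the access-list name VPN-TRAFFIC, the public addresses 203.0.113.1 (R1) and 203.0.113.2 (R2), the Site 2 LAN 10.20.20.0/24 and the Phase 1 / Phase 2 algorithms (AES-256, SHA-256, DH group 14) are assumptions chosen for the example, since the article does not state them.

```cisco
! Added example, not the article's configuration. Constructed values:
!   R1 public IP 203.0.113.1, R2 public IP 203.0.113.2, Site 2 LAN 10.20.20.0/24,
!   ACL name VPN-TRAFFIC, algorithms AES-256 / SHA-256 / DH group 14.
!
! ===== R1 (Site 1, LAN 10.10.10.0/24, public 203.0.113.1) =====
! Step 1: ISAKMP Phase 1 policy. Every parameter here must match on R2,
! otherwise Phase 1 negotiation fails and no tunnel is ever built.
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr aes 256
R1(config-isakmp)# hash sha256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# exit
! Pre-shared key bound to the peer's public address
R1(config)# crypto isakmp key firewallcx address 203.0.113.2
! Step 2a: crypto (interesting traffic) ACL, Site 1 LAN -> Site 2 LAN only
R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
R1(config-ext-nacl)# exit
! Step 2b: Phase 2 transform set (ESP encryption + integrity)
R1(config)# crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
R1(cfg-crypto-trans)# exit
! Step 2c: crypto map ties peer, transform set and interesting traffic together
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 203.0.113.2
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC
R1(config-crypto-map)# exit
! Step 2d: apply the crypto map to the Internet-facing interface
R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP
R1(config-if)# exit
!
! ===== R2 (Site 2, LAN 10.20.20.0/24, public 203.0.113.2) =====
! Identical policy; only the peer address and the ACL direction change.
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr aes 256
R2(config-isakmp)# hash sha256
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 14
R2(config-isakmp)# lifetime 86400
R2(config-isakmp)# exit
R2(config)# crypto isakmp key firewallcx address 203.0.113.1
! Mirror image of R1's ACL: Site 2 LAN -> Site 1 LAN
R2(config)# ip access-list extended VPN-TRAFFIC
R2(config-ext-nacl)# permit ip 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R2(config-ext-nacl)# exit
R2(config)# crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
R2(cfg-crypto-trans)# exit
R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# set peer 203.0.113.1
R2(config-crypto-map)# set transform-set TS
R2(config-crypto-map)# match address VPN-TRAFFIC
R2(config-crypto-map)# exit
R2(config)# interface FastEthernet0/1
R2(config-if)# crypto map CMAP
R2(config-if)# exit
```

The tunnel is negotiated on demand, so it only comes up once a packet from one LAN to the other hits the crypto ACL. After sending such traffic, `show crypto isakmp sa` on either router should list the peer with state QM_IDLE (Phase 1 complete) and `show crypto ipsec sa` should show the encaps/decaps counters increasing (Phase 2 complete). If Phase 1 never reaches QM_IDLE, compare the policy 1 parameters and the pre-shared key on both routers first, since any mismatch there stops negotiation before IPSec is involved.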