
Wednesday 16 November 2016

Site to Site IPsec VPN

CCNP Route (300-101) Lab: Configuring Site to Site IPsec VPN



Scenario: A site-to-site VPN connects two office networks to each other securely, with all traffic between them encrypted. End users do not need a VPN client; their traffic is routed through the VPN gateways, which handle the encryption. In this lab, users in the 10.1.1.0/24 network are connected via a site-to-site VPN to users in the 172.16.1.0/24 network.

VPN Configuration Steps

1. ISAKMP Policy
- Specifies the initial VPN security details

2. IPsec Details
- Specifies how the IPsec packets will be encapsulated

3. Crypto ACL
- Specifies the traffic that will trigger the VPN to activate

4. VPN Tunnel Information
- Creates the crypto map that combines the ISAKMP policy, IPsec transform set, VPN peer address, and crypto ACL

5. Apply the Crypto Map
- Identifies which interface is actively looking to create a VPN

Configuration:

R1
en
conf t
host R1
int s0/0/0
ip add 1.1.1.1 255.255.255.0
no shut
int fa0/0
ip add 10.1.1.1 255.255.255.0
no shut
exit
router eigrp 1
network 1.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
no auto-summary
exit

crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key cisco123 address 2.2.2.1
crypto ipsec transform-set HQ-VPN esp-3des esp-sha-hmac
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto map HQ-MAP 10 ipsec-isakmp
set transform-set HQ-VPN
set peer 2.2.2.1
match address 110
exit 
int s0/0/0
crypto map HQ-MAP
exit

R2
en
conf t
host R2
int s0/0/0
ip add 1.1.1.2 255.255.255.0
no shut
int s0/0/1
ip add 2.2.2.2 255.255.255.0
no shut
exit
router eigrp 1
network 1.1.1.0 0.0.0.255
network 2.2.2.0 0.0.0.255
no auto-summary
exit

R3
en
conf t
host R3
int s0/0/1
ip add 2.2.2.1 255.255.255.0
no shut
int fa0/0
ip add 172.16.1.1 255.255.255.0
no shut
exit
router eigrp 1
network 2.2.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
no auto-summary
exit

crypto isakmp policy 1
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key cisco123 address 1.1.1.1
crypto ipsec transform-set HQ-VPN esp-3des esp-sha-hmac
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map HQ-MAP 10 ipsec-isakmp
set transform-set HQ-VPN
set peer 1.1.1.1
match address 110
exit 
int s0/0/1
crypto map HQ-MAP
exit
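
As an added example (not part of the lab and not a Cisco tool), the Python check below parses the crypto-relevant lines of the two peer configurations above, confirms that the pre-shared keys, transform sets and crypto ACLs line up between R1 and R3, and flags the lab's 3DES and DH group 2 choices as legacy algorithms that a production deployment would replace. The config excerpts are constructed from the lab's own lines; the `LEGACY` set and the finding strings are this example's own.

```python
import re

# Constructed excerpts of the crypto lines from the lab's R1 and R3 configs.
R1_CFG = """\
group 2
crypto isakmp key cisco123 address 2.2.2.1
crypto ipsec transform-set HQ-VPN esp-3des esp-sha-hmac
access-list 110 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
set peer 2.2.2.1
"""
R3_CFG = """\
group 2
crypto isakmp key cisco123 address 1.1.1.1
crypto ipsec transform-set HQ-VPN esp-3des esp-sha-hmac
access-list 110 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
set peer 1.1.1.1
"""
# Still negotiable on IOS, but no longer considered strong (example's own list).
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "group 1", "group 2", "group 5"}

def parse(cfg):
    """Pull out the fields that decide whether two peers can agree on a tunnel."""
    key = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg)
    acl = re.search(r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", cfg)
    ts = re.search(r"crypto ipsec transform-set \S+ (.+)", cfg)
    group = re.search(r"^\s*group (\d+)", cfg, re.M)
    return {
        "psk": key.group(1),
        "acl": (acl.group(1), acl.group(2)),  # (local net, remote net)
        "transforms": set(ts.group(1).split()),
        "group": "group " + group.group(1),
    }

def audit(a_cfg, b_cfg):
    """Return findings for a peer pair; an empty list means the pair is consistent."""
    a, b = parse(a_cfg), parse(b_cfg)
    findings = []
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    # Crypto ACLs must be mirror images, or only one direction will match.
    if a["acl"] != (b["acl"][1], b["acl"][0]):
        findings.append("crypto ACLs are not mirror images")
    if a["transforms"] != b["transforms"]:
        findings.append("transform sets differ")
    for side, p in (("A", a), ("B", b)):
        for weak in sorted(LEGACY & (p["transforms"] | {p["group"]})):
            findings.append(f"{side}: legacy algorithm {weak}")
    return findings
```

Run `audit(R1_CFG, R3_CFG)` against the lab as written and the only findings are the legacy-algorithm ones; break the mirror ACL or the key on one side and the corresponding mismatch is reported.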

Show Commands:
To check whether the tunnel was successfully established, you may use the following show commands:

show crypto isakmp sa
show crypto ipsec sa
show crypto session
show crypto map

Example:
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.1         1.1.1.1         QM_IDLE           1070    0 ACTIVE


IPv6 Crypto ISAKMP SA


R1#

Note: Basic CCNA-level knowledge (or equivalent) is assumed, as it is the prerequisite for CCNP. This lab uses Packet Tracer with C2811 routers. Only the C2811 and C1841 router images in Packet Tracer support the VPN commands.
